IS-IS
IS-IS (Intermediate System to Intermediate System) is defined in ISO 10589 and in RFC 1142 and RFC 1195.
IS-IS Multi-Instance is defined in RFC 6822.
IS-IS PDU types
- LAN Hello
- Serial (Point-to-Point) Hello
- Link State PDU (LSP)
- Complete Sequence Number PDU (CSNP)
- Partial Sequence Number PDU (PSNP)
IS-IS LSPs are like OSPF LSAs.
CSNPs are generated:
- by the DIS in order for all routers connected to the LAN to synchronize their databases
- by routers on a point-to-point network while setting up their adjacency
PSNPs are generated:
- by routers that are not synchronized with the DIS and need additional LSPs in their database
- by routers on a point-to-point network to acknowledge received LSPs
ISIS Hellos
- Point-to-Point
- Serial IIH are exchanged
- Multiacces/Broadcast
- L2 LAN IIH are exchanged
If you get error messages like "%CLNS-3-BADPACKET: ISIS: P2P hello, bad circuit type 0" on point-to-point (Serial/POS) interfaces on GNS3, then just ignore them.
The default hello interval is 10 seconds for non-DIS interfaces, and 3.333 seconds for DIS interfaces.
The hello timers do not need to agree on the neighbors.
On point-to-point links where a single Hello is used, a single hello timer must be used for both L1 and L2 adjacencies.
The fastest neighbor down detection with hello timers tuning is 1 sec, if "isis hello-interval minimal" is used. For faster detection use BFD.
All hellos are padded to the full interface MTU by default. You can disable this behavior with "no isis hello padding" (although Cisco routers always send the first five hellos padded), if you are having time-sensitive application traffic that travels across low-bandwidth interfaces or you want to minimize interface buffer resources when frequent hellos are configured.
ISIS vs CLNS
- Use "sh clns" commands to view
- neighbors
- adjacencies
- hellos
- PDUs
- interfaces
- metrics
- Use "sh isis" commands to view
- neighbors
- LSPs
- topologies
- SPF logs
- routes
In IOS-XR, all related show commands are found under the "sh isis" hierarchy.
If you need to change the MTU for ISIS to work, change the CLNS MTU.
ISIS over Frame-Relay requires CLNS broadcast mapping for the particular DLCI.
NET
NET = AREA-ID + SYSTEM-ID + SEL
net = 49.0001.0000.0000.2222.00
AREA-ID = 49.0001 (used for inter-area routing)
SYSTEM-ID = 0000.0000.2222 (used for intra-area routing)
SEL = 00
NET must begin and end with a single octet.
Cisco IS-IS implementation requires a 6-octets System-ID.
In order to ease with area migration, multiple Area-IDs can be configured on each router (System-ID must be kept the same).
IOS
router isis
max-area-addresses 5
net 49.0001.0000.0000.0002.00
net 49.0002.0000.0000.0002.00
net 49.0003.0000.0000.0002.00
net 49.0004.0000.0000.0002.00
net 49.0005.0000.0000.0002.00
In L1 adjacencies, max-area-addresses must match between neighbors.
Dynamic hostname exchange is by default enabled, but you can disable it if required.
IOS
router isis
no hostname dynamic
IOS-XR
router isis 1
hostname dynamic disable
before...
IOS
R2#sh isis neighbors
System Id Type Interface IP Address State Holdtime Circuit Id
R1 L2 Fa1/0 10.1.2.1 UP 25 R2.03
after...
IOS
R2#sh isis neighbors
System Id Type Interface IP Address State Holdtime Circuit Id
0000.0000.0001 L2 Fa1/0 10.1.2.1 UP 23 0000.0000.0002.03
R2#sh isis hostname
Level System ID Dynamic Hostname (notag)
2 0000.0000.0001 R1
* 0000.0000.0002 R2
Configuration
IOS
router isis X
net 49.0001.0000.0000.2222.00
is-type level-2-only
passive-interface Loopback0
!
interface X
ip router isis
IOS-XR
router isis X
is-type level-2-only
net 49.0001.0000.0000.1111.00
interface Loopback0
passive
address-family ipv4 unicast
!
interface X
circuit-type level-2-only
address-family ipv4 unicast
Although it's not required to use an IS-IS process/instance number ("router isis x") in IOS, it's better to use one as a reference in next tasks. IOS-XR requires a process ID.
"isis circuit-type level-2-only" under all interfaces creates an empty local L1 database.
"is-type level-2-only" under the IS-IS process doesn't create a L1 database at all.
"passive-interface X" under the IS-IS process doesn't require "ip router isis" under the interface in IOS, because the interface is automatically advertised. IOS-XR requires the whole config (address-family, circuit-type, passive) under each interface.
"log-adjacency-changes" in IOS or "log adjacency changes" in IOS-XR is not enabled by default under the IS-IS process.
For L1 adjacencies a common area (Area-ID) must be used between neighbors.
It is recommended that routers operating at a single level be configured specifically at that level in order to minimize the number of adjacencies, LSPs, and related SPF/PRC calculations.
Multi-area IS-IS
You can have multiple L1 area processes per router, but only one L2 area process. Interfaces can belong to only one process.
That way you can also have connectivity between different L1 areas that are connected to the same L1/L2 router.
IOS
router isis 1
net 49.0001.0000.0000.0003.00
!
router isis 11
net 49.0011.0000.0000.0003.00
is-type level-1
!
interface FastEthernet0/0.1
ip router isis 1
!
interface FastEthernet0/0.11
ip router isis 11
You might hit a bug in some releases with the following message appearing when trying to activate the L1 process under an interface.
%CLNS: Duplicate system ID configured in ip vrf <default> with router isis null
Routing table per router type & route-leaking
- L1 routers have
- L1 routes for prefixes originating from L1 routers in the same area (even crossing many L2 routers)
- L1 route for the default route originating from L1/L2 routers
- L1/L2 routers have
- L1 routes for prefixes originating from "attached" L1 routers
- L2 routes for all other prefixes
- L2 routers have
- L2 routes for all prefixes
When using multiple Area-IDs under the same IS-IS process of a L1/L2 router, then L1 routes from one L1 area can pass over to another L1 area.
Use route-leaking in L1/L2 routers in order to change the above. Route-leaking can be accomplished either with distribute-list or with a route-map in IOS.
IOS
router isis
redistribute isis ip level-2 into level-1 distribute-list 100
!
address-family ipv6
redistribute isis level-2 into level-1 distribute-list PREFIXLIST
exit-address-family
!
access-list 100 permit ip host 1.1.1.1 host 255.255.255.255
!
ipv6 prefix-list PREFIXLIST permit 2001:1::1/128
IPv4 distribute-list used in route-leaking should have the above "awkward" format in order to allow only 1.1.1.1/32 to be leaked.
When doing route-leaking in IOS, you must define the ISIS process/instance right after the "redistribute isis" command, although you might not see it in the actual configuration.
IOS-XR
router isis X
address-family ipv4
propagate level 2 into level 1 route-policy IPv4-RPL
address-family ipv6
propagate level 2 into level 1 route-policy IPv6-RPL
Leaked L2=>L1 routes appear as "ia" (inter-area) in L1 routers.
L1 routes are always preferred over L2.
Level-2 subdomain must not be partitioned in order for routing to work properly.
Always prefer to have a flat L2 network if possible.
Default admin distance of IS-IS is 115.
When a L1/L2 router advertises a route from L2 to L1, it sets the U/D bit, so any other L1/L2 router that receives this L1 LSP with the U/D bit set can ignore it and not advertise it any further.
It's good practice to also enable wide metrics when doing route-leaking in order to get "correct" metrics for the leaked routes.
Links
Default Route & ATT bit
An LSP with the ATT bit set, creates a default route in the L1 router. More specifically, a L1/L2 router sets the ATT bit in a L1 LSP when it has connectivity to another L1 area too.
The ATT bit can be managed in various ways:
IOS
router isis X
set-attached-bit route-map NODEF-ROUTEMAP
!
route-map NODEF-ROUTEMAP permit 10
match clns address CLNS-FILTER-SET
!
clns filter-set CLNS-FILTER-SET permit 99.9999
Use a non-existent CLNS area if you want to avoid setting the ATT-bit.
IOS-XR
CRS(config-isis-af)#attached-bit receive ?
ignore Ignore the attached bit in received LSPs
CRS(config-isis-af)#attached-bit send ?
always-set Always set the attached bit in our LSP
never-set Never set the attached bit our LSP
Beware of cases where L1/L2 router connects to multiple L1 areas and somehow loses L2 connectivity. Continuing to advertise a default route to L1 routers might lead to a blackhole.
You can also advertise a default route from a L2 router into a L1 router, by using the following configuration:
IOS
router isis X
default-information originate route-map DEF-ROUTE-ROUTEMAP
!
route-map DEF-ROUTE-ROUTEMAP permit 10
set level level-1
The default route will be advertised to the L1 router, so you end up with 2 default routes (the second one is created automatically from the LSP that has the ATT bit set, but has lower preference).
IOS
R2#sh isis rib 0.0.0.0 0.0.0.0
IPv4 local RIB for IS-IS process 1000
IPV4 unicast topology base (TID 0, TOPOID 0x0) =================
0.0.0.0/0
[115/L1/10] via 10.0.220.20(FastEthernet0/0.220), from 10.0.220.20, tag 0, LSP[12/12]
[115/L1/10] via 10.0.220.20(FastEthernet0/0.220), from 10.0.220.20, tag 0, LSP[0/28]
Remember to filter it from other L1/L2 adjacencies (if such a need arises).
IOS-XR
router isis X
address-family ipv4 unicast
default-information originate route-policy DEF-ROUTE-RPL
DR/DIS
LSPID "router.XX-00" (with next-to-last octet being non-zero) is being sent by a DIS, while LSPID "router.00-00" is being sent by everyone.
IOS
R2#sh isis database
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R2.00-00 * 0x00000015 0xE041 1184 0/0/0
R2.01-00 * 0x00000006 0xFA3B 380 0/0/0
R8.00-00 0x0000000B 0x4F55 1177 0/0/0
R8.09-00 0x00000001 0x5E58 1177 0/0/0
R9.00-00 0x0000000E 0x7C35 806 0/0/0
If the Circuit-Id in the "sh isis neighbors" output contains a router name (Circuit-ID+System-ID=LAN-ID), then this router is the DIS in the broadcast connection between the local router and the router shown under the System-Id.
IOS
R2#sh isis neighbors
Tag null:
System Id Type Interface IP Address State Holdtime Circuit Id
R7 L1 Et0/2 2.2.27.7 UP 8 R7.04
R8 L1 Et0/1 2.2.28.8 UP 7 R8.01
R9 L1 Et0/0 2.2.29.9 UP 9 R9.03
Each router generates an LSP for all its interfaces.
Each DIS generates a Pseudo-Node LSP for its attached broadcast interfaces.
DR/DIS election
- highest priority (0-127)
- highest mac address
There can be separate DRs for L1 and L2 adjacencies.
There is no backup DR. If the primary DR fails, a new DR is elected.
DR preemption is enabled by default.
"sh isis rib" in IOS will accept only a network prefix as input, but it will return all routes for the classful network. Always use a network mask to get the output for a specific route.
The "*" in front of a prefix in the "sh isis ipv6 rib" output means that the specific route will be installed in the router RIB also (not including directly connected networks).
Overload-bit
The overload bit is included in an LSP of the router and if it is set, it notifies routers in the area that the router is not available for transit traffic. It may be configured and cleared independently for IPv4 and IPv6 topologies.
IOS
router isis
set-overload-bit
IOS-XR
router isis 100
set-overload-bit
When used in combination with "wait-for-bgp", then if BGP sessions come up and BGP keepalives are not received from all the BGP neighbors, IS-IS will disable the overload bit after 10 minutes by default.
The IS-IS overload bit avoidance when activated, allows TE LSPs to continue working, although the router in that path has its overload bit set.
IOS
R1(config)#mpls traffic-eng path-selection overload allow ?
head Allow overloaded head node in TE CSPF
middle Allow overloaded middle node in TE CSPF
tail Allow overloaded tail node in TE CSPF
IOS-XR
mpls traffic-eng path-selection ignore overload
CRS(config)#mpls traffic-eng path-selection ignore overload ?
head Ignore overload node during CSPF for role head
mid Ignore overload node during CSPF for role mid
tail Ignore overload node during CSPF for role tail
<cr>
Metrics
Default metric is 10 for each interface, 0 for passive interfaces.
IOS
R2(config-if)#isis metric ?
<1-16777214> Default metric
maximum Maximum metric. All routers will exclude this link from their
SPF
IOS-XR
GSR(config-isis-if-af)#metric ?
<1-16777214> Default metric: <1-63> for narrow, <1-16777214> for wide
maximum Maximum wide metric. All routers will exclude this link from the
ir SPF
Wide metrics are used in:
- MPLS-TE
- prefix tags
- multi-topology
- need for metric > 63
IOS
router isis
metric-style wide
IOS-XR
router isis 100
address-family ipv4 unicast
metric-style wide
!
address-family ipv6 unicast
metric-style wide
The maximum metric that can be assigned to an IS-IS route is 1023 (without wide metrics enabled).
IS-IS Authentication
Authentication can be enabled:
- per domain (old style)
- "domain-password" under IS-IS process
- applies to LSPs by default
- for CSNPs, PSNPs extra command is required
- for Level-2 only
- clear text (type-1)
- adjacency formed but no L2 LSPs exchanged if wrong authentication
- per area (old style)
- "area-password" under IS-IS process
- applies to LSPs by default
- for CSNPs, PSNPs extra command is required
- for Level-1 only
- clear text (type-1)
- adjacency formed but no L1 LSPs exchanged if wrong authentication
- per interface (old style)
- "isis-password" under interface
- applies to Hellos by default
- for Level-1/Level-2
- clear text (type-1)
- no adjacency formed if wrong authentication
- per interface (new style)
- "isis authentication" under interface (IOS)
- "hello-password" under interface under IS-IS process (IOS-XR)
- applies to Hellos by default
- for Level-1/Level-2
- enhanced clear text (type-1) or MD5 (type-54)
- no adjacency formed if wrong authentication
- per instance (new style)
- "authentication" under IS-IS process (IOS)
- "lsp-password" under IS-IS process (IOS-XR)
- applies to LSPs, CSNPs, PSNPs by default
- for Level-1/Level-2
- enhanced clear text (type-1) or MD5 (type-54)
- adjacency formed but no LSPs exchanged if wrong authentication
You can use "text" in new-style authentication in order to be compatible with old-style authentication.
For old-style area authentication you have to use "level-1" in new-style, while for old-style domain authentication you have to use "level-2" in new-style.
On point-to-point links where a single Hello is used, a common password must be used for both L1 and L2 adjacencies.
IOS
interface FastEthernet0/0
isis authentication mode md5
isis authentication key-chain KEYCHAIN
!
key chain KEYCHAIN
key 1
key-string TESTPASS
IOS-XR
router isis 26
interface X
hello-password hmac-md5 TESTPASS
In IOS-XR, a key-chain can also be used instead of hmac-md5.
The only way to verify authentication in current releases is by using debug commands ("debug isis update-packets" and "debug isis authentication information").
IS-IS Topologies
- IOS
- default is single-topology
- configure "multi-topology" under ipv6 address-family to change
- IOS-XR
- default is multi-topology
- configure "single-topology" under ipv6 address-family to change
Only one IPv6 process is allowed in IOS.
IS-IS Single-Topology requirements
- Both IPv4 IS-IS and IPv6 IS-IS routing protocols must share a common network topology
- Any interface configured for IPv4 IS-IS must also be configured for IPv6 IS-IS, and vice versa
- All routers in the IS-IS area (for Level 1 routing) or the domain (for Level 2 routing) must support an identical set of address families (IPv4 only, IPv6 only, or both IPv4 and IPv6) on all interfaces
- Wide metrics are not necessary in single-topology
Links
ISIS as PE-CE
PE
IOS
router isis X
vrf VPN
net 49.0001.0000.0000.0001.00
!
interface FastEthernet0/0
vrf forwarding VPN
ip router isis X
IOS-XR
not supported
CE
IOS
router isis X
net 49.0001.0000.0000.0002.00
IOS-XR
router isis X
net 49.0001.0000.0000.0002.00
IS-IS for IPv6 is not supported as a PE-CE protocol in IOS.
IOS-XR doesn't support IS-IS as a PE-CE protocol at the role of PE.
Multi-Instance
IOS-XR
router isis 1
is-type level-2
net 47.0002.0000.0000.0008.00
address-family ipv4 unicast
metric-style wide
!
address-family ipv6 unicast
metric-style wide
!
interface GigabitEthernet0/2/2/0
address-family ipv4 unicast
address-family ipv6 unicast
!
router isis 2
is-type level-2
net 49.0002.0000.0000.0008.00
address-family ipv4 unicast
metric-style wide
!
address-family ipv6 unicast
metric-style wide
!
interface GigabitEthernet0/2/1/0
address-family ipv4 unicast
address-family ipv6 unicast
You can configure up to five IS-IS instances (processes).
MPLS can run on multiple IS-IS processes as long as the processes run on different sets of interfaces. Each interface may be associated with only a single IS-IS instance.
Because RIB treats each of the IS-IS instances as equal routing clients, you must be careful when redistributing routes between IS-IS instances.
The RIB does not know to prefer Level 1 routes over Level 2 routes from different instances, so if you are running Level 1 and Level 2 instances, you must enforce the preference by configuring different administrative distances for these two instances.
multi-instance vs multi-area
- multi-instance
- supported in IOS-XR
- multiple L2 areas
- multiple L1 areas
- redistribution allowed between different processes
- multiple IPv6 processes allowed
- use when: run multiple IS-IS processes
- multi-area
- supported in IOS
- only one L2 area
- multiple L1 areas
- redistribution not allowed between different processes
- only one IPv6 process allowed
- use when: connect multiple L1 areas on the same router
Fast Convergence
- BFD
- tunning of hellos
- ip event dampening
- point-to-point adjacencies
- tuning of SPF/PRC/LSP timers
- tag specific prefixes and give them high priority
Timers
- per process/instance
- LSP refresh interval
- seconds the router will wait before refreshing (re-creating and re-flooding) its own LSPs
- recommended: 65535 sec
- Max LSP lifetime
- the lifetime in the LSP header (in order to age out old LSPs)
- recommended: 65535 sec
- PRC interval (exponential backoff)
- seconds between two consecutive PRCs (triggered when changes that do not affect the topology, such as advertised external prefixes or metric changes, are detected)
- recommended: 5, 1, 20
- LSP generation interval (exponential backoff)
- seconds between creating new versions of a given LSP on a per-node basis
- recommended: 5, 1, 20
- SPF interval (exponential backoff)
- seconds between two consecutive SPF calculations
- recommended: 5, 1, 20
- per interface
- LSP interval
- milliseconds between the transmission of LSPs
- LSP retransmit interval
- seconds between the retransmission of an LSP on point-to-point links
- LSP retransmit throttle interval
- milliseconds between all the retransmitted LSPs on point-to-point links
The value set for the lsp-refresh-interval should be less than the value of the max-lsp-lifetime command. Usually the software will automatically reduce the LSP refresh interval to prevent the LSPs from timing out.
iSFP can be used to limit the SPF recalculations to specific portions of the topology.
Advertise minimum prefixes
IOS
router isis
advertise passive-only
set-overload-bit suppress interlevel external
!
interface X
no isis advertise prefix
IOS-XR
router isis 100
no set-overload-bit advertise external interlevel
address-family ipv4 unicast
advertise passive-only
!
interface X
suppressed
Summarization
IOS
router isis
summary-address 11.11.11.0 255.255.255.0
address-family ipv6
summary-prefix 11:11:11::/64
IOS-XR
router isis 1
address-family ipv4 unicast
summary-prefix 11.11.11.0/24
!
address-family ipv6 unicast
summary-prefix 11:11:11::/64
You can also define the level into which you want to advertise the summary.
