Is Is 3 PDF Free
IS-IS
  Course Description
  Course Highlights
  Requirements
  Course Schedule
  Introduction to IS-IS
    Areas and Router Roles
    LSPs (Link State Packets)
    NET (Network Entity Title)
    Metrics
    Conclusion
  Integrated IS-IS Configuration on Cisco IOS
    Configuration
      Area 12
      Area 34
      Area 12-34 connectivity
    Conclusion
  IS-IS Authentication
    Configuration
      Clear Text Authentication
      HMAC-MD5 Authentication
    Conclusion
  IS-IS DIS and Pseudonode
    Configuration
    Verification
    Conclusion
  IS-IS Metric on Cisco IOS
    Configuration
    Conclusion
  IS-IS Redistribution
    Configuration
    Verification
    Conclusion
  IS-IS Summarization
    Configuration
      Summarization
      Redistribution Summarization
    Conclusion
  IS-IS Filtering
    Configuration
      Distribute-list Inbound filtering
      Level 1 to Level 2 filtering
    Conclusion
  IS-IS Route Leaking
    Conclusion
IS-IS
Course Description
In these lessons you will learn what the IS-IS link-state routing protocol is and how it is different
from OSPF. We start with the basics and then move on to more advanced topics like route
leaking, redistribution, etc.
Course Highlights
In this course you will learn:
Requirements
A good understanding of OSPF will make this course a lot easier to understand.
Course Schedule
Introduction to IS-IS
Integrated IS-IS Configuration
IS-IS Authentication
IS-IS DIS and Pseudonode
IS-IS Metric on Cisco IOS
IS-IS Redistribution
IS-IS Summarization
IS-IS Filtering
IS-IS Route Leaking
Introduction to IS-IS
IS-IS is an IGP, link-state routing protocol, similar to OSPF. It forms neighbor adjacencies, has
areas, exchanges link-state packets, builds a link-state database and runs the Dijkstra SPF
algorithm to find the best path to each destination, which is installed in the routing table.
Back when OSPF and IS-IS were developed, IP wasn’t the dominant protocol that it is today.
When people think of OSI they automatically think of the OSI-model but back then, ISO
(International Organization for Standardization) also created something similar to IP and UDP
called CLNP (Connectionless-mode Network Protocol) and CLNS (Connectionless-mode
Network Service).
Unlike OSPF which was developed by the IETF (Internet Engineering Task Force), IS-IS was
originally developed by DEC for CLNS, not IP and this is why it’s called IS-IS
(Intermediate System – Intermediate System).
Later, IS-IS was adapted so that it could also route IP and is then called integrated IS-IS.
Nowadays, we use IP everywhere so you might wonder why we care about this. When working
with IS-IS, you will see some references to CLNP/CLNS here and there. For example, when
configuring a router ID (called a Network Entity Title), it has to be configured with the NSAP
(Network Service Access Point Address) format. NSAP is similar to an IP address, and it is not
automatically configured so we have to understand its format.
IS-IS also rides directly on top of an Ethernet header, using its own header format. It’s not
encapsulated in an IP packet like other routing protocols (OSPF and EIGRP) are:
IS-IS is a highly scalable routing protocol, which is why it is used often on large service provider
network backbones. In this lesson I will give you an overview of what IS-IS is and how it works.
Level 1 system: this is an intra-area router, it only knows what the local area looks like
and will only learn prefixes from its own area. It creates a level 1 link-state database and
SPF tree for the area.
Level 2 system: this is a backbone router that knows all intra-area and inter-area
routes. It creates a level 2 link-state database and SPF tree for the backbone.
Level 1-2 system: this is a router that performs both roles. It creates a separate level 1
and 2 link-state database and two SPF trees, one for each database.
Level 1-2 is the default on Cisco IOS routers.
Similar to other routing protocols like OSPF and EIGRP, IS-IS routers will send hello packets.
When you send and receive hello packets, you will form a neighbor adjacency. Routers will only
form neighbor adjacencies with routers that use the same level.
Let’s look at some examples to help you visualize this. Let’s start with a single area:
Above we have two routers in a single area. There is only one area so these two routers are
configured as level 1 routers. These two routers will form a level 1 neighbor adjacency. Let’s add
a second area:
Level 1 routers only know what the local area looks like. If a level 1 router wants to reach
something outside of its area, it has to use a level 2 router. In each area, we configure one
router as a level 1-2 router.
Here is one more example, a larger topology that gives a good overview of the different router
levels and adjacencies:
The router in area 4 is a level 2 backbone router. There are no level 1 routers in area 4 so
we don’t need a level 1-2 router there.
Area 3 has two level 1-2 routers. These routers will form two neighbor adjacencies with
each other:
o Level 1 adjacency
o Level 2 adjacency
LSPs (Link State Packets)
Let’s talk about how IS-IS exchanges routing information. It uses LSPs (Link State Packet)
which is similar to OSPF’s LSAs. In the LSP you will find:
Don’t confuse the LSP with MPLS’ LSP (Label Switched Path), they use the same acronym.
Let’s take a closer look at how IS-IS uses LSPs to exchange routing information. Let’s start with
two routers that are configured to use IS-IS but there is no neighbor adjacency yet:
Each router will create an LSP (illustrated with the green jigsaw). In the LSP we find the
directly connected networks that are advertised in IS-IS. A few seconds later, these routers
become neighbors:
R1 and R2 are in the same area so they will establish a level 1 neighbor adjacency. These routers
will flood their LSPs within the area so that everyone knows about all LSPs in the area. The two
routers add each other’s LSP to their database. These routers can now run SPF on their level 1
database and figure out the shortest path to each destination.
IS-IS uses something called the DIS / Pseudonode which is similar to OSPF’s DR/BDR to
reduce unneeded flooding.
Let’s say we want to connect area 12 to another area, this means we need a level 2 router. Let’s
convert R2 into a level 1-2 router so I can show you what will happen. At this moment, we start
with a clean slate so there is no neighbor adjacency between R1 and R2:
R2 now has a second database, the level 2 database, besides its level 1 database and level 1 LSP.
It generates a level 2 LSP with all prefixes for interfaces that are directly connected and
advertised in IS-IS.
Each IS-IS router only creates a single LSP for each level. This LSP carries multiple prefixes.
Once again, R1 and R2 will exchange their level 1 LSPs. R2 receives the level 1 LSP from R1
and it copies new prefixes from its level 1 database to the LSP in the level 2 database. In my
example, that is 1.1.1.1/32 from R1.
Let’s continue this story. I will add a second area now, similar to area 12. There is no connection
yet between the two areas but the routers have formed a level 1 neighbor adjacency within the
area:
As you can see above, R4 has learned about the 3.3.3.3/32 prefix from R3 and copies this prefix
from the LSP in the level 1 database to its own LSP in the level 2 database.
Now we will create a connection between the two areas and enable IS-IS on this link. Something
exciting will happen:
R2 and R4 are in different areas and will establish a level 2 neighbor adjacency. There are a
couple of things that will happen:
The 192.168.24.0/24 prefix is added in the level 1 LSP of R2 and R1 learns about it.
The 192.168.24.0/24 prefix is added in the level 2 LSP of R2.
The 192.168.24.0/24 prefix is added in the level 1 LSP of R4 and R3 learns about it.
The 192.168.24.0/24 prefix is added in the level 2 LSP of R4.
The level 2 LSPs are flooded within the backbone, R2 and R4 will receive each other’s
level 2 LSPs.
o R2 learns about 192.168.24.0/24, 192.168.34.0/24, 3.3.3.3/32 and 4.4.4.4/32 from
R4.
o R4 learns about 192.168.24.0/24, 192.168.12.0/24, 1.1.1.1/32 and 2.2.2.2/32 from
R2.
The two backbone routers R2 and R4 now know about every prefix out there.
If you look at the level 1 database of R1 and R3, you can see they don’t learn about prefixes
from the other area. This is how IS-IS works, a level 1 router will never learn about prefixes
from other areas. So, how do we get out of our own area?
Once a level 1-2 router is connected to another area, it will set a special bit in its level 1 LSP
called the attached bit. When a level 1 router sees this, it will generate a default route that is
pointed to the level 1-2 router.
IS-IS also prefers intra-area routes (level 1 database) over inter-area routes (level 2 database). If
a prefix is found in both databases, the router will use the information from the level 1 database.
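The propagation rules above can be checked with a small model. This is an added example, not part of the original lesson: the data layout and function names are assumptions, flooding is simplified to reachability over adjacencies of one level, and the prefixes are those of the four-router topology in the text.

```python
# Added example: a model of the level 1 / level 2 LSP rules described above.
# Topology and prefixes follow the four-router example; the data layout and
# function names are assumptions made for this sketch.
ROUTERS = {
    "R1": {"area": "12", "levels": {1}, "loopback": "1.1.1.1/32"},
    "R2": {"area": "12", "levels": {1, 2}, "loopback": "2.2.2.2/32"},
    "R3": {"area": "34", "levels": {1}, "loopback": "3.3.3.3/32"},
    "R4": {"area": "34", "levels": {1, 2}, "loopback": "4.4.4.4/32"},
}
# Links with IS-IS enabled, and the prefix configured on each link.
LINKS = {
    ("R1", "R2"): "192.168.12.0/24",
    ("R3", "R4"): "192.168.34.0/24",
    ("R2", "R4"): "192.168.24.0/24",
}


def adjacencies(routers, links):
    """Return (level, a, b) for every adjacency that can form on the links."""
    adj = []
    for a, b in links:
        ra, rb = routers[a], routers[b]
        # Level 1 needs level 1 on both ends and the same area.
        if 1 in ra["levels"] and 1 in rb["levels"] and ra["area"] == rb["area"]:
            adj.append((1, a, b))
        # Level 2 only needs level 2 on both ends.
        if 2 in ra["levels"] and 2 in rb["levels"]:
            adj.append((2, a, b))
    return adj


def flood_domain(name, level, adj):
    """Routers whose LSPs of this level reach `name` (itself included)."""
    seen, todo = {name}, [name]
    while todo:
        cur = todo.pop()
        for lvl, a, b in adj:
            if lvl == level and cur in (a, b):
                peer = b if cur == a else a
                if peer not in seen:
                    seen.add(peer)
                    todo.append(peer)
    return seen


def own_prefixes(name, routers, links):
    """Loopback plus the prefix of every IS-IS enabled link on the router."""
    return {routers[name]["loopback"]} | {p for pair, p in links.items() if name in pair}


def databases(name, routers=ROUTERS, links=LINKS):
    """Return (level 1 prefixes, level 2 prefixes, default route next hop)."""
    adj = adjacencies(routers, links)
    l1_lsp, l2_lsp, attached = {}, {}, set()
    for r, cfg in routers.items():
        if 1 in cfg["levels"]:
            l1_lsp[r] = own_prefixes(r, routers, links)
        # Attached bit: a level 2 adjacency to a router in another area.
        if any(lvl == 2 and r in (a, b) and routers[a]["area"] != routers[b]["area"]
               for lvl, a, b in adj):
            attached.add(r)
    for r, cfg in routers.items():
        if 2 in cfg["levels"]:
            l2_lsp[r] = own_prefixes(r, routers, links)
            if 1 in cfg["levels"]:
                # A level 1-2 router copies level 1 prefixes into its level 2 LSP.
                for peer in flood_domain(r, 1, adj):
                    l2_lsp[r] |= l1_lsp[peer]
    me = routers[name]["levels"]
    l1 = set().union(*(l1_lsp[p] for p in flood_domain(name, 1, adj))) if 1 in me else set()
    l2 = set().union(*(l2_lsp[p] for p in flood_domain(name, 2, adj))) if 2 in me else set()
    # Only a pure level 1 router follows the attached bit with a default route.
    gateways = sorted(p for p in flood_domain(name, 1, adj) if p in attached) if me == {1} else []
    return l1, l2, (gateways[0] if gateways else None)
```

Removing the ("R2", "R4") entry from LINKS reproduces the state before the two areas are connected: R2's level 2 view shrinks to its own area and R1 has no default route.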
Since IS-IS is a link-state routing protocol, it is important that the databases are synchronized.
Each LSP has a sequence number that is increased whenever there is a change in the LSP. LSPs
are acknowledged using an SNP (Sequence Number Packet) that comes in two flavors:
The CSNP has a list of all LSPs in the database, it is used to inform other routers that have
missing or outdated information. The PSNP is used to request one or more LSPs and also used to
acknowledge the receipt of one or more LSPs.
Here’s what it looks like:
The NET consists of two “major” parts and can be anywhere between 8 and 20 bytes:
The IDP is used to tell to which routing domain you belong and has two parts:
AFI (Authority and Format Identifier): The AFI identifies the administrative authority
that is responsible for assigning you addressing. The AFI coding is administered by ISO.
IDI (Initial Domain Identifier): The IDI depends on the authority. They will typically
use a different value for each customer that refers to a (sub) domain number.
It’s very unlikely that you will ever see this as IS-IS is pretty much used only on private
networks. A possible scenario could be where a customer runs IS-IS with a service provider,
where the provider assigns the IDP to a customer.
Use AFI 49 which is reserved for private networks. If you use this, the IDI is optional.
Don’t use the IDP at all.
The second part of the NET is the DSP, these are your “local” settings:
Let’s look at some examples. The first NET is an example where an authority has assigned you
an IDP:
The area number is 12 and the unique ID of this router is 0000.0000.0001. This could be an
example for R1. If you use a private network, you can set the AFI to 49 and forget about the IDI:
This is the most common example. This is for a router in area 12 with system ID
0000.0000.0001. One last example, you can remove the IDP completely if you want:
This only leaves the area number, system ID and the NSEL. Let me show you one example of
the previous four routers I used and the NETs we could use for them:
Above you can see that all routers use AFI 49. R1 and R2 use 0012 to indicate their area number,
R3 and R4 use 0034 as the area number. Here are the system IDs:
R1: 0000.0000.0001
R2: 0000.0000.0002
R3: 0000.0000.0003
R4: 0000.0000.0004
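A parser for this format, as an added example that is not part of the original lesson. It reads a NET from the right (NSEL, six-byte system ID, then the area address that starts with the AFI) and checks a set of routers for duplicate system IDs and for level 1 neighbors in different areas; the function names and the level 1 link list are assumptions.

```python
import re


def parse_net(net):
    """Split a NET such as 49.0012.0000.0000.0001.00 into its fields."""
    digits = net.replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
        raise ValueError(f"{net}: expected an even number of hex digits")
    raw = bytes.fromhex(digits)
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{net}: a NET is 8 to 20 bytes, got {len(raw)}")
    # Read from the right: 1 byte NSEL, 6 bytes system ID, the rest is the area address.
    area, system_id, nsel = raw[:-7], raw[-7:-1], raw[-1]
    if nsel != 0:
        raise ValueError(f"{net}: the NSEL of a NET must be 00")
    sid = system_id.hex()
    return {
        # With the IDP removed, this first byte is simply the start of the area number.
        "afi": f"{area[0]:02x}",
        "private": area[0] == 0x49,
        "area_address": area.hex(),
        "system_id": ".".join(sid[i:i + 4] for i in range(0, 12, 4)),
    }


def check_domain(nets, l1_links):
    """Return problems found in {router: NET} given the intended level 1 links."""
    problems, parsed, owner = [], {}, {}
    for router, net in nets.items():
        try:
            parsed[router] = parse_net(net)
        except ValueError as exc:
            problems.append(f"{router}: {exc}")
            continue
        sid = parsed[router]["system_id"]
        if sid in owner:
            problems.append(f"{router}: system ID {sid} already used by {owner[sid]}")
        owner.setdefault(sid, router)
    for a, b in l1_links:
        # Level 1 neighbors must agree on the area address.
        if a in parsed and b in parsed and parsed[a]["area_address"] != parsed[b]["area_address"]:
            problems.append(f"{a}-{b}: different areas, no level 1 adjacency will form")
    return problems


# NETs of the four lab routers, as used in the configurations later in this lesson.
LAB_NETS = {
    "R1": "49.0012.0000.0000.0001.00",
    "R2": "49.0012.0000.0000.0002.00",
    "R3": "49.0034.0000.0000.0003.00",
    "R4": "49.0034.0000.0000.0004.00",
}
LAB_L1_LINKS = [("R1", "R2"), ("R3", "R4")]

if __name__ == "__main__":
    for router, net in LAB_NETS.items():
        print(router, parse_net(net))
    print(check_domain(LAB_NETS, LAB_L1_LINKS) or "no problems found")
```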
Metrics
IS-IS has four metric values that it can work with:
Default Metric: every interface has a default metric of 10, no matter the bandwidth. A
gigabit interface gets the same metric as a serial link. We can manually configure a
different metric for each interface.
Delay: similar to how EIGRP uses delay.
Expense: the actual monetary cost of a link.
Error: similar to how EIGRP uses reliability.
Cisco IOS routers, however, only support the default metric so that’s one thing less to
worry about.
The maximum metric to reach any destination is 1023. This can be changed by enabling wide
metrics, which increases the maximum metric up to 4261412864.
Conclusion
You have now learned the basics of IS-IS, enough to configure a small network with some areas
to get started:
Level 1 LSPs are flooded within the area.
Level 2 LSPs are flooded within the backbone.
Level 1-2 routers that are connected to another area will set the attached bit in their level
1 LSP.
o Level 1 routers will generate a default route towards the level 1-2 router when
they see the attached bit.
Each router requires a NET (Network Entity Title) where we configure the area number
and unique system ID.
o AFI 49 without the IDI is the most common option.
There are four metric values:
o Default Metric
o Delay
o Expense
o Error
Cisco IOS only supports the default metric which is always 10, no matter what interface
you use. This can be manually configured.
There is more to explain about IS-IS which I will do in future lessons where we talk about the
pseudonode, filtering, leaking, NBMA networks, redistribution and more. For now, I hope this
has been useful to understand the basics of IS-IS.
Configuration
Here is the topology we will use:
Above we have four routers. R1 and R2 are in area 12, R3 and R4 in area 34. R1 and R3 are
intra-area routers so they will be configured as level 1 routers. R2 and R4 form the backbone, so
these routers will be configured as level 1-2 routers.
Area 12
Let’s start with area 12. Instead of just showing you the configuration commands, we will also
take a look at the different databases so you can see what is going on.
Level-1 Routers
Let’s start with R1. First, we have to start the IS-IS process and set a NET (Network Entity
Title). We will keep it simple, the AFI will be 49, and the system ID will be 0000.0000.000X
where X is the router number. Here’s R1:
R1(config)#router isis
R1(config-router)#net 49.0012.0000.0000.0001.00
R1 is an intra-area router, so we will configure it as a level-1 router. The default is level 1-2 on
Cisco IOS routers, so this is something we have to change:
R1(config-router)#is-type level-1
By default, IS-IS will not show when a neighbor adjacency goes up or down on the console. I
like to see this so let’s enable it:
R1(config-router)#log-adjacency-changes
R1(config)#interface GigabitEthernet 0/1
R1(config-if)#ip router isis
R1(config)#interface Loopback 0
R1(config-if)#ip router isis
Before we continue with R2, let’s take a look at the database of R1:
Above we see a single LSP (Link State Packet). This is the LSP that R1 has generated when
we enabled IS-IS. You can see a sequence number, checksum, and holdtime. Let’s take a look at
the contents of this LSP:
Above we see the contents of the LSP. There are two prefixes with the metrics and subnet masks.
Let’s continue with R2. This router will be a level 1-2 router since it’s connected to a different
area. I’d like to show you the differences between a level 1 and level 1-2 router, so before we use
R2 as a level 1-2 router, I’m going to configure it as a level-1 router first:
R2(config)#router isis
R2(config-router)#net 49.0012.0000.0000.0002.00
R2(config-router)#is-type level-1
R2(config-router)#log-adjacency-changes
R2(config)#interface GigabitEthernet 0/1
R2(config-if)#ip router isis
R2(config)#interface Loopback 0
R2(config-if)#ip router isis
A few seconds later, you will see the neighbor adjacency appearing. This only shows up on the
console because of the log-adjacency-changes command:
R1#
%CLNS-5-ADJCHANGE: ISIS: Adjacency to 0000.0000.0002 (GigabitEthernet0/1) Up, new adjacency
R2#
%CLNS-5-ADJCHANGE: ISIS: Adjacency to 0000.0000.0001 (GigabitEthernet0/1) Up, new adjacency
Excellent, we now have two neighbors. You can also verify this with the show isis neighbors
command:
Above we now also see the LSP from R2 in the database of R1. We can see two prefixes with the
metrics and subnet masks.
If you look closely, you can see a third entry in the output above (R2.01-00). This is about the DIS that
creates a pseudonode. It is a similar mechanism to OSPF’s DR/BDR. We will cover this in another lesson.
Network 2.2.2.2/32 was unknown to R1, so this will be installed in the routing table:
Above we see 2.2.2.2/32 in the routing table of R1. The administrative distance of IS-IS is 115,
and the total metric is 20. You can see that the level (L1) also shows up in the routing table. Let’s
take a look at the database of R2:
Above we see the LSP of R1 with its two prefixes: 1.1.1.1/32 and 192.168.12.0/24. 1.1.1.1/32
was unknown to R2, so this will be installed in the routing table:
There it is.
Want to take a look for yourself? Here you will find the configuration of R1 and R2 as level 1 routers.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.2 255.255.255.0
!
router isis
net 49.0012.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
Level 1-2 Router
R2 is supposed to connect to area 34 so it has to become a level 1-2 router. I’d like to show you
the differences in the database when we change R2 from level 1 to level 1-2. To do this, I will
shut the interface that connects to R1 and we will clear the IS-IS neighbor adjacency:
Clearing the process manually will speed things up. Otherwise, you have to wait until the hold
time has expired:
R2#clear isis *
R2(config)#router isis
R2(config-router)#is-type ?
level-1 Act as a station router only
level-1-2 Act as both a station router and an area router
level-2-only Act as an area router only
R2(config-router)#is-type level-1-2
The first thing we see is that R2 now creates two databases; one for level 1 and another for level
2. Let’s take a look at the level 1 database:
Above we see the LSP that R2 created for level 1. There is only one prefix (2.2.2.2/32) because I
shut the GigabitEthernet 0/1 interface. Let’s check the level 2 database:
The level 2 database is the same, R2 generated an LSP with the 2.2.2.2/32 prefix in it. Let’s
enable the GigabitEthernet 0/1 interface so that R1 and R2 form a level 1 neighbor adjacency:
Wait for a few seconds until the neighbor adjacency is established, then check the level 2
database:
Above we now see that R2 has added 1.1.1.1/32 in its own LSP in the level 2 database. R2 learns
about 1.1.1.1/32 from R1’s level 1 LSP and adds this prefix in its own level 2 database.
When we now look at the routing table of R1, you will only see the 2.2.2.2/32 prefix:
Once R2 is connected to another area, you will find a default route here.
Area 34
Let’s continue with our configuration. First, we will configure R3 and R4 so that they form a
level 1 neighbor adjacency. Let’s start with R3:
R3(config)#router isis
R3(config-router)#net 49.0034.0000.0000.0003.00
R3(config-router)#is-type level-1
R3(config-router)#log-adjacency-changes
R3(config)#interface GigabitEthernet 0/1
R3(config-if)#ip router isis
R3(config)#interface Loopback 0
R3(config-if)#ip router isis
And here’s R4:
R4(config)#router isis
R4(config-router)#net 49.0034.0000.0000.0004.00
R4(config-router)#log-adjacency-changes
R4(config)#interface GigabitEthernet 0/1
R4(config-if)#ip router isis
R4(config)#interface Loopback 0
R4(config-if)#ip router isis
Now it’s time to connect area 12 and area 34 to each other. Before we do, let’s take a quick look
at the level 2 databases of R2 and R4 so that you can see the difference later:
Above we see that R2 has its own directly connected interfaces (2.2.2.2/32 and 192.168.12.0/24)
and the prefix from R1 (1.1.1.1/32) in its LSP. Here’s R4:
IP Address: 4.4.4.4
Metric: 10 IP 192.168.34.0 255.255.255.0
Metric: 10 IP 4.4.4.4 255.255.255.255
Metric: 20 IP 3.3.3.3 255.255.255.255
R4 has its directly connected interfaces (192.168.34.0/24 and 4.4.4.4/32) and the prefix from R3
(3.3.3.3/32) in its LSP.
Let’s configure R2 and R4 to run IS-IS on the interfaces that connect them:
R2 & R4
(config)#interface GigabitEthernet 0/2
(config-if)#ip router isis
R2#
%CLNS-5-ADJCHANGE: ISIS: Adjacency to 0000.0000.0004 (GigabitEthernet0/2) Up, new adjacency
R4#
%CLNS-5-ADJCHANGE: ISIS: Adjacency to 0000.0000.0002 (GigabitEthernet0/2) Up, new adjacency
Let’s see what the level 2 databases now look like. We start with R2:
Above we see that R2 has added 192.168.24.0/24 to its own LSP. R2 also has received the LSP
from R4 and added this to its level 2 database. Let’s check its routing table:
We can now see that R2 has added the level 2 prefixes that it has learned in the routing table.
Let’s check R4:
R4 receives the level 2 LSP from R2 with all its prefixes. It also adds 192.168.24.0/24 to its own
LSP since IS-IS was activated on this interface. Let’s check its routing table:
i L1 3.3.3.3 [115/20] via 192.168.34.3, 00:08:19, GigabitEthernet0/1
i L2 192.168.12.0/24 [115/20] via 192.168.24.2, 00:02:00, GigabitEthernet0/2
We see that R4 has added these new prefixes to its routing table. They show up as level 2 routes.
What about the intra-area routers, R1 and R3? Once R2 and R4 got connected to another area,
they set the attached bit in their level 1 LSPs. When the intra-area routers receive this, they
generate a default route that points to the level 1-2 router. Let’s check R1:
We now see a default route in R1’s routing table that points to R2. The same thing applies to R3:
R3 has a default route that points to R4. Everything is looking good but just in case and to get a
bit of satisfaction, let’s try a quick ping between R1 and R3:
Want to take a look for yourself? Here you will find the configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.2 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0002.00
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis
!
router isis
net 49.0034.0000.0000.0003.00
is-type level-1
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.4 255.255.255.0
ip router isis
!
router isis
net 49.0034.0000.0000.0004.00
log-adjacency-changes
!
end
Conclusion
You have now learned how to configure integrated IS-IS on a small network with two areas and
four routers. You have also learned how to view the level 1 and level 2 databases and the
changes that occur.
IS-IS Authentication
Like any other routing protocol, IS-IS supports authentication. You can choose between plain
text or HMAC-MD5 authentication, and there are some different options that define which
packets will be authenticated. In this lesson, I’ll walk you through the different options.
Configuration
Here’s the topology I will use:
We have two routers in the same area. Both routers are configured as level 1-2 routers (the
default).
Want to take a look for yourself? Here you will find the configuration of each device.
Let’s start with clear text (plain text) authentication. There are three options to choose from:
Interface authentication
Area authentication
Domain authentication
As the names imply, you can enable authentication on the interface level, per area or domain.
However, these three options also define which packets will be authenticated! These commands
that I’m about to show you are the “old” method of configuring IS-IS authentication.
Let’s take a look at each authentication method, and you will see what I’m talking about.
Interface Authentication
Let’s go to the interface. We use the isis password command here to set a password for
authentication:
Optionally, you can choose for which level you want to enable authentication. If you don’t add
this, then it will be applied to both level 1 and 2 neighbor adjacencies. Let’s do this on both
routers:
Once you enable this, authentication is only enabled for hello packets. LSPs and SNPs are still
unauthenticated. Here’s an example of an authenticated hello packet:
As you can see above, the password is sent in clear text.
There is no command that shows you whether authentication is enabled or not. You can, however, use
the debug isis adj-packets and debug isis update-packets commands to quickly catch authentication
errors.
Area Authentication
This enables authentication for the area. In my example, R1 and R2 are in area 0012. This option
will authenticate LSPs that are exchanged and optionally, SNPs. Hello packets are not
authenticated.
R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD ?
authenticate Authentication
<cr>
Above you can see that I have set a password. The authenticate parameter has one option:
This is how you can include SNPs. I’ll stick to LSPs for now. Let’s configure this on both
routers:
R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD
After enabling area authentication, you will see that LSPs are now authenticated:
As expected, the password shows up in clear text.
If you want your SNPs to be authenticated as well, then we can enable that extra parameter.
There is one more option, however:
R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp ?
send-only Send but do not check PDUs on receiving
validate Send and check PDUs on receiving
You can choose if you want to send authenticated packets but accept unauthenticated packets.
This can be useful if you are migrating from a non-authenticated scenario to an authenticated
scenario. In our lab, we’ll validate everything right away:
R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp validate
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD authenticate snp validate
Domain Authentication
The last option for plain text authentication is domain authentication. This works similarly to area
authentication except that it is applied to all routers in the same IS-IS domain. In my case, I’m
using the private domain 49. If you do this, authentication will be applied to all routers in the 49
domain. Let’s try this:
R1(config)#router isis
R1(config-router)#domain-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#domain-password MY_PASSWORD
The behavior is the same as area authentication. Hello packets are unauthenticated, LSPs will be
authenticated. If you also want to authenticate SNPs, you’ll have to include the authenticate snp
validate parameter.
HMAC-MD5 Authentication
Clear text authentication is fun but not very safe. A quick Wireshark capture shows us the
password. Instead, we can use HMAC-MD5 authentication. It is similar to clear text
authentication, but there are only two options:
Interface authentication
Instance authentication
There is no area or domain authentication. Instead, authentication can be applied to the IS-IS
routing instance. The password is not configured directly, but we use a key-chain instead. I’ll
create one on both routers:
R1 & R2
(config)#key chain ISIS_AUTH
(config-keychain)#key 1
(config-keychain-key)#key-string MY_PASSWORD
The name of the keychain and key number can be different (unlike most protocols, the key
number is not checked in IS-IS). The key string has to match on both ends.
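To make the difference on the wire concrete, here is an added example (not part of the original course material) that builds the authentication TLV both ways and verifies the HMAC-MD5 variant as a receiver would, following RFC 5304. The header bytes and the two extra TLVs are constructed sample data, and the key chain's key-string is assumed to be used directly as the HMAC key.

```python
import hashlib
import hmac

AUTH_TLV = 10        # IS-IS Authentication Information TLV
AUTH_CLEARTEXT = 1   # authentication type: clear text password
AUTH_HMAC_MD5 = 54   # authentication type: HMAC-MD5 (RFC 5304)
DIGEST_LEN = 16      # size of an MD5 digest in bytes


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 1-byte type, 1-byte length, then the value."""
    if len(value) > 255:
        raise ValueError("TLV value does not fit in a 1-byte length")
    return bytes([tlv_type, len(value)]) + value


# Constructed sample data: a stand-in for the 27-byte level 1 LAN hello header
# (fields after the common header are zeroed), an area address TLV for 49.0012
# and a protocols-supported TLV carrying NLPID 0xCC.
HEADER = bytes([0x83, 27, 1, 0, 15, 1, 0, 0]) + bytes(19)
OTHER_TLVS = tlv(1, bytes.fromhex("03490012")) + tlv(129, b"\xcc")


def cleartext_pdu(password: str) -> bytes:
    """Old-style authentication: the password itself travels in TLV 10."""
    auth = tlv(AUTH_TLV, bytes([AUTH_CLEARTEXT]) + password.encode())
    return HEADER + auth + OTHER_TLVS


def hmac_md5_pdu(key: str) -> bytes:
    """Insert TLV 10 with a zeroed digest, HMAC the whole PDU, fill the digest in.

    For LSPs, RFC 5304 also zeroes the checksum and remaining lifetime fields
    before computing the digest; this sketch only models a hello.
    """
    placeholder = tlv(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(DIGEST_LEN))
    pdu = bytearray(HEADER + placeholder + OTHER_TLVS)
    digest = hmac.new(key.encode(), bytes(pdu), hashlib.md5).digest()
    start = len(HEADER) + 3   # skip TLV type, TLV length and authentication type
    pdu[start:start + DIGEST_LEN] = digest
    return bytes(pdu)


def find_auth_tlv(pdu: bytes):
    """Walk the TLVs after the header; return (value offset, value) of TLV 10."""
    pos = len(HEADER)
    while pos + 2 <= len(pdu):
        tlv_type, length = pdu[pos], pdu[pos + 1]
        end = pos + 2 + length
        if end > len(pdu):
            raise ValueError("truncated TLV")
        if tlv_type == AUTH_TLV:
            return pos + 2, pdu[pos + 2:end]
        pos = end
    return None


def verify_hmac_md5(pdu: bytes, key: str) -> bool:
    """Receiver side: zero the digest, recompute the HMAC, compare in constant time."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False                      # unauthenticated PDU
    offset, value = found
    if len(value) != 1 + DIGEST_LEN or value[0] != AUTH_HMAC_MD5:
        return False                      # clear text or malformed TLV
    zeroed = bytearray(pdu)
    zeroed[offset + 1:offset + 1 + DIGEST_LEN] = bytes(DIGEST_LEN)
    expected = hmac.new(key.encode(), bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(value[1:], expected)


if __name__ == "__main__":
    print("clear text TLV exposes key:", b"MY_PASSWORD" in cleartext_pdu("MY_PASSWORD"))
    signed = hmac_md5_pdu("MY_PASSWORD")
    print("HMAC-MD5 TLV exposes key:  ", b"MY_PASSWORD" in signed)
    print("verifies with same key:    ", verify_hmac_md5(signed, "MY_PASSWORD"))
```

The HMAC-MD5 TLV value is only the type byte 54 followed by the 16-byte digest. It carries no key identifier, which is consistent with the key number not being checked.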
Interface Authentication
Let’s start with interface authentication. We have to use the isis authentication mode command:
As you can see above, this command is the “new” way of configuring authentication, and it also
supports clear text authentication. We are going to use HMAC-MD5, however:
The next thing we have to do is to tell the router which keychain we want to use. Optionally, you
can decide if you want to use HMAC-MD5 authentication for level 1, level 2 or both:
I’ll go for the default option which means authentication is enabled for both level 1 and level 2
adjacencies:
Once you configure this, only hello packets will be authenticated. Here’s a capture of an
authenticated hello packet:
IS-IS HMAC-MD5 authentication hello-packet
Instance Authentication
R1(config)#router isis
R1(config-router)#authentication mode md5
R1(config-router)#authentication key-chain ISIS_AUTH
R2(config)#router isis
R2(config-router)#authentication mode md5
R2(config-router)#authentication key-chain ISIS_AUTH
The authentication key-chain command allows you to choose if you want to activate this for
level 1, level 2 or both. If you don’t supply it as I did, then it will be applied to both levels.
Once you enable this, your LSPs and SNPs will be authenticated. Not your hello packets! Here’s
an example of a CSNP that is now authenticated:
IS-IS HMAC-MD5 authentication CSNP
If you want all packets to be authenticated, you should combine interface and instance
authentication.
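Because each command covers a different set of packets, it is easy to end up with a router that authenticates its hellos but not its LSPs, or the other way around. The following added example (not part of the original course material) audits an indented running-config against the coverage described in this lesson. The two sample configs are constructed, level keywords on the commands are ignored, and it assumes the new-style commands only take effect when both the mode and the key chain are configured.

```python
def audit_isis_auth(config: str) -> dict:
    """Report how each IS-IS PDU class is authenticated on one router."""
    levels = ["l1", "l2"]
    enabled, old_password = set(), set()   # interfaces: IS-IS on / isis password
    if_mode, if_chain = {}, set()          # new-style interface commands
    inst_mode, inst_chain = None, False    # new-style instance commands
    flood = {}                             # 'lsp-l1', 'snp-l1', ... -> method
    section = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():           # unindented line opens a section
            if words[0] == "interface":
                section = "".join(words[1:])
            elif words[:2] == ["router", "isis"]:
                section = "router isis"
            else:
                section = None
        elif section == "router isis":
            if words[0] == "is-type":
                levels = {"level-1": ["l1"], "level-2-only": ["l2"]}.get(words[1], levels)
            elif words[0] in ("area-password", "domain-password"):
                level = "l1" if words[0] == "area-password" else "l2"
                flood["lsp-" + level] = "cleartext"
                if words[2:4] == ["authenticate", "snp"]:
                    checked = words[4:5] == ["validate"]
                    flood["snp-" + level] = "cleartext" if checked else "cleartext (send-only)"
            elif words[:2] == ["authentication", "mode"]:
                inst_mode = words[2]
            elif words[:2] == ["authentication", "key-chain"]:
                inst_chain = True
        elif section is not None:          # inside an interface
            if words[:3] == ["ip", "router", "isis"]:
                enabled.add(section)
            elif words[:2] == ["isis", "password"]:
                old_password.add(section)
            elif words[:3] == ["isis", "authentication", "mode"]:
                if_mode[section] = words[3]
            elif words[:3] == ["isis", "authentication", "key-chain"]:
                if_chain.add(section)

    method = {"md5": "md5", "text": "cleartext"}
    if inst_chain and inst_mode in method:  # instance auth covers LSPs and SNPs
        for level in ("l1", "l2"):
            flood["lsp-" + level] = flood["snp-" + level] = method[inst_mode]
    report = {}
    for name in sorted(enabled):            # interface auth covers hellos only
        how = "cleartext" if name in old_password else "none"
        if name in if_chain and if_mode.get(name) in method:
            how = method[if_mode[name]]
        report["hello " + name] = how
    for level in levels:
        for pdu in ("lsp", "snp"):
            report[pdu + "-" + level] = flood.get(pdu + "-" + level, "none")
    return report


def weak_spots(report: dict) -> list:
    """PDU classes that are unauthenticated or carry the password in clear text."""
    return sorted(name for name, how in report.items() if how != "md5")


# Constructed sample: old-style commands, SNPs left out.
BEFORE = """\
interface GigabitEthernet0/1
 ip router isis
 isis password MY_PASSWORD
!
router isis
 net 49.0012.0000.0000.0001.00
 is-type level-1
 area-password MY_PASSWORD
"""

# Constructed sample: interface and instance HMAC-MD5 combined.
AFTER = """\
interface GigabitEthernet0/1
 ip router isis
 isis authentication mode md5
 isis authentication key-chain ISIS_AUTH
!
router isis
 net 49.0012.0000.0000.0001.00
 is-type level-1
 authentication mode md5
 authentication key-chain ISIS_AUTH
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_isis_auth(cfg), "weak:", weak_spots(audit_isis_auth(cfg)))
```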
Conclusion
In this lesson, you have learned how to authenticate IS-IS packets:
Above we have four routers connected to a LAN segment. These routers will send hello packets
to each other and when they see other routers, they will become neighbors. In IS-IS, all routers
establish a full neighbor adjacency with each other (unlike OSPF where routers only form a
full neighbor adjacency with the DR/BDR). Once the routers are neighbors, they will flood their
LSP to a multicast destination; all other routers will receive this LSP and add it to their database.
Above we see that R1 floods its LSP on the LAN.
The LSP from R1 might make it to R2, R3, and R4 but there is no way for R1 to know. We need
an acknowledgment so that R1 knows that its LSP made it to the other routers. We could let R2,
R3, and R4 send a unicast acknowledgment to R1 but that’s not how IS-IS works.
Another issue is that the link-state database can grow exponentially. With four routers on a LAN,
each router will have three neighbor adjacencies. There will be six neighbor adjacencies to
consider in total.
To solve the acknowledgment problem and to reduce the size of the link-state database, we use a
special mechanism. When IS-IS routers become neighbors, they also do an election to decide
who becomes the DIS (Designated IS). The decision on which router becomes the DIS is based on certain
criteria:
1. On a LAN, this is the MAC address.
2. On frame-relay, this is the DLCI number.
   1. If the DLCI number is the same, the system ID is the tie-breaker.
We can change the priority, but by default, on a LAN the router with the highest MAC address
will become the DIS. There is only one DIS, there is no backup router, and the election is
preemptive. If you configure a router with a better priority or one that has a higher MAC
address, it will become the new DIS immediately.
The DIS is responsible for creating a pseudonode. This is a virtual node created by the DIS. The
pseudonode will do two things:
Create and update a pseudonode LSP that reports links to all neighbors.
Create a CSNP (Complete Sequence Numbers Protocol).
The pseudonode will send the pseudonode LSP that contains a list of all neighbors that it is
connected to with a metric of 0. This pseudonode LSP is sent to a multicast address, all IS-IS
routers receive it. This turns the multi-access network into a “point-to-point” topology where the
pseudonode sits in the middle:
This simplifies the link-state topology. There are now only four neighbor adjacencies to consider:
R1-Pseudonode
R2-Pseudonode
R3-Pseudonode
R4-Pseudonode
Which is far less than the six neighbor adjacencies we would have without the pseudonode
where each router would report three neighbor adjacencies.
In the CSNP we will find a summary of each LSP that was flooded in the area:
LSP ID
LSP sequence number
LSP remaining lifetime
LSP checksum
You won’t find any prefixes in the CSNP. It’s just a simple overview with the latest LSPs. Why
do we use this? Here’s an example:
Previously, R1 has flooded its LSP on the LAN but didn’t know if R2, R3 or R4 received it or
not. It now sees the CSNP from the pseudonode which includes a summary of the LSP from R1.
This acts like an acknowledgment, R1 now knows that the pseudonode has seen its LSP.
What if R1 doesn’t see its own LSP in the CSNP? That tells R1 that the LAN doesn’t know
about its LSP and it will flood its LSP again.
If one of the routers receives the CSNP and sees that one of the LSPs in the CSNP has a higher
sequence number than the one in its own database, then it will send a PSNP (Partial Sequence
Numbers PDU), requesting the newer information. The PSNP is sent with multicast so all
routers receive it. Only the DIS will respond to this message. We do this because if all routers
would respond, we would waste network resources.
The CSNP is sent every 10 seconds so there will be plenty of opportunities for the routers to
check if their latest LSP is known on the LAN and if their current information is up-to-date.
The DIS is elected for each level. If your routers run both level 1 and level 2, you will have two
separate DIS elections and two pseudonodes.
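The election and the CSNP check can be written down in a few lines. This is an added example, not part of the original course material: the MAC addresses and most sequence numbers are constructed, and CSNP entries are reduced to the LSP ID and sequence number (real entries also carry the remaining lifetime and checksum). It goes slightly beyond the text by reflooding any LSP that the CSNP lists with a lower sequence number or not at all, not only the router's own, which is the general rule of which R1's case is one instance.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Router:
    name: str
    mac: str             # SNPA on a LAN (constructed values below)
    priority: int = 64   # default IS-IS interface priority


def elect_dis(routers):
    """Highest priority wins; the highest MAC address breaks a tie.

    The election is preemptive, so it is simply re-run whenever the set of
    routers or one of their priorities changes.
    """
    return max(routers, key=lambda r: (r.priority, bytes.fromhex(r.mac.replace(":", ""))))


def pseudonode_lsp(dis, routers):
    """The pseudonode LSP lists every router on the LAN with a metric of 0."""
    return {"lsp_id": dis.name + ".01-00", "neighbors": {r.name: 0 for r in routers}}


def process_csnp(lsdb, csnp):
    """Compare a received CSNP with the local database.

    Both arguments map LSP ID -> sequence number. Returns two sorted lists:
    LSP IDs to request with a PSNP (the CSNP is newer or we lack the LSP) and
    LSP IDs to flood again (the LAN has an older copy or none at all).
    """
    request = sorted(i for i, seq in csnp.items() if lsdb.get(i, 0) < seq)
    reflood = sorted(i for i, seq in lsdb.items() if csnp.get(i, 0) < seq)
    return request, reflood


# Constructed MAC addresses, chosen so that R2 has the highest one.
LAN = [
    Router("R1", "52:54:00:00:00:1a"),
    Router("R2", "52:54:00:00:00:f2"),
    Router("R3", "52:54:00:00:00:3c"),
    Router("R4", "52:54:00:00:00:4d"),
]

# Database before R1 advertises its loopback (R1 at 0x0E) and after (0x0F).
OLD_DB = {"R1.00-00": 0x0E, "R2.00-00": 0x0C, "R2.01-00": 0x03,
          "R3.00-00": 0x0C, "R4.00-00": 0x0C}
NEW_DB = dict(OLD_DB, **{"R1.00-00": 0x0F})

if __name__ == "__main__":
    dis = elect_dis(LAN)
    print("DIS:", dis.name, pseudonode_lsp(dis, LAN))
    # R3 missed R1's flood, then receives the updated CSNP from the DIS.
    print("R3 requests:", process_csnp(OLD_DB, NEW_DB)[0])
    # R1 receives a CSNP that still lists its old LSP and floods again.
    print("R1 refloods:", process_csnp(NEW_DB, OLD_DB)[1])
    raised = [replace(r, priority=100) if r.name == "R4" else r for r in LAN]
    print("DIS after raising R4 to priority 100:", elect_dis(raised).name)
```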
Configuration
Let’s take a look at the DIS and pseudonode in action. I will use the following topology for this
example:
Above we have four routers that are connected to a single switch. We use the 192.168.1.0/24
subnet. R1 has a loopback that I will use to trigger it to update its LSP. I will configure all
routers as level 1 routers.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.1.3 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0003.00
is-type level-1
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.1.4 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0004.00
is-type level-1
log-adjacency-changes
!
end
Verification
Let’s start by looking at the neighbor adjacencies:
R1#show isis neighbors
In the output above, we see that we have a full-mesh of neighbor adjacencies. Each router has
become neighbors with all other routers. The other thing we see is the circuit ID. The circuit ID
is a one octet value that uniquely identifies the interface that IS-IS runs on. On a multi-access
network, the circuit ID is concatenated with the system ID of the DIS. Looking at the value
(R2.01), this tells us that R2 must be the DIS.
Once the routers are neighbors, they will flood their LSPs. Here’s an example of the LSP that R1
floods:
Above you can see that the LSP gets flooded to 01:80:c2:00:00:14, the multicast address for all
level 1 IS-IS routers.
IS-IS R1 LSP
Above you can see an overview of all neighbors that are connected (including R2) to the
pseudonode with a metric of 0.
The database of each router is the same. We can see an LSP for R1, R2, R3, and R4. The second
LSP that you see (R2.01-00) is the pseudonode LSP, generated by R2 our DIS. Let’s take a look
at one of the regular LSPs. For example, the LSP of R1:
Area Address: 49.1234
NLPID: 0xCC
Hostname: R1
Metric: 10 IS R2.01
IP Address: 192.168.1.1
Metric: 10 IP 192.168.1.0 255.255.255.0
In the pseudonode LSP, we find an entry for each neighbor with a metric of 0.
What about the CSNP? It is sent by the pseudonode every 10 seconds. Here’s what this packet
looks like:
Above you can see that it is destined to 01:80:c2:00:00:14, this is a multicast address that is
destined to all level 1 IS-IS routers. The source address is the MAC address of R2. In the LSP
entries, we find a summary of each LSP that was flooded on the LAN. The one I highlighted is
the LSP that R1 has flooded. There is no prefix information here; we only see the LSP-ID (R1),
the sequence number, remaining lifetime, and checksum.
Let’s see what happens when something changes. I’m going to activate IS-IS on the loopback
interface of R1:
R1(config)#interface Loopback 0
R1(config-if)#ip router isis
This will trigger R1 to update and flood its LSP. Here’s what the LSP of R1 looks like in
Wireshark:
Above we see that the sequence number for the LSP has increased from 0x0000000E to
0x0000000F and that prefix 1.1.1.1/32 was added. All routers that receive this LSP will update it
in their database. R2, our DIS and responsible for the pseudonode will update its CSNP:
Above we see the new sequence number in the CSNP that the pseudonode floods every 10
seconds. You can see the new sequence number in the database of each router:
R3.00-00 0x0000000C 0xC0A3 587 0/0/0
R4.00-00 0x0000000C 0xE878 607 0/0/0
R2#show isis database
Just in case one of our routers missed the initial LSP flooding of R1, they will see they have an
outdated LSP once they receive the CSNP. This allows them to request the new LSP from the
DIS with a PSNP and update their database.
I captured this process in Wireshark. You can see the initial CSNP, the updated LSP from R1
when the loopback is advertised and the updated CSNP from the pseudonode:
The last thing I’d like to show you is how to change the DIS. We can change the priority on any
of our routers, and it will be effective immediately. Let’s make R4 our new DIS. Here’s how:
R4(config-if)#isis priority ?
<0-127> Priority value
You can use the show isis neighbor command, but this time, I will use the show clns is-neighbor.
The output is similar, but it will show you the priority:
R1#show clns is-neighbor
System Id Interface State Type Priority Circuit Id Format
R2 Gi0/1 Up L1 64 R4.01 Phase V
R3 Gi0/1 Up L1 64 R4.01 Phase V
R4 Gi0/1 Up L1 100 R4.01 Phase V
Above you can see the priority of R4. The new circuit ID (R4.01) tells us that R4 is now the DIS.
We can also verify this by looking at the database:
Above we see the new pseudonode LSP (R4.01-00). The one from R2 is still visible but will
be removed after a while. Let’s take a closer look:
Here we see the new pseudonode LSP with all neighbors in it.
Conclusion
In this lesson, you have learned what the DIS and pseudonode are:
IS-IS elects a single DIS on multi-access networks. The election is based on:
o The interface priority (default 64)
o Highest SNPA (Subnetwork Point of Attachment)
MAC address on a LAN
DLCI on frame-relay
System ID if the DLCI is the same
There is only one DIS, there is no backup DIS and the election is preemptive. If another
router has a higher priority (or higher MAC address / DLCI) then it will take over the DIS
role immediately.
The DIS is responsible for creating the pseudonode. The pseudonode has two roles:
o Creating a pseudonode LSP that has an overview of all links to neighbors with a
metric of 0.
o Creating the CSNP, a summary of all LSPs on the multi-access network:
LSP ID
LSP sequence number
LSP remaining lifetime
LSP checksum
o The CSNP is sent every 10 seconds
o The CSNP helps routers to figure out if they have the latest LSPs. If not, they can
request an update so that they can update their databases.
Cisco IOS routers, however, only support the default metric. The other metric values are not
used. The default metric is always set to 10, no matter the interface. A Ten Gigabit interface gets
the same metric as a slow serial link.
In practice, this means that IS-IS will act similar to RIP, the path with the least amount of hops
will be used. This is something you might want to change.
In this lesson, I’ll show you how we can configure the metric and some other tricks.
Configuration
Here’s the topology I will use:
We have four routers in a single area, these routers are configured as level 1 routers.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.13.1 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.2 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.13.3 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0003.00
is-type level-1
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.4 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0004.00
is-type level-1
log-adjacency-changes
!
end
Above we see that R1 has two equal metric paths for 4.4.4.4/32. Both have a metric of 30 in
total. We have to cross two GigabitEthernet interfaces and the loopback interface is added as
well. What if we want to change this? We can do so by setting the metric manually. This is done
on the interface level:
We can select a different metric or use the maximum command. I’ll show you what this
command does in a minute; let’s start with a custom metric first:
R1(config-if)#isis metric 50 ?
<1-16777214> Delay metric
level-1 Apply metric to level-1 links
level-2 Apply metric to level-2 links
<cr>
We can make one more change. You can choose if this metric should apply to level 1, level 2
links or both. If you don’t specify this then it will apply to both. Let’s set the metric of this
interface to 50:
R1(config-if)#isis metric 50
Route metric is 30, traffic share count is 1
Since the path through R2 now has the lowest metric, this is the path that IS-IS will use. We can
see the metric that was set to 50 in the database though:
There is a limit to the metric you can set on an interface. For example, if I try to change it to 100
this will happen:
By default, the maximum metric that IS-IS supports to reach any destination is 1023. The
maximum metric for an interface is 63. We can change this behavior by using “wide” metrics.
We should do this on all routers:
With wide metrics, the highest metric value you can select is 16777214.
The last thing I’d like to show you is the metric maximum command. You can configure this on
an interface and if you do, that link will never be used in your IS-IS topology for transit traffic.
For example, let’s configure this on R2:
R2 will now advertise a metric of 16777215 for 192.168.24.0/24, this is considered unreachable.
You can see it in this Wireshark capture of R2’s LSP:
IS-IS R2 LSP Metric Maximum
i L1 192.168.34.0/24 [115/60] via 192.168.13.3, 00:03:45, GigabitEthernet0/2
As you can see, R1 no longer uses R2 to reach any destinations. It uses R3 for everything.
Something to keep in mind is that IS-IS always prefers level 1 (intra-area) over level 2 (inter-
area) routes, even if your level 2 routes have a lower metric.
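The three steps of this lab (default metrics, metric 50 on R1's link to R3, metric maximum on R2's link to R4) can be replayed with a small SPF calculation. This is an added example, not part of the original course material: the topology and numbers come from the configurations above, the function names are made up for illustration, and the 1023 path limit of narrow metrics is not modelled.

```python
import heapq

NARROW_MAX = 63          # largest interface metric with narrow metrics
WIDE_MAX = 16777214      # largest interface metric with wide metrics
UNREACHABLE = 16777215   # advertised by "isis metric maximum"


def lab():
    """The four-router lab: (router, neighbor) -> [prefix, interface metric]."""
    nets = {("R1", "R2"): "192.168.12.0/24", ("R1", "R3"): "192.168.13.0/24",
            ("R2", "R4"): "192.168.24.0/24", ("R3", "R4"): "192.168.34.0/24"}
    interfaces = {("R4", None): ["4.4.4.4/32", 10]}   # R4's loopback
    for (a, b), prefix in nets.items():
        interfaces[(a, b)] = [prefix, 10]              # default metric is 10
        interfaces[(b, a)] = [prefix, 10]
    return interfaces


def set_metric(interfaces, router, neighbor, metric, wide=False):
    """Change the metric of router's interface towards neighbor."""
    limit = WIDE_MAX if wide else NARROW_MAX
    if metric > limit and not (wide and metric == UNREACHABLE):
        raise ValueError(f"metric {metric} exceeds the limit of {limit}")
    interfaces[(router, neighbor)][1] = metric


def spf(interfaces, source):
    """Dijkstra over outgoing interface metrics, keeping equal-cost next hops."""
    dist, hops = {source: 0}, {source: set()}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue                                   # stale heap entry
        for (router, neighbor), (_, metric) in interfaces.items():
            if router != node or neighbor is None or metric >= UNREACHABLE:
                continue                               # not a usable transit link
            total = cost + metric
            via = {neighbor} if node == source else hops[node]
            if total < dist.get(neighbor, float("inf")):
                dist[neighbor], hops[neighbor] = total, set(via)
                heapq.heappush(heap, (total, neighbor))
            elif total == dist[neighbor]:
                hops[neighbor] |= via                  # equal-cost path
    return dist, hops


def route(interfaces, source, prefix):
    """Best (metric, next hops) from source to prefix, or None if unreachable."""
    dist, hops = spf(interfaces, source)
    best, via = None, set()
    for (router, _), (advertised, metric) in interfaces.items():
        if advertised != prefix or metric >= UNREACHABLE or router not in dist:
            continue
        total = dist[router] + metric                  # path cost + prefix metric
        if best is None or total < best:
            best, via = total, set(hops[router])
        elif total == best:
            via |= hops[router]
    return None if best is None else (best, sorted(via))


if __name__ == "__main__":
    net = lab()
    print("default metrics:    ", route(net, "R1", "4.4.4.4/32"))
    set_metric(net, "R1", "R3", 50)
    print("R1->R3 metric 50:   ", route(net, "R1", "4.4.4.4/32"))
    set_metric(net, "R2", "R4", UNREACHABLE, wide=True)
    print("R2->R4 metric max:  ", route(net, "R1", "4.4.4.4/32"))
    print("192.168.34.0/24:    ", route(net, "R1", "192.168.34.0/24"))
```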
Conclusion
In this lesson, you have learned how the IS-IS metrics work and how to manipulate metrics.
IS-IS Redistribution
IS-IS, like any other routing protocol, supports redistribution. Configuring this is pretty
straightforward, so that’s what I will show you in this lesson.
Configuration
Here is the topology that we will use:
Above we have four routers. R2 and R3 are in area 23, R4 is sitting alone in area 4. R1 is running
EIGRP and we use it to advertise its loopback interface to R2. Redistribution will be configured
on R2.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
!
router eigrp 12
network 1.1.1.1 0.0.0.0
network 192.168.12.0
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router eigrp 12
network 192.168.12.0
!
router isis
net 49.0023.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.23.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.34.3 255.255.255.0
ip router isis
!
router isis
net 49.0023.0000.0000.0003.00
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
router isis
net 49.0004.0000.0000.0004.00
is-type level-2-only
log-adjacency-changes
!
end
Let’s make sure that R2 has an EIGRP route in its routing table:
Above we see the 1.1.1.1/32 prefix that we learned from R1. Let’s see if we can redistribute this
into IS-IS:
R2(config)#router isis
R2(config-router)#redistribute eigrp 12 ?
level-1 IS-IS level-1 routes only
level-1-2 IS-IS level-1 and level-2 routes
level-2 IS-IS level-2 routes only
metric Metric for redistributed routes
metric-type OSPF/IS-IS exterior metric type for redistributed routes
route-map Route map reference
<cr>
When you redistribute something into IS-IS, you can choose if it should be added to the level 1
LSP, the level 2 LSP or in both LSPs. Since R2 is a level 1 router, we don’t have much choice.
We still have to specify it though:
This will redistribute all EIGRP routes into the level 1 database of R2. Let’s also redistribute the
IS-IS routes back into EIGRP so that we have full connectivity:
R2(config-router)#router eigrp 12
R2(config-router)#redistribute isis level-1 metric 1 1 1 1 1
Verification
Let’s see if R3 learned anything from R2:
R3.00-00 * 0x00000005 0x46E2 520 1/0/0
Area Address: 49.0023
NLPID: 0xCC
Hostname: R3
Metric: 10 IS R3.01
IP Address: 192.168.34.3
Metric: 10 IP 192.168.23.0 255.255.255.0
Metric: 10 IP 192.168.34.0 255.255.255.0
R3.01-00 * 0x00000002 0x9BB1 540 0/0/0
Metric: 0 IS R3.00
Metric: 0 IS R2.00
Above we see the two EIGRP networks that have been redistributed into IS-IS. There’s
1.1.1.1/32 and 192.168.12.0/24 (the link in between R1 and R2). Note that the default metric of
external routes is 0. These will be installed in the routing table of R3:
In the routing table itself, these routes show up as regular level 1 routes. You won’t see that they
are external.
In the database of R3, we see that the redistributed routes are external. This information,
however, is lost when R3 copies the prefixes from its level 1 to level 2 database:
We see the two redistributed prefixes in the level 2 LSP of R2 but there’s no reference to
external anymore.
When you redistribute something into level-2 directly, it will show up as external. This will even remain
when advertised to other level 2 routers in different areas.
R4#show isis database level-2 verbose
R4 has received the level 2 LSP from R3 and will install the prefixes in its routing table:
Want to take a look for yourself? Here you will find the configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
!
router eigrp 12
network 1.1.1.1 0.0.0.0
network 192.168.12.0
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router eigrp 12
network 192.168.12.0
redistribute isis level-1 metric 1 1 1 1 1
!
router isis
net 49.0023.0000.0000.0002.00
is-type level-1
log-adjacency-changes
redistribute eigrp 12 level-1
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.23.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.34.3 255.255.255.0
ip router isis
!
router isis
net 49.0023.0000.0000.0003.00
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
router isis
net 49.0004.0000.0000.0004.00
is-type level-2-only
log-adjacency-changes
!
end
Conclusion
When redistributing into IS-IS, you have to specify if the redistributed routes have to be added to
the level 1 or level 2 LSP, or both. If you don’t specify a metric, then the default metric is 0.
Redistributed routes will show up as “external” in the database but this information is lost when
the LSP is copied from level 1 to level 2.
IS-IS Summarization
IS-IS supports summarization but since it is a link-state routing protocol, you can’t do this within
an area as the link-state database has to be the same on all routers within the area. You can only
configure summarization on a “border”. That would be an area border router or a router that is
doing redistribution.
Configuration
This is the topology we will use:
Above we have R1 and R2 in area 12. R3 is in area 3. On R1 we have two loopback interfaces.
Loopback 0 will be advertised in IS-IS, loopback 1 will be redistributed. I will show you how to
summarize both routes.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0002.00
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.23.3 255.255.255.0
ip router isis
!
router isis
net 49.0003.0000.0000.0003.00
log-adjacency-changes
!
end
Summarization
R1(config)#interface Loopback 0
R1(config-if)#ip router isis
This loopback has the 1.1.1.1/32 prefix which will show up on R2’s level 1 database:
Metric: 10 IS R2.01
IP Address: 1.1.1.1
Metric: 10 IP 192.168.12.0 255.255.255.0
Metric: 10 IP 1.1.1.1 255.255.255.255
R2(config)#router isis
R2(config-router)#summary-address 1.0.0.0 255.0.0.0 ?
level-1 Summarize into level-1 area
level-1-2 Summarize into both area and sub-domain
level-2 Summarize into level-2 sub-domain
metric Set metric for summay route
tag Set tag
<cr>
Now let’s take a look how this influences R2’s database. Nothing will change in its level 1
database but the LSP in the level 2 database will change:
NLPID: 0xCC
Hostname: R2
Metric: 10 IS R2.02
IP Address: 192.168.23.2
Metric: 10 IP 192.168.12.0 255.255.255.0
Metric: 10 IP 192.168.23.0 255.255.255.0
Metric: 20 IP 1.0.0.0 255.0.0.0
Above we see that R2 now shows 1.0.0.0 255.0.0.0 in its database. Let’s check its routing table:
R2 has created a discard route to null 0 for the 1.0.0.0/8 summary. Let’s take a look at R3 now:
R3 receives R2’s LSP with the summary route so that’s what it will install in its routing table:
Redistribution Summarization
Now let’s see how we can summarize redistributed routes. I will redistribute the second loopback
interface of R1 into IS-IS with a simple route-map:
R1(config)#route-map L1_ONLY
R1(config-route-map)#match interface Loopback 1
R1(config)#router isis
R1(config-router)#redistribute connected route-map L1_ONLY level-1
Let’s summarize this redistributed route on R1. You can do this with the same summary-address
command:
R1(config)#router isis
R1(config-router)#summary-address 11.0.0.0 255.0.0.0 level-1
If you summarize into level 1, make sure you add the level-1 parameter or nothing will happen.
Let’s check the routing table of R1:
We can see that R1 has installed a discard route for this summary. Let’s check the level 1
database:
R1.00-00 0x00000009 0xD76F 1139 0/0/0
Area Address: 49.0012
NLPID: 0xCC
Hostname: R1
Metric: 10 IS R2.01
IP Address: 1.1.1.1
Metric: 10 IP 192.168.12.0 255.255.255.0
Metric: 10 IP 1.1.1.1 255.255.255.255
Metric: 0 IP-External 11.0.0.0 255.0.0.0
Above we can see that the route was summarized directly in the level 1 database. We can find
the summarized route in the routing table of R2:
That’s it.
Want to take a look for yourself? Here you will find the configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface Loopback1
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0001.00
is-type level-1
log-adjacency-changes
summary-address 11.0.0.0 255.0.0.0 level-1
redistribute connected route-map L1_ONLY level-1
!
route-map L1_ONLY permit 10
match interface Loopback1
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router isis
net 49.0012.0000.0000.0002.00
log-adjacency-changes
summary-address 1.0.0.0 255.0.0.0
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.23.3 255.255.255.0
ip router isis
!
router isis
net 49.0003.0000.0000.0003.00
log-adjacency-changes
!
end
Conclusion
IS-IS supports summarization but as a link-state routing protocol, there are some limitations.
You can only configure summarization between areas or on a router that is doing redistribution.
If you configure summarization on an area border router for routes in the level 1 database then it
will add the summary route in the level 2 LSP which is advertised to other areas. If you use
redistribution, then the summary route will be added directly in the level 1 or level 2 LSP.
IS-IS Filtering
IS-IS as a link-state routing protocol is a bit restrictive when it comes to filtering. All routers
within an area require a synchronized level 1 database, the same thing applies to all level 2
routers. The level 2 database has to be the same on all routers. Once an LSP is generated, you
can’t filter it anymore.
Filtering between level 1 and level 2.
Inbound filtering is possible, this doesn’t prevent an LSP from being installed in the database but
it does prevent an LSP from being installed in the routing table. It is also possible to filter level
1 LSPs from being copied to the level 2 database.
Configuration
Here is the topology we will use:
We have three routers in area 123 and one in area 4. R1 has a loopback interface with a prefix
that we will filter.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.3 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0003.00
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
router isis
net 49.0004.0000.0000.0004.00
is-type level-2-only
log-adjacency-changes
!
end
We’ll start with the distribute-list which allows us to prevent something from being installed in
the routing table. Let’s take a look at R2:
Let’s get rid of the 1.1.1.1/32 prefix. I will use an access-list for this:
R2(config)#router isis
R2(config-router)#distribute-list R1_L0 in
When you look at the level 1 database, you will see that the prefix is still there:
Metric: 10 IP 192.168.12.0 255.255.255.0
We can’t remove it from the database but it will be gone from the routing table:
Since it’s still in the database, other routers will learn about it. For example, here’s R3:
This introduces a problem. Since R2 is a transit router, R3 will never be able to reach 1.1.1.1/32.
That’s something to keep in mind…
Let’s continue. R3 and R4 still have 1.1.1.1/32 in their routing tables. Let’s see if we can prevent
this prefix from being installed on R4. Right now it does have this route in its routing table:
R4 has learned this from the level 2 LSP that R3 has generated. We can see it here:
R3 added 1.1.1.1/32 by copying it from its level 1 database to its level 2 database. Let’s see if we
can prevent that from happening…
There are two methods. You can use a distribute-list with extended access-list numbers or a
route-map. I prefer the route-map since it allows you to use named access-lists. Let’s create an
access-list that matches the loopback interface of R1:
The only thing left to do is to activate it. This is done with the redistribute command:
R3(config)#router isis
R3(config-router)#redistribute isis ip level-1 into level-2 route-map L1_L2_FILTER
This tells R3 to redistribute everything from level 1 to level 2 except for the things that we added
in our route-map. Let’s take another look at R3’s level 2 database:
As you can see, 1.1.1.1/32 is nowhere to be found anymore. This prevents R4 from learning it:
Want to take a look for yourself? Here you will find the configuration of each device.
hostname R1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.2 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0002.00
is-type level-1
log-adjacency-changes
distribute-list R1_L0 in
!
ip access-list standard R1_L0
deny 1.1.1.1
permit any
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.23.3 255.255.255.0
ip router isis
!
router isis
net 49.0123.0000.0000.0003.00
log-adjacency-changes
redistribute isis ip level-1 into level-2 route-map L1_L2_FILTER
!
ip access-list extended R1_L0
deny ip host 1.1.1.1 any
permit ip any any
!
route-map L1_L2_FILTER permit 10
match ip address R1_L0
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.34.4 255.255.255.0
ip router isis
!
router isis
net 49.0004.0000.0000.0004.00
is-type level-2-only
log-adjacency-changes
!
end
Conclusion
IS-IS, as a link-state routing protocol, is a bit limited when it comes to filtering. You can’t just
filter on any interface. Once an LSP is generated, it has to be synchronized in all databases. There
are two filtering methods, however:
- Distribute-list inbound filtering: prevents an LSP from being installed in the routing table.
- Filtering between levels: allows you to prevent a level 1 LSP from being installed in the
  level 2 database.
We can deal with this by leaking prefixes from level 2 into level 1.
A level 1-2 router has access to the local area and also knows all prefixes because of its level 2
database. We can redistribute one or more prefixes from level 2 into the local area so that level 1
routers can select the most optimal path in the network.
This is best explained with an example, so in this lesson, I’ll show you what route leaking is and
how it solves sub-optimal routing. This is the topology we will use:
We have a bunch of IS-IS routers. R8 has a loopback interface that we will try to reach from R1.
All interfaces are Gigabit Ethernet with the default metric of 10.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.13.1 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0001.00
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.2 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.13.3 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.35.3 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0003.00
log-adjacency-changes
!
end
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.24.4 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.47.4 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0004.00
log-adjacency-changes
!
end
hostname R5
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.35.5 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.56.5 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0005.00
log-adjacency-changes
!
end
hostname R6
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.56.6 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.67.6 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0006.00
log-adjacency-changes
!
end
hostname R7
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.47.7 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.67.7 255.255.255.0
ip router isis
!
interface GigabitEthernet0/3
ip address 192.168.78.7 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0007.00
log-adjacency-changes
!
end
hostname R8
!
ip cef
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.78.8 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0008.00
is-type level-1
log-adjacency-changes
!
end
i L1 192.168.24.0/24 [115/20] via 192.168.12.2, 00:04:21, GigabitEthernet0/1
i L1 192.168.35.0/24 [115/20] via 192.168.13.3, 00:04:11, GigabitEthernet0/2
i L1 192.168.47.0/24 [115/30] via 192.168.12.2, 00:04:11, GigabitEthernet0/1
R3 is the closest level 1-2 router for R1 so R1 generates a default route to R3. When we try to
reach 8.8.8.8, this is the path we use:
R1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.13.3 5 msec 10 msec 5 msec
2 192.168.35.5 7 msec 11 msec 7 msec
3 192.168.56.6 11 msec 13 msec 16 msec
4 192.168.67.7 11 msec 16 msec 11 msec
5 192.168.78.8 12 msec 10 msec *
R1 uses R3 to get to 8.8.8.8. This makes sense since R3 is the closest level 1-2 router. To reach
any networks outside of area 1234, R1 will use the default route from R3. It’s not the shortest
path however since R6 is in between R5 and R7:
We can solve this by leaking information about 8.8.8.8/32 into area 1234. When R1 learns about
8.8.8.8/32, it will no longer use the default route to reach this network.
On R4, we’ll configure route leaking. You can use a distribute-list or a route-map to select the
networks you want to leak. I’ll use a route-map since it allows you to use named access-lists.
First, we create an access-list that matches 8.8.8.8/32:
And then we create a route-map that matches the access-list we just created:
R4(config)#router isis
R4(config-router)#redistribute isis ip level-2 into level-1 route-map ROUTE_LEAKING
The command above tells R4 to leak level 2 prefixes into level 1 but only those that are
configured in the route-map. Let’s take a look at R1:
Above we see an IS-IS “ia” (interarea) route for 8.8.8.8/32 via R2. This is the leaked route. We
can also see it in the level 1 link-state database:
Above we see the interarea route that was leaked into level 1. With this specific entry, R1 will
use the most optimal path to reach 8.8.8.8:
R1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 10 msec 4 msec 6 msec
2 192.168.24.4 5 msec 7 msec 7 msec
3 192.168.47.7 9 msec 10 msec 10 msec
4 192.168.78.8 7 msec 19 msec *
The last thing we need to discuss is routing loops. R4 redistributes 8.8.8.8/32 into area 1234 so
R3 will also learn this prefix from R1.
What prevents R3 from redistributing 8.8.8.8/32 back into the level 2 database? When a prefix is
redistributed like this, the router that does the redistribution will set the distribution up/down bit.
For example, here’s the level 1 LSP from R4:
[Figure: IS-IS route leaking, redistribution up/down bit]
Above we see that R4 is advertising 192.168.24.0/24, 192.168.47.0/24 and 8.8.8.8/32 in its level
1 LSP. For 8.8.8.8/32 it has set the distribution bit to 1 (up). Another level 1-2 router like R3 will
never redistribute this back into the level 2 database.
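The two effects of the leak, R1 preferring the more specific route over its default and R3 refusing to copy the leaked prefix back into level 2, can be modelled as follows. This is an added example, not part of the original lesson: the function names and the R4_L2 prefix list are constructed, and the next hops are the first hops from the two traceroutes above.

```python
import ipaddress

def leak_l2_to_l1(l2_prefixes, permitted):
    """Leaking on an L1-2 router: permitted L2 prefixes enter its L1 LSP with up/down bit 1."""
    return [{"prefix": p, "updown": 1} for p in l2_prefixes if p in permitted]

def l1_to_l2(l1_entries, honor_updown=True):
    """Default L1 -> L2 redistribution on an L1-2 router; leaked entries must be skipped."""
    return [e["prefix"] for e in l1_entries if not (honor_updown and e["updown"])]

def next_hop(rib, dst):
    """Longest-prefix match over a {prefix: next hop} table."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in rib]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen, default=None)
    return rib[str(best)] if best is not None else None

# Constructed data following the lesson: R4 knows these prefixes through level 2 and its
# route-map ROUTE_LEAKING permits only R8's loopback.
R4_L2 = ["8.8.8.8/32", "192.168.56.0/24", "192.168.67.0/24", "192.168.78.0/24"]
R4_L1_LSP = ([{"prefix": p, "updown": 0} for p in ("192.168.24.0/24", "192.168.47.0/24")]
             + leak_l2_to_l1(R4_L2, permitted={"8.8.8.8/32"}))

# R1 before leaking: only a default route toward R3, the closest level 1-2 router.
R1_BEFORE = {"0.0.0.0/0": "192.168.13.3"}
# R1 after leaking: the /32 from R4's L1 LSP is reached through R2.
R1_AFTER = dict(R1_BEFORE, **{e["prefix"]: "192.168.12.2" for e in R4_L1_LSP if e["updown"]})

if __name__ == "__main__":
    print(next_hop(R1_BEFORE, "8.8.8.8"), next_hop(R1_AFTER, "8.8.8.8"))
    print(l1_to_l2(R4_L1_LSP))                      # what R3 copies into level 2
    print(l1_to_l2(R4_L1_LSP, honor_updown=False))  # what it would copy without the bit
```

With honor_updown=False the leaked 8.8.8.8/32 re-enters level 2 from area 1234, which is the loop the up/down bit exists to prevent.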
Want to take a look for yourself? Here you will find the configuration of each device.
hostname R1
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.13.1 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0001.00
is-type level-1
log-adjacency-changes
!
end
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.12.2 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.24.2 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0002.00
is-type level-1
log-adjacency-changes
!
end
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.13.3 255.255.255.0
ip router isis
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.24.4 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.47.4 255.255.255.0
ip router isis
!
router isis
net 49.1234.0000.0000.0004.00
log-adjacency-changes
redistribute isis ip level-2 into level-1 route-map ROUTE_LEAKING
!
ip access-list extended R8_L0
permit ip host 8.8.8.8 any
!
route-map ROUTE_LEAKING permit 10
match ip address R8_L0
!
end
hostname R5
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.35.5 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.56.5 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0005.00
log-adjacency-changes
!
end
hostname R7
!
ip cef
!
interface GigabitEthernet0/1
ip address 192.168.47.7 255.255.255.0
ip router isis
!
interface GigabitEthernet0/2
ip address 192.168.67.7 255.255.255.0
ip router isis
!
interface GigabitEthernet0/3
ip address 192.168.78.7 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0007.00
log-adjacency-changes
!
end
hostname R8
!
ip cef
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
ip address 192.168.78.8 255.255.255.0
ip router isis
!
router isis
net 49.5678.0000.0000.0008.00
Conclusion
In this lesson, you have learned how to use route leaking to ensure level 1 routers pick the most
optimal path in the network:
- Level 1 routers generate a default route to the closest level 1-2 router to reach prefixes outside
  of their own area.
- Level 1-2 routers can redistribute prefixes from level 2 to level 1 so that level 1 routes can
  choose the most optimal path.
- Prefixes that were redistributed from level 2 to level 1 have their distribution up/down bit set to
  up so that they are not redistributed back into level 2 by another level 1-2 router.