Configuring Integrated IS-IS

Integrated IS-IS is unique among the IP routing protocols covered in this book for a couple of reasons. First, it is the only protocol that must be enabled both as a process and on individual interfaces. Second, it is the only IP routing protocol that was not originally designed for IP. Because Integrated IS-IS uses CLNS PDUs rather than IP packets, the configuration is not always as obvious as that of the other protocols.

An interesting side effect of the fact that Integrated IS-IS is a CLNS protocol is that the IP addresses of neighboring routers have no influence on the formation of adjacencies. As a result, IS-IS does not have the adjacency restrictions concerning secondary IP addresses that OSPF has. However, another result is that two interfaces with IP addresses from completely different subnets can become adjacent. IP will not work in such a situation, but the fact that the adjacency makes the link only "half broken" can cause some troubleshooting confusion.

Case Study: A Basic Integrated IS-IS Configuration

A basic Integrated IS-IS process is configured on a Cisco router in four steps:

1. Determine the area in which the router is to be located and the interfaces on which IS-IS is to be enabled.

2. Enable IS-IS with the command router isis. ^[19]

   ^[19] The router isis command can also be given a name , such as router isis Warsaw . If IS-IS and ISO-IGRP are configured on the same router, one or both of the processes must be named. If ISO-IGRFP is not configured, naming is unnecessary.

3. Configure the NET with the net command.

4. Enable Integrated IS-IS on the proper interfaces with the command ip router isis . This command must be added not only to transit interfaces (interfaces connected to IS-IS neighbors) but also to interfaces connected to stub networks whose IP addresses should be advertised by IS-IS.

Figure 10.41 shows a small six-router internetwork divided into two areas. In the NETs, areas 1 and 2 will be encoded as 00.0001 and 00.0002, respectively, and the System IDs will be the MAC identifiers of the E0 or TO0 interfaces of each router. Table 10.4 shows the NETs encoded with this information.

Table 10.4. The NETs used for the IS-IS configurations of the routers in Figure 10.41.

The configurations of Paris, London, Brussels, and Amsterdam are:

Paris

 
 clnsrouting 
 ! 
 interfaceSerial0 
 ipaddress10.1.255.5255.255.255.252 
 iprouterisis 
 ! 
 interfaceTokenRing0 
 ipaddress10.1.2.1255.255.255.0 
 iprouterisis 
 ring-speed16 
 ! 
 interfaceTokenRing1 
 ipaddress10.1.7.1255.255.255.0 
 iprouterisis 
 ring-speed16 
 ! 
 routerisis 
 net00.0001.0000.3090.6756.00 
 

London

 
 clnsrouting 
 ! 
 interfaceEthernet0 
 ipaddress10.1.3.2255.255.255.0 
 iprouterisis 
 ! 
 interfaceSerial0 
 ipaddress10.1.255.6255.255.255.252 
 iprouterisis 
 ! 
 routerisis 
 net00.0001.0000.0c0a.2c51.00 
 

Brussels

 
 clnsrouting 
 ! 
 interfaceEthernet0 
 ipaddress10.1.3.1255.255.255.0 
 iprouterisis 
 ! 
 interfaceEthernet1 
 ipaddress10.1.4.1255.255.255.0 
 iprouterisis 
 ! 
 routerisis 
 net00.0002.0000.0c76.5b7c.00 
 

Amsterdam

 
 clnsrouting 
 ! 
 interfaceEthernet0 
 ipaddress10.1.4.2255.255.255.0 
 iprouterisis 
 ! 
 interfaceEthernet1 
 ipaddress10.1.5.1255.255.255.0 
 iprouterisis 
 ! 
 interfaceEthernet2 
 ipaddress10.1.6.241255.255.255.240 
 iprouterisis 
 ! 
 routerisis 
 net00.0002.0000.0c04.dcc0.00 
 

The configurations of Berlin and Rome are similar. A detail that you should notice is that CLNS routing is enabled in these configurations. The CLNS routing is necessary to handle the CLNS PDUs used by IS-IS. However, the clns routing command was not entered as a configuration step. Rather, the router entered it automatically when IS-IS was enabled.

Figure 10.42 shows Paris' route table. Notice that the table contains both L1 and L2 routes. By default, Cisco routers are L1/L2 routers. This fact is also apparent by observing the routers' IS neighbor tables, as in Figure 10.43.

Because every router in the internetwork of Figure 10.41 is an L1/L2, every router has formed both an L1 adjacency and an L2 adjacency. Consequently, every router has both an L1 and an L2 LS database. For example, Figure 10.44 shows the LS databases of Amsterdam. The L1 database contains an LSP originated by Amsterdam (0000.0c04.dcc0.00-00) ^[20] and an LSP originated by Brussels (0000.0c76.5b7c.00-00). It also contains a pseudonode LSP (0000.0c76.5b7c.03-00) originated by Brussels, representing the Ethernet link between Brussels and Amsterdam. Remember that the LSP ID is recognizable as that of a pseudonode LSP because the next -to-last octet, the Pseudonode ID, is non-zero .

^[20] As discussed earlier, the asterisk after the LSP ID indicates that the LSP was originated by this router.

The three LSPs indicate that Amsterdam's only L1 adjacency is with Brussels. This single adjacency is expected because Brussels is the only other router in area 2. Comparing Amsterdam's L2 database with the System IDs in Table 10.4 reveals that Amsterdam has an L2 adjacency with every router in the IS-IS domain, which is also expected because every router is an L1/L2.

Case Study: Changing the Router Types

In a small internetwork like the one in Figure 10.41, leaving all routers at their default type is acceptable. As the internetwork grows, these defaults become less and less acceptable. Not only is the processing and maintenance of two LS databases a burden on the router's CPU and memory, the L1 and L2 IS-IS PDUs being originated by every router become a burden on the buffers and bandwidth.

Paris, Berlin, and Amsterdam in Figure 10.41 can be configured as L1 routers, because they have no direct connection to another area. To change the default router type, use the command is-type . For example, to make Berlin an L1 router its configuration is:

 
 routerisis 
 net00.0001.0000.3090.c7df.00 
 is-typelevel-1 
 

Paris and Amsterdam are configured similarly. Comparing Paris' route table in Figure 10.45 with its route table in Figure 10.42 shows that the L2 routes have been deleted. Similarly, comparing Figure 10.46 with Figure 10.44 shows that Amsterdam now has only an L1 LS database.

With the L1 configurations shown so far, IP routing is not completely functional. Recall from the earlier discussion of the ATT bit in the LSPs that an L1/L2 router uses the ATT bit to tell L1 routers that it has an inter-area connection. Figure 10.47 shows that both London's LSP (0000.0c0a.2c51.00-00) and Rome's LSP (0000.0c0aA.2aa9.00-00) have ATT = 1. So Paris should know to send inter-area traffic to either London or Rome. In other words, Paris should have a default route to London or Rome, with London being preferred because it is metrically closer. Unfortunately, Figure 10.45 shows that there is no default route (0.0.0.0) in Paris' route table.

The problem is that the ATT bit is a CLNS function, and the IP process cannot directly interpret the bit. There are two solutions to the problem. The first solution is to enable IS-IS for CLNS on the interfaces in addition to IS-IS for IP. For example, the serial interface configurations for London and Paris are:

London

 
 interfaceSerial0 
 ipaddress10.1.255.6255.255.255.252 
 iprouterisis 
 clnsrouterisis 
 

Paris

 
 interfaceSerial0 
 ipaddress10.1.255.5255.255.255.252 
 iprouterisis 
 clnsrouterisis 
 

Figure 10.48 shows that Paris now has a default IP route pointing to London and that a ping to an inter-area destination is successful.

This first solution works in a dual CLNP/IP environment, but if IS-IS is being used as an IP-only routing protocol, enabling CLNS routing just for default IP routes may be undesirable. A second solution to the default route problem is to configure a static default route on the L1/L2 router and configure IS-IS to advertise the default with the command default-information originate . Using this method in area 2 of Figure 10.41, the Brussels' configuration is:

 
 routerisis 
 net00.0002.0000.0c76.5b7c.00 
 default-informationoriginate 
 ! 
 iproute0.0.0.00.0.0.0Null0 
 

Figure 10.49 shows Amsterdam's route table with the default route that has been advertised by Brussels and a successful ping to an inter-area destination. Default routes and the default-information originate command are discussed in more detail in Chapter 12, "Default Routes and On-Demand Routing."

Case Study: An Area Migration

To change area addresses in an OSPF domain, downtime must be scheduled. However, IS-IS is designed to allow areas to be changed nondisruptively. As discussed in "Operation of Integrated IS-IS," Cisco routers can be configured with up to three area addresses. For two routers to form an L1 adjacency, they must have at least one area address in common. With multiple area addresses allowed, a new adjacency can take over while an old adjacency is being broken. This approach is useful when areas are being consolidated or split, when an area is being renumbered, or when area addresses assigned by multiple addressing authorities are being used in the same IS-IS domain.

For example, the routers in Figure 10.50(a) all have an area address of 01. (A NET of one of these routers would look like 01.0000.0c12.3456.00.) In Figure 10.50(b), the routers have been assigned an additional area address of 03. Although multiple adjacencies are not actually formed, the routers do recognize that they have multiple area addresses in common. In Figure 10.50(c), area 01 has been removed from one of the routers. All three routers remain adjacent, because they all have at least one area address in common. Finally, in Figure 10.50(d), all of the 01 area addresses have been removed and the routers are all in area 03. At no time during the area migration was an adjacency lost.

Suppose that the "powers that be" over the internetwork in Figure 10.41 decree that the area addressing scheme being used is inappropriate and should become GOSIP compliant. After registering with the U.S. GSA, the following components are to be used to construct the NETs:

The new NETs are shown in Table 10.5.

Table 10.5. The new GOSIP-format NETs to be assigned to the routers in Figure 10.41.

The first step in changing the area addresses is to add the new NETs to the routers without changing the old NETs. Rome's IS-IS configuration is:

 
 routerisis 
 net00.0001.0000.0c0a.2aa9.00 
 net47.0005.8000.ab7c.0000.ffe9.0001.0000.0c0a.2aa9.00 
 

The other five routers are configured similarly. The results can be observed by using the detail keyword with either the show isis database command (Figure 10.51) or the show clns is-neighbors command (Figure 10.52). In both databases, multiple areas are associated with each router in the internetwork.

The last step of the migration is to delete the old NET statements from all routers. For example, under Rome's IS-IS configuration the command no net 00.0001.0000.0c0a.2aa9.00 is entered. Figure 10.53 shows some of the LSPs in Rome's database after the old NET statements have been removed from the routers.

Case Study: Route Summarization

Route summarization between areas in a link state protocol is introduced in Chapter 9. A more complete discussion of summarization, in the context of default routes, is presented in Chapter 12. Briefly, summary routes are useful because:

• They reduce the size of LSPs, which reduces the size of the link state database; consequently, memory and CPU are conserved.

• They hide instabilities within areas. If an address within a summary range changes or a link changes state, the change is not advertised outside of the summarized area.

The primary disadvantages of summary routes are:

• Their effectiveness is dependent on being able to summarize a contiguous range of IP addresses, so addresses must be planned carefully .

• They can reduce route precision by hiding the details of the area. If there are multiple paths into a summarized area, the best path cannot be determined.

Summarization is enabled under the IS-IS configuration with the summary-address command. Any more-specific destination addresses that fall within the summarization range are suppressed, and the metric of the summary route is the smallest metric of all the more-specific addresses.

Figure 10.54 shows an IS-IS internetwork with three areas. The addresses within area 1 can be summarized with 172.16.0.0/21, and the addresses within area 3 can be summarized with 172.16.16.0/21. The configurations of Zurich, Madrid, and Bonn are ^[21] :

^[21] Notice that Madrid, which has no L1 neighbors, is configured as an L2 router.

Zurich

 
 routerisis 
 net01.0000.0c76.5b7c.00 
 summary-address172.16.0.0255.255.248.0 
 

Madrid

 
 routerisis 
 net02.0000.3090.6756.00 
 is-typelevel-2-only 
 

Bonn

 
 routerisis 
 net03.0000.0c0a.2aa9.00 
 summary-address172.16.16.0255.255.248.0 
 

Notice that Madrid, which has no L1 neighbors, is configured as an L2 router. Zurich and Bonn are summarizing their areas into the level 2 backbone. The results of the summarization can be seen in Madrid's route table (Figure 10.55).

Case Study: Authentication

IS-IS authentication is limited to cleartext passwords only. This mode of authentication provides weak security against a determined attack on the internetwork but is effective for preventing service disruptions from misconfigured or unauthorized routers.

Cisco IOS supports IS-IS authentication on three levels: between neighbors, area wide, and domain wide. The three authentication levels can be used by themselves or together. The rules for IS-IS authentication are:

• When authenticating between neighbors, the same password must be configured on the connecting interfaces.

• When authenticating between neighbors, authentication must be configured separately for L1 and L2 adjacencies.

• When performing area-wide authentication, every router in the area must perform authentication and must have the same password.

• When performing domain-wide authentication, every L2 and L1/L2 router in the IS-IS domain must perform authentication and must have the same password.

To authenticate between neighbors, the isis password command is used to configure a password on the connected interfaces. The command specifies a password and specifies whether the password is for L1 or L2 adjacencies. Passwords for either or both levels can be specified on an interface, and the passwords for each level can be the same or different passwords. When configured, the passwords are carried in authentication information CLVs in the L1 or L2 Hellos between IS-IS neighbors.

For example, to authenticate between Geneva, Zurich, and Madrid in Figure 10.54, the configurations are:

Geneva

 
 interfaceEthernet0 
 ipaddress172.16.4.1255.255.255.0 
 iprouterisis 
 isispasswordAlpslevel-1 
 

Zurich

 
 interfaceEthernet0 
 ipaddress172.16.4.2255.255.255.0 
 iprouterisis 
 isispasswordAlpslevel-1 
 ! 
 interfaceSerial0 
 ipaddress172.16.8.2255.255.255.0 
 iprouterisis 
 isispasswordPyreneeslevel-2 
 

Madrid

 
 interfaceSerial1 
 ipaddress172.16.8.1255.255.255.0 
 iprouterisis 
 isispasswordPyreneeslevel-2 
 

Since the adjacency between Geneva and Zurich is L1, only a level 1 password (Alps) is specified. Between Zurich and Madrid, only an L2 adjacency exists, so a level 2 password (Pyranees) is used. Note that if no level-1 or level-2 keyword is specified, the isis password command defaults to level 1.

To authenticate within an area, the area-password command is used to specify a password under the IS-IS configuration. Whereas the password specified by the isis password command is carried in Hellos, the password specified by the area-password command is carried in all L1 LSPs, CSNPs, and PSNPs. So the neighbor-level password regulates the establishment of adjacencies, and the area-level password regulates the exchange of level 1 link state information. If area authentication is not configured correctly, routers will still become adjacent but L1 LSPs will not be exchanged.

To configure area passwords in area 3 of Figure 10.54, the configurations of Bonn and Frankfurt are:

Bonn

 
 routerisis 
 net03.0000.0c0a.2aa9.00 
 area-passwordRhine 
 summary-address172.16.16.0255.255.248.0 
 

Frankfurt

 
 routerisis 
 net03.0000.0c04.dcc0.00 
 is-typelevel-1 
 area-passwordRhine 
 

To authenticate domain wide, the domain-password command is used. The password specified by this command is carried in L2 LSPs, CSNPs, and PSNPs. As a result, domain authentication regulates the exchange of level 2 route information. Like area authentication, domain authentication does not authenticate L2 adjacencies, but does authenticate the exchange of L2 LSPs.

To configure domain authentication in the internetwork of Figure 10.54, only Zurich, Madrid, and Bonn must be configured because Geneva and Frankfurt are L1 routers. The configurations are:

Zurich

 
 routerisis 
 net01.0000.0c76.5b7c.00 
 domain-passwordBlackForest 
 area-passwordSwitzerland 
 summary-address172.16.0.0255.255.248.0 
 

Madrid

 
 routerisis 
 net02.0000.3090.6756.00 
 is-typelevel-2-only 
 domain-passwordBlackForest 
 

Bonn

 
 routerisis 
 net03.0000.0c0a.2aa9.00 
 domain-passwordBlackforest 
 area-passwordRhine 
 summary-address172.16.16.0255.255.248.0