IS-IS


The Intermediate System-to-Intermediate System (IS-IS) protocol is an IGP that uses link-state information to make routing decisions. This protocol originally was developed for routing International Organization for Standardization (ISO) Connectionless Network Protocol (CLNP) packets.

An IS-IS network is a single AS, also called a routing domain, that consists of end systems and intermediate systems. End systems are network entities that send and receive packets. Intermediate systems send and receive packets and relay (forward) packets. (Intermediate system is the Open System Interconnection [OSI] term for a router.) ISO packets are called network protocol data units (PDUs).

In IS-IS, a single AS can be divided into smaller groups called areas. Routing between areas is organized hierarchically, allowing a domain to be administratively divided into smaller areas. This organization is accomplished by configuring Level 1 and Level 2 intermediate systems. Level 1 systems route within an area, and when the destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems route between areas and toward other ASs.

IS-IS uses ISO network addresses. Each address identifies a point of connection to the network, such as a router interface, and is called a network service access point (NSAP). An end system can have multiple NSAP addresses, in which case the addresses differ only by the last byte (called the n-selector). Each NSAP represents a service that is available at that node. In addition to having multiple services, a single node can belong to multiple areas.

Each network entity also has a special network address called a network entity title (NET). Structurally, an NET is identical to an NSAP address but has an n-selector of 00. Most end systems and intermediate systems have one NET. Intermediate systems that participate in multiple areas can have multiple NETs.

The following ISO addresses illustrate the IS-IS address format:

49.0001.00a0.c96b.c490.00
49.0001.2081.9716.9018.00

The first portion of the address is the area number, which is a variable number from 1 through 13 bytes. The first byte of the area number (49) is the authority and format indicator (AFI). The next bytes are the assigned domain (area) identifier, which can be from 0 through 12 bytes. In the examples above, the area identifier is 0001.

The next six bytes form the system identifier (sysid), which can be any six bytes that are unique throughout the entire domain. The system identifier commonly is the Media Access Control (MAC) address (as in the first example, 00a0.c96b.c490) or the IP address expressed in binary-coded decimal (BCD) (as in the second example, 2081.9716.9018, which corresponds to IP address 208.197.169.18). The last byte (00) is the n-selector.
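An added example, not from the book: a Python parser for the address layout described above, run on the page's two sample NETs, plus a check that no sysid is claimed by more than one router. The function names and the router inventory (r1, r2, r3) are assumptions made for illustration.

```python
import re
from collections import defaultdict

SYSID_LEN = 6  # bytes; the fixed system-identifier length described above


def parse_net(text):
    """Split a dotted-hex ISO address into AFI, area ID, sysid and n-selector."""
    hexstr = text.strip().replace(".", "")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexstr):
        raise ValueError(f"{text!r}: not a whole number of hex bytes")
    raw = bytes.fromhex(hexstr)
    # Fields are located from the right: n-selector (1), sysid (6), rest is area.
    area, sysid, nsel = raw[:-SYSID_LEN - 1], raw[-SYSID_LEN - 1:-1], raw[-1]
    if not 1 <= len(area) <= 13:
        raise ValueError(f"{text!r}: area number must be 1 through 13 bytes")
    sys_hex = sysid.hex()
    return {
        "afi": area[:1].hex(),          # first byte of the area number
        "area_id": area[1:].hex(),      # 0 through 12 bytes
        "sysid": ".".join(sys_hex[i:i + 4] for i in range(0, 12, 4)),
        "n_selector": nsel,
        "is_net": nsel == 0,            # a NET is an NSAP with n-selector 00
    }


def sysid_to_ipv4(sysid):
    """Decode a sysid written as 12 decimal digits to an IPv4 address, else None."""
    digits = sysid.replace(".", "")
    if not re.fullmatch(r"[0-9]{12}", digits):
        return None                     # e.g. a MAC-derived sysid with hex letters
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    return ".".join(map(str, octets)) if all(o <= 255 for o in octets) else None


def sysid_from_ipv4(ip):
    """Encode an IPv4 address as a sysid: each octet padded to three digits."""
    digits = "".join(f"{int(octet):03d}" for octet in ip.split("."))
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def duplicate_sysids(inventory):
    """Return {sysid: [routers]} for sysids claimed by more than one router.

    One router may list several NETs (multiple areas) with the same sysid;
    only a sysid shared between different routers is reported.
    """
    owners = defaultdict(set)
    for router, nets in inventory.items():
        for net in nets:
            owners[parse_net(net)["sysid"]].add(router)
    return {s: sorted(r) for s, r in owners.items() if len(r) > 1}


# Constructed inventory: r2 is in two areas, r3 reuses r1's sysid by mistake.
INVENTORY = {
    "r1": ["49.0001.00a0.c96b.c490.00"],
    "r2": ["49.0001.2081.9716.9018.00", "49.0002.2081.9716.9018.00"],
    "r3": ["49.0002.00a0.c96b.c490.00"],
}

if __name__ == "__main__":
    for net in INVENTORY["r1"] + INVENTORY["r2"]:
        fields = parse_net(net)
        print(net, fields, sysid_to_ipv4(fields["sysid"]))
    print("duplicates:", duplicate_sysids(INVENTORY))
```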

To provide help with IS-IS debugging, the JUNOS software supports dynamic mapping of ISO sysids to the hostname. Each system can be configured with a host name, which allows the sysid-to-hostname mapping to be carried in a dynamic hostname type length value (TLV) in IS-IS LSP packets. This permits ISs in the routing domain to learn about the ISO sysid of a particular IS.

To help provide traffic engineering and MPLS with information about network topology and loading, extensions have been added to the JUNOS implementation of IS-IS. Specifically, IS-IS supports new TLVs that specify link attributes. These TLVs are included in the IS-IS link-state PDUs. The link-attribute information is used to populate the traffic engineering database (TED), which is used by the Constrained Shortest-Path First (CSPF) algorithm to compute the paths that MPLS LSPs will take. This path information is used by RSVP to set up LSPs and reserve bandwidth for them.

In IS-IS, you can configure shortcuts, which allow IS-IS to use an LSP as the next hop as if it were a logical interface from the ingress router to the egress router. When used in this way, LSPs are no different than ATM and Frame Relay VCs, except that LSPs carry only IPv4 traffic.

Table 9.4 lists the IS-IS standards and protocol extensions supported by the JUNOS software.

Table 9.4. IS-IS Standards Supported by the JUNOS Software

| Standard | Title |
|---|---|
| ISO/IEC 10589 | Information technology, Telecommunications and information exchange between systems, Intermediate system to intermediate system intradomain routing information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473) |
| RFC 1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments |
| RFC 2763 | Dynamic Hostname Exchange Mechanism for IS-IS |
| RFC 2966 | Domain-wide Prefix Distribution with Two-Level IS-IS |
| RFC 2973 | IS-IS Mesh Groups |
| draft-ietf-isis-wg-snp-checksum-02.txt | Optional Checksums for IS-IS |
| draft-draft-isis-traffic-traffic-02 | IS-IS Extensions for Traffic Engineering |

IS-IS Packets

IS-IS uses the following PDUs to exchange protocol information:

  • IS-IS hello (IIH) PDUs: Broadcast to discover the identity of neighboring IS-IS systems and to determine whether the neighbors are Level 1 or Level 2 intermediate systems.

  • Link-state PDUs (LSPs): Contain information about the state of adjacencies to neighboring IS-IS systems. LSPs are flooded periodically throughout an area.

  • Complete sequence number PDUs (CSNPs): Contain a complete list of all LSPs in the IS-IS database. CSNPs are sent periodically on all links, and the receiving systems use the information in the CSNP to update and synchronize their LSP databases. The designated router multicasts CSNPs on broadcast links in place of sending explicit acknowledgments for each LSP.

  • Partial sequence number PDUs (PSNPs): Multicast by a receiver when it detects that it is missing an LSP; that is, when its LSP database is out of date. The receiver sends a PSNP to the system that transmitted the CSNP, effectively requesting that the missing LSP be transmitted. That router, in turn, forwards the missing LSP to the requesting router.

Configuring IS-IS

To configure IS-IS, include the following statements in the configuration. For IS-IS to run on the router, you must enable IS-IS on the router, configure a network entity title (NET) on one of the router's interfaces (preferably the loopback interface, lo0), and configure the ISO family on all interfaces on which you want IS-IS to run. When you enable IS-IS, Level 1 and Level 2 are enabled by default. In the address statement, address is the NET.

[edit]
interfaces {
  lo0 {
    unit logical-unit-number {
      family iso {
        address address;
      }
    }
  }
  type-fpc/pic/port {
    unit logical-unit-number {
      family iso;
    }
  }
}
protocols {
  isis {
    disable;
    authentication-key key;
    authentication-type authentication;
    export [ policy-names ];
    ignore-attached-bit;
    label-switched-path name level level metric metric;
    level level-number {
      authentication-key key;
      authentication-type authentication;
      external-preference preference;
      preference preference;
      wide-metrics-only;
    }
    lsp-lifetime seconds;
    multicast-topology;
    no-authentication-check;
    reference-bandwidth reference-bandwidth;
    rib-group group-name;
    overload <timeout seconds>;
    traffic-engineering {
      disable;
      shortcuts;
    }
    traceoptions {
      file name <replace> <size size> <files number> <no-stamp>
        <(world-readable | no-world-readable)>;
      flag flag <flag-modifier> <disable>;
    }
    interface interface-name {
      authentication-key key;
      authentication-type authentication;
      disable;
      checksum;
      csnp-interval (seconds | disable);
      hello-authentication-key key;
      hello-authentication-type authentication;
      lsp-interval milliseconds;
      mesh-group (value | blocked);
      passive;
      level level-number {
        authentication-key key;
        authentication-type authentication;
        disable;
        hello-authentication-key key;
        hello-authentication-type authentication;
        hello-interval seconds;
        hold-time seconds;
        metric metric;
        multicast-metric metric;
        passive;
        priority number;
        te-metric metric;
      }
    }
  }
}

Configuring IS-IS Authentication

To configure more fine-grained authentication for hello packets, see "Configuring IS-IS Levels on an Interface," on page 426.

All IS-IS protocol exchanges can be authenticated to guarantee that only trusted routers participate in the AS's routing. By default, IS-IS authentication is disabled on the router. To configure IS-IS authentication, define an authentication password and specify the authentication type. You can configure one of the following authentication methods:

  • Simple authentication: Uses a text password that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet. Simple authentication is included for compatibility with existing IS-IS implementations. However, it is recommended that you do not use this authentication method because it is insecure (the text can be "sniffed").

  • HMAC-MD5 authentication: Uses an iterated cryptographic hash function. The receiving router uses an authentication key (password) to verify the packet. HMAC-MD5 authentication is defined in RFC 2104. Note that this RFC presents only a proposal for using HMAC-MD5 with IS-IS; it is currently not a standard.

To enable authentication and specify an authentication method, include the authentication-type statement, specifying the simple or md5 authentication type:

authentication-type authentication;

To configure a password, include the authentication-key statement. The authentication password for all routers in a domain must be the same. The password can contain up to 255 characters. If you include spaces, enclose all characters in quotation marks (" ").

authentication-key key;

When using the JUNOS IS-IS software with another implementation of IS-IS, the other implementation must be configured to use the same password for the domain, the area, and all interfaces that are shared with a JUNOS implementation.

To configure IS-IS to generate authenticated packets, but not to check the authentication on received packets, include the no-authentication-check statement:

[edit protocols isis]
no-authentication-check;
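An added example, not from the book or from Juniper: a small Python audit of the authentication statements described in this section, run over two constructed protocols isis stanzas (a weak one and a corrected one). The parser, function names, interface name and keys are illustrative assumptions; it flags simple authentication, no-authentication-check, and a stanza with no authentication type at all.

```python
import re

# Constructed sample: weak settings the section warns about.
WEAK_CONFIG = """
protocols {
  isis {
    authentication-key "example-domain-key";
    authentication-type md5;
    no-authentication-check;
    level 1 {
      authentication-key "example-area-key";
      authentication-type simple;
    }
    interface so-0/0/0.0 {
      level 2 {
        hello-authentication-key "example-hello-key";
        hello-authentication-type simple;
      }
    }
  }
}
"""

# Constructed sample: the same stanza with the weak settings corrected.
HARDENED_CONFIG = """
protocols {
  isis {
    authentication-key "example-domain-key";
    authentication-type md5;
    interface so-0/0/0.0 {
      level 2 {
        hello-authentication-key "example-hello-key";
        hello-authentication-type md5;
      }
    }
  }
}
"""

AUTH_STATEMENTS = ("authentication-type", "hello-authentication-type")


def parse_block(text):
    """Parse curly-brace configuration into {'stmts': [...], 'blocks': {...}}."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    root = {"stmts": [], "blocks": {}}
    stack, words = [root], []
    for tok in tokens:
        if tok == "{":                      # words so far are the block header
            child = {"stmts": [], "blocks": {}}
            stack[-1]["blocks"][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
            words = []
        elif tok == ";":                    # end of one statement
            stack[-1]["stmts"].append(words)
            words = []
        else:
            words.append(tok)
    return root


def walk(node, scope):
    """Yield (scope, node) for a block and every nested block, in file order."""
    yield scope, node
    for header, child in node["blocks"].items():
        yield from walk(child, f"{scope} {header}")


def audit_isis(config_text):
    """Return [(scope, finding)] for weak IS-IS authentication settings."""
    tree = parse_block(config_text)
    isis = tree["blocks"].get("protocols", {"blocks": {}})["blocks"].get("isis")
    if isis is None:
        return [("protocols", "no isis stanza found")]
    findings, any_auth = [], False
    for scope, node in walk(isis, "isis"):
        for words in node["stmts"]:
            if words == ["no-authentication-check"]:
                findings.append((scope, "no-authentication-check: received packets are not verified"))
            elif len(words) == 2 and words[0] in AUTH_STATEMENTS:
                any_auth = True
                if words[1] == "simple":
                    findings.append((scope, f"{words[0]} simple: password is sent as text in the packet"))
    if not any_auth:
        findings.append(("isis", "no authentication-type: authentication is disabled by default"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_isis(WEAK_CONFIG):
        print(f"[{scope}] {finding}")
```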
Configuring Interface-Specific Properties

To configure interface-specific IS-IS properties, include the interface statement:

[edit protocols isis]
interface interface-name {
  authentication-key key;
  authentication-type authentication;
  disable;
  checksum;
  csnp-interval (seconds | disable);
  hello-authentication-key key;
  hello-authentication-type authentication;
  lsp-interval milliseconds;
  mesh-group (value | blocked);
  passive;
  level level-number {
    authentication-key key;
    authentication-type authentication;
    disable;
    hello-authentication-type authentication;
    hello-authentication-key key;
    hello-interval seconds;
    hold-time seconds;
    metric metric;
    passive;
    priority number;
    te-metric metric;
  }
}

Configuring the CSNP Interval

By default, IS-IS sends CSN packets periodically. If the router is the designated router on a LAN, IS-IS sends CSN packets every 10 seconds. If the router is on a point-to-point interface, it sends CSN packets every 5 seconds. You might want to modify the default interval to protect against LSP flooding. To modify the CSNP interval, include the csnp-interval statement. The time can range from 1 through 65,535 seconds.

[edit protocols isis interface interface-name]
csnp-interval seconds;

To configure the interface not to send any CSN packets, specify the disable option:

[edit protocols isis interface interface-name]
csnp-interval disable;

Configuring Mesh Groups

A mesh group is a set of routers that are fully connected; that is, they have a fully meshed topology. When LSP packets are being flooded throughout an area, each router within a mesh group receives only a single copy of an LSP packet instead of receiving one copy from each neighbor, thus minimizing the overhead associated with the flooding of LSP packets. To create a mesh group and designate that an interface is part of the group, assign a mesh-group number to all the router interfaces in the group:

[edit protocols isis interface interface-name]
mesh-group value;

To prevent an interface in the mesh group from flooding LSPs, configure blocking on that interface:

[edit protocols isis interface interface-name]
mesh-group blocked;

Modifying the Interface Metric

All IS-IS interfaces have a cost, which is a routing metric used in the IS-IS link-state calculation. Routes with lower total path metrics are preferred over those with higher path metrics. When several equal-cost routes to a destination exist, traffic is distributed equally among them. The cost of a route is described by a single dimensionless metric that is determined using the following formula:

  cost = reference-bandwidth / bandwidth  

reference-bandwidth is the reference bandwidth. If the reference bandwidth is not configured, all interfaces have a default metric of 10 (with the exception of the lo0 interface, which has a default metric of 0).

To modify the reference bandwidth, include the reference-bandwidth statement at the [edit protocols isis] hierarchy level:

[edit protocols isis]
reference-bandwidth reference-bandwidth;

For example, if you set the reference bandwidth to 1 Gbps (that is, reference-bandwidth is set to 1,000,000,000), a 100-Mbps interface has a default metric of 10.

Configuring Route Preferences

Route preferences are used to select which route is installed in the forwarding table when several protocols calculate routes to the same destination. The route with the lowest preference value is selected.

For more information about route preferences, see Table 9.1 on page 379.

By default, Level 1 IS-IS internal routes have a preference value of 15, Level 2 IS-IS internal routes have a preference of 18, Level 1 IS-IS external routes have a preference of 160, and Level 2 external routes have a preference of 165. To change the preference values, include the preference statement (for internal routes) or the external-preference statement (for external routes). The preference value can range from 0 through 255.

[edit protocols isis level level-number]
external-preference preference;
preference preference;

Configuring IS-IS Levels on an Interface

You can administratively divide a single AS into smaller groups called areas. There are two types of areas: Level 1 areas and Level 2 areas. Routers in Level 1 areas route within the area and, when the destination is outside the area, toward a Level 2 router. Routers in Level 2 areas route between areas and toward other ASs. You configure each router interface to be in an area. Any interface can be in any area. You can configure one Level 1 routing process and one Level 2 routing process on each interface, and you can configure the two levels differently. To configure an area, include the level statement:

[edit protocols isis interface interface-name]
level level-number {
  authentication-key key;
  authentication-type authentication;
  disable;
  hello-authentication-key key;
  hello-authentication-type authentication;
  hello-interval seconds;
  hold-time seconds;
  metric metric;
  passive;
  priority number;
  te-metric metric;
}

By default, IS-IS is enabled for Level 1 and Level 2 areas on all enabled interfaces on which the iso protocol family is enabled (at the [edit interfaces interface unit logical-unit-number] hierarchy level). To disable IS-IS at any particular level on an interface, include the disable statement:

[edit protocols isis interface interface-name level level-number]
disable;

Enabling IS-IS on an interface (by including the interface statement at the [edit protocols isis] hierarchy level), disabling it (by including the disable statement), and not actually having IS-IS run on an interface (by including the passive statement) are mutually exclusive states.

By default, IS-IS must be configured on an interface or a level for direct interface addresses to be advertised into that level. To advertise the direct interface addresses without actually running IS-IS on that interface or level, include the passive statement:

 passive; 

You can configure authentication for all IS-IS hello packets for an interface and, to achieve a more fine-grained authentication, you can configure authentication for a given IS-IS level on that interface. If you configure a point-to-point link and if you enable both levels, the hello packets are sent with the password configured for Level 1. By default, hello authentication is not configured on an interface. However, if IS-IS authentication is configured, the hello packets are authenticated using the IS-IS authentication type and password. To configure IS-IS hello packet authentication, you must define an authentication password and specify the authentication type. To enable hello authentication for an interface or level, include the hello-authentication-type statement:

[edit protocols isis interface interface-name]
or
[edit protocols isis interface interface-name level level-number]
hello-authentication-type authentication;

Routers send hello packets at a fixed interval on all interfaces to establish and maintain neighbor relationships. This interval is advertised in the hello interval field in the hello packet. By default, a designated intersystem (DIS) router sends hello packets every 3 seconds, and a non-DIS router sends hello packets every 9 seconds. To modify how often the router sends hello packets out of an interface, include the hello-interval statement:

[edit protocols isis interface interface-name level level-number]
hello-interval seconds;

The hold time is how long a neighbor should consider this router to be operative without receiving another hello packet. If the neighbor does not receive a hello packet from this router within the hold time, it marks the router as being unavailable. The default hold-time value is three times the default hello interval: 9 seconds for a DIS router and 27 seconds for a non-DIS router. To modify the hold-time value on the local router, include the hold-time statement:

[edit protocols isis interface interface-name level level-number]
hold-time seconds;

All IS-IS routes have a cost, which is a routing metric used in the IS-IS link-state calculation. The cost is an arbitrary, dimensionless integer that can range from 1 through 63, or from 1 through 2^24 - 1 (16,777,215) if you are using wide metrics. The default metric value is 10 (with the exception of the lo0 interface, which has a default metric of 0). To modify the default value, include the metric statement:

[edit protocols isis interface interface-name level level-number]
metric metric;

When traffic engineering is enabled on the router, you can configure an IS-IS metric that is used exclusively for traffic engineering. The traffic engineering metric is used for information injected into the traffic engineering database (TED). Its value does not affect normal IS-IS forwarding. To modify the default value, include the te-metric statement:

[edit protocols isis interface interface-name level level-number]
te-metric metric;

A router advertises its priority to become a designated router in its hello packets. On all multiaccess networks, IS-IS uses the advertised priorities to elect a designated router for the network. This router is responsible for sending network link-state advertisements, which describe all the routers attached to the network. These advertisements are flooded throughout a single area. The priority value is meaningful only on a multiaccess network. It has no meaning on a point-to-point interface. A router's priority for becoming the designated router is indicated by an arbitrary number from 0 through 127; routers with a higher value are more likely to become the designated router. By default, routers have a priority value of 64. To modify the interface's priority value, include the priority statement:

[edit protocols isis interface interface-name level level-number]
priority number;

Modifying the LSP Interval

By default, the router sends one link-state PDU (LSP) packet out an interface every 100 milliseconds. To modify this interval, include the lsp-interval statement. To disable the transmission of all LSP packets, set the interval to 0.

[edit protocols isis interface interface-name]
lsp-interval milliseconds;

Modifying the LSP Lifetime

By default, link-state PDUs (LSPs) are maintained in network databases for 1,200 seconds (20 minutes) before being considered invalid. This length of time, called the LSP lifetime, normally is sufficient to guarantee that LSPs never expire. To modify the LSP lifetime, include the lsp-lifetime statement. The time can range from 350 to 65,535 seconds. The LSP refresh interval is derived from the LSP lifetime and is equal to the lifetime minus 317 seconds.

[edit protocols isis]
lsp-lifetime seconds;

Advertising Label-Switched Paths into IS-IS

You can advertise label-switched paths into IS-IS as point-to-point links, and the label-switched paths can be used in SPF calculations. The advertisement contains a local address (the from address of the label-switched path), a remote address (the to address of the label-switched path), and a metric with a precedence that either uses the label-switched path metric defined under IS-IS, uses the label-switched path metric configured for the label-switched path under MPLS, or, if you do not configure any of the above, uses the default IS-IS metric of 10. To advertise label-switched paths, include the label-switched-path statement, with a specified level and metric:

[edit protocols isis]
label-switched-path name level level metric metric;

See Chapter 11, "MPLS Applications," on page 519.

Before a label-switched path can be announced as a link and used in SPF calculations, you must configure a label-switched path in both directions between two label-switched routers.

Configuring the Router to Appear Overloaded

You can configure the local router so that it appears to be overloaded. You might want to do this when you want the router to participate in IS-IS routing, but do not want it to be used for transit traffic. (Note that traffic to immediately attached interfaces continues to transit the router.) To mark the router as overloaded, include the overload statement:

[edit protocols isis]
overload;

To specify the number of seconds at which overload is reset, include the timeout option when specifying the overload statement. The time can range from 60 through 1,800 seconds.

[edit protocols isis]
overload timeout seconds;

IS-IS and Multipoint Configurations

IS-IS does not support multipoint configurations. Therefore, when configuring Frame Relay or ATM networks, you must configure them as collections of point-to-point links, not as multipoint clouds.

Configuring IS-IS Traffic Engineering Attributes

You can configure various attributes related to IS-IS traffic engineering. Normally, IS-IS metrics can have values up to 63, and IS-IS generates two TLVs, one for an IS-IS adjacency and the second for an IP prefix. To allow IS-IS to support traffic engineering, a second pair of TLVs has been added to IS-IS, one for IP prefixes and the second for IS-IS adjacency and traffic engineering information. With these TLVs, IS-IS metrics can have values up to 2^24 - 1 (16,777,215). By default, the JUNOS software allows a maximum metric value of 63 and generates both pairs of TLVs. To configure IS-IS to generate only the new pair of TLVs and thus to allow the wider range of metric values, include the wide-metrics-only statement. By default, the JUNOS software supports the sending and receiving of wide metrics.

[edit protocols isis]
wide-metrics-only;

See Chapter 11, "MPLS Applications," on page 519.

IS-IS always performs SPF calculations to determine next hops. For prefixes reachable through a particular next hop, IS-IS places that next hop for that prefix in the inet.0 routing table. In addition, for routers running MPLS, IS-IS also installs the prefix in the inet.3 routing table. The inet.3 table, which is present on the ingress router, contains the host address of each MPLS label-switched path's egress router. BGP uses this routing table to resolve next-hop addresses. If you enable IS-IS traffic engineering shortcuts, and if there is a label-switched path to a point along the path to that prefix, IS-IS installs the prefix in the inet.3 routing table and uses the label-switched path as a next hop. The net result is that for BGP egress routers for which there is no label-switched path, BGP automatically uses a label-switched path along the path to reach the egress router. To configure IS-IS so that it uses label-switched paths as shortcuts when installing information in the inet.3 routing table, include the shortcuts statement. Because the inet.3 routing table is present only on ingress routers, you can configure label-switched path shortcuts only on these routers.

[edit protocols isis]
traffic-engineering {
  shortcuts;
}

By default, IS-IS supports traffic engineering by exchanging basic information with the traffic engineering database (TED). To disable this support, and to disable IS-IS shortcuts if they are configured, include the disable statement:

[edit protocols isis]
traffic-engineering {
  disable;
}

Configuring IS-IS Multicast Extensions

Most multicast routing protocols perform a reverse-path forwarding (RPF) check on the source of multicast data packets. If a packet comes in on the interface that is used to send data to the source, the packet is accepted and forwarded to one or more downstream interfaces. Otherwise, the packet is discarded and a notification is sent to the multicast routing protocol running on the interface. In certain instances, the unicast routing table used for the RPF check is also the table used for forwarding unicast data packets. Thus, unicast and multicast routing are congruent. In cases in which it is preferred that multicast routing be independent of unicast routing, the multicast routing protocols are configured to perform the RPF check using an alternate unicast routing table, inet.2. You can configure IS-IS to calculate an alternate multicast topology in addition to the normal unicast topology, and add the corresponding routes to the inet.2 routing table. The IS-IS interface metrics for the multicast topology can be configured independently of the unicast metrics. You can also selectively disable interfaces from participating in the multicast topology while continuing to participate in the regular unicast topology. This lets you exercise control over the paths that multicast data takes through a network so that it is independent of unicast data paths.

To enable support for multicast extensions, include the multicast-topology statement:

[edit protocols isis]
multicast-topology;

To set the multicast metric on a level, include the multicast-metric statement:

[edit protocols isis interface interface-name level level-number]
multicast-metric metric;

Disabling IS-IS on the Router

To disable IS-IS on the router without removing the IS-IS configuration statements from the configuration, include the disable statement:

[edit protocols]
isis {
  disable;
}

Configuring IS-IS Routing Policy

For IS-IS, you can apply routing policies that affect how the routing protocol process (rpd) exports routes into IS-IS. You should not apply routing policies that affect how routes are imported into the routing table; doing so with a link-state protocol could easily lead to an inconsistent topology database. To apply routing policies, include the export statement:

[edit protocols isis]
export [ policy-names ];

Tracing IS-IS Protocol Traffic

To trace IS-IS protocol traffic, include the traceoptions statement:

[edit protocols isis]
traceoptions {
  file name <replace> <size size> <files number> <no-stamp>
    <(world-readable | no-world-readable)>;
  flag flag <flag-modifier> <disable>;
}

You can specify the following IS-IS-specific options:

  • all: All IS-IS information

  • csn: Complete sequence number PDU (CSNP) packets

  • error: Errored packets

  • general: General events

  • hello: Hello packets

  • lsp: Link-state PDU (LSP) packets

  • lsp-generation: Link-state PDU generation packets

  • normal: Normal events

  • packets: All IS-IS protocol packets

  • policy: Policy processing

  • psn: Partial sequence number PDU (PSNP) packets

  • route: Routing information

  • spf: Shortest-path-first (SPF) calculations

  • state: State transitions

  • task: Routing protocol task processing

  • timer: Routing protocol timer processing

For more information about tracing and global tracing options, see the JUNOS technical documentation.

You can optionally specify one or more of the following flag modifiers:

  • detail: Detailed trace information

  • receive: Packets being received

  • send: Packets being transmitted



Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185
