IS-IS Operation



Post on 26-May-2020



12/10/19


IS-IS Operation


IS-IS

• Intermediate System to Intermediate System

• Designed for OSI networks to carry CLNS traffic (RFC 1142 - ISO 10589)
  – CLNP was to OSI what IPv4/IPv6 is to TCP/IP

• TCP/IP (IPv4) support added with RFC 1195

• RFC 5308 added IPv6 capability (two new TLVs)

• RFC 5120 allowed multi-topology
  – Separate topologies for IPv4 and IPv6 (separate SPF graphs for each AF)


IS-IS Terminologies

• End System – Host
• Intermediate System – Router
• Circuit – Interface
• Domain – Autonomous System


IS-IS

• Runs natively on Layer 2 (Data Link)

  – Agnostic to Layer-3 protocols
  – Not vulnerable to IP-based attacks!

• Is a link state routing protocol

• All IS-IS packets are sent to two well-known L2 multicast addresses
  – 0180:C200:0014 (L1 – Edge)
  – 0180:C200:0015 (L2 – Backbone)

[Figure: IS-IS PDU inside a Layer-2 frame – Frame Header | IS-IS Header | TLV (sub-TLV) | Frame Trailer]


Link State Operation

• Each IS (router) learns about its links and connected networks
  – Builds a link state packet (LSP)
• Floods the LSP to all its neighbors
  – Stores all LSPs learned from its neighbors in an LSDB, and floods them to its other neighbors
• Computes the best path to each destination using the SPF algorithm
  – Once all routers have received all LSPs (same view of the network!)


Link State Operation

Topology Information is kept in a Database separate from the Routing Table

[Figure: routers Q, X, Y and Z with link costs; each router’s link state (Z’s, Q’s, X’s) is stored in the LSDB, separate from the routing table]


Shortest Path First (SPF) Tree

• Router places itself at the root of SPF tree when calculating the best path


IS-IS Addressing

• e2e communication requires a unique address at the network layer
  – OSI networks use NSAP addressing
  – Assigned to an entire node (not to individual interfaces)
• IS-IS uses one NSAP address per router
  – Also called Network Entity Title (NET)
  – Similar to a router-ID in uniquely identifying the router


NSAP Address

• NSEL (selector)
  – Always zero (00) for IS-IS; indicates “this system”
  – No adjacency if otherwise
• System ID
  – Uniquely identifies the router
  – Link-state routing requires every router to be unique (router-id)
  – Generally uses BCD encoding
    • Ex: take the 32-bit loopback address (192.168.2.117), write every octet as 3 digits (192168002117), and place a dot after every 4 digits (1921.6800.2117)

[Figure: NSAP layout – AFI (1 byte) | Area-ID (2 bytes) | Sys-ID (6 bytes) | N-SEL (1 byte); AFI plus Area-ID form the Area address (1-13 bytes)]

NSAP Address

• AFI (first byte)
  – Address family ID: tells how to interpret the Area-ID
  – 39: per country code (DCC)
  – 45: E.164 (phone numbering)
  – 46: international organization code
  – 49: private addressing (think RFC 1918 for OSI)
• Area-ID
  – Indicates the area (generally 2 bytes)
  – Ex: 0001 – Area-1


NSAP Address

• Example:
  – IPv4 loopback: 192.168.1.1
  – Router in Area-1
• NSAP address:
  – 49.0001.1921.6800.1001.00

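A worked version of the NET construction on slides 9-11, added here as an example (not the deck's code): it BCD-encodes a loopback into the Sys-ID, assembles AFI.Area-ID.Sys-ID.NSEL, and splits a NET back into its fields, refusing a non-zero NSEL because, as the slide says, no adjacency would form. The 8 to 20 byte length bound is the NSAP size limit and is an assumption added here.

```python
# Added example (not the deck's code): build a NET from a loopback address the
# way slides 9-11 describe and split a NET back into AFI, Area-ID, Sys-ID and
# NSEL, refusing a non-zero NSEL (no adjacency would form). The 8..20-byte
# length bound is the NSAP size limit and is assumed here.
import ipaddress

NSEL_THIS_SYSTEM = "00"   # selector must be 00 for IS-IS: "this system"

def sysid_from_loopback(addr: str) -> str:
    """BCD-encode an IPv4 address: 192.168.2.117 -> 1921.6800.2117."""
    octets = ipaddress.IPv4Address(addr).packed
    digits = "".join(f"{o:03d}" for o in octets)         # 12 decimal digits
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_net(afi: str, area_id: str, loopback: str) -> str:
    """AFI.Area-ID.Sys-ID.NSEL, e.g. 49.0001.1921.6800.1001.00."""
    return f"{afi}.{area_id}.{sysid_from_loopback(loopback)}.{NSEL_THIS_SYSTEM}"

def parse_net(net: str) -> dict:
    """Split a NET: 1-byte AFI, variable Area-ID, 6-byte Sys-ID, 1-byte NSEL."""
    hexstr = net.replace(".", "").lower()
    if len(hexstr) % 2 or not 16 <= len(hexstr) <= 40:
        raise ValueError("NET must be 8 to 20 bytes of hex")
    int(hexstr, 16)                                       # reject non-hex input
    afi, nsel = hexstr[:2], hexstr[-2:]
    sys_id = hexstr[-14:-2]               # the 6 bytes right before the NSEL
    area_id = hexstr[2:-14]               # whatever sits between AFI and Sys-ID
    if nsel != NSEL_THIS_SYSTEM:
        raise ValueError(f"NSEL {nsel} is not 00: not a NET, adjacency refused")
    return {"afi": afi, "area_id": area_id, "sys_id": sys_id, "nsel": nsel,
            "area_address": afi + area_id}     # AFI + Area-ID = area address

def same_area(net_a: str, net_b: str) -> bool:
    """L1 adjacencies need matching area addresses; L2 adjacencies do not."""
    return parse_net(net_a)["area_address"] == parse_net(net_b)["area_address"]
```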

IS-IS Routing Hierarchy

• Uses a 2-level hierarchy
  – Level-1 (areas/edge)
  – Level-2 (backbone)
• Level-1 routing
  – Routing within the same area (intra-area)
• Level-2 routing
  – Routing between different areas (inter-area)

[Figure: three areas (Area-1, Area-2, Area-3); L1 routers inside each area, L1L2 routers at the area borders, L2 routers in the backbone]


IS-IS Routing Hierarchy

• Each link in IS-IS carries one of three tags
  – L1, L2, or L1L2
  – Tells the router which topology/routing level the link participates in
• L1 router
  – Neighbors only in the same area
  – Advertises the list of directly connected ES/hosts (directly connected networks)
  – Maintains the Level-1 LSDB


IS-IS Routing Hierarchy

• L2 router
  – Could have neighbors in different areas (area-ID does not have to match for adjacency)
  – Exchanges area prefixes (so that areas can reach each other)
  – Maintains the L2 LSDB
• L1L2 router:
  – Can have neighbors in any area
  – Separate LSDBs for each level
  – Forms both L1 and L2 adjacencies


IS-IS Route Leaking

• Leaks routing information from L1 (areas) to L2 (backbone)
  – Similar to OSPF
• Does NOT leak routes down from L2 to L1
  – L2/L1L2 routers set the Attach (ATT) bit in the routing messages (LSPDUs) they send into their respective areas (to the L1 routers)
  – L1 routers calculate the shortest path to the nearest L2/L1L2 router (that sent the message) and install a default route to that L2/L1L2 router


IS-IS Packet Types

• IIH (IS-IS Hello)
  – For neighbor discovery and maintaining adjacency
    • P2P links: a single IIH PDU for both L1 and L2 adjacencies (receipt of an IIH resets the hold-timer for both levels)
    • Broadcast links: separate IIH PDUs for L1 and L2 adjacencies
  – IIH PDU contains:
    • Source ID (Sys-ID of the sender)
    • Holding Time – 30 secs (time until the neighbor is declared dead)
    • PDU length (includes the 8-byte common header and TLVs)
    • *The hold-timer (hello interval) does not have to match in IS-IS!
  – Hellos are sent periodically to maintain the neighbor adjacency (Hold-timer/Hello multiplier)


IS-IS Neighbor Discovery

• Once IS-IS is enabled on an interface
  – The router sends out a Hello to discover any IS-IS speaking router on the other end
  – Generally uses a 3-way handshake
    • A sends out a Hello to B
    • B responds with its own Hello as an Ack
    • IS Neighbor TLV#6 – neighbor’s MAC address for bcast, and Adj State TLV#240 for P2P - DIU
    • A responds with one more Hello to acknowledge B’s hello
  – Once the 3-way handshake is complete, the neighbor relationship is established!
    • IS-IS adjacent or neighbors


IS-IS Packet Types

• LSP (link-state PDU)
  – Smallest element of the LSDB
  – LSPDU has:
    • Common header and Payload (TLVs)
  – Headers:
    • LSP-ID
    • Lifetime (aging of LSPs – 1200 secs)
    • Sequence Number (newness of the info)
  – LSP-ID:
    • Sys-ID: uniquely identifies the router
    • Pseudonode-ID: identifies a designated router
    • Fragment-ID: if the TLVs exceed the MTU, the router creates several LSPs with the same S-ID and P-ID but increasing F-ID, each carrying a subset of the TLVs.


LSP Flooding

• Once adjacency is formed
  – The router floods its link-state info (LSP) to all its neighbors
  – Receiving routers store the LSP in the LSDB, and flood it to all their other neighbors
    • Eventually, every router receives the LSP
  – New LSPs are generated and flooded whenever there is a topology change
    • Link failure or new networks being added
    • Rerun the SPF algorithm to compute best paths


IS-IS Packet Types

• CSNP
  – Complete sequence number PDUs
  – Similar in function to DBDs in OSPF
    • To synchronise the LSDB
  – CSNP carries a complete list of LSPs in the sender’s LSDB
    • Receiver compares the LSPs in the CSNP with its LSPs
    • Requests missing LSPs
  – CSNPs are exchanged:
    • P2P: during initial adjacency build-up
    • Broadcast: originated periodically by the DIS


IS-IS Packet Types

• PSNP
  – Partial sequence number PDUs
  – Similar in function to LS Request and LS Ack in OSPF
    • To request particular LSPs or acknowledge an LSP

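An added example (not the deck's code) of the CSNP comparison that slides 18, 20 and 21 describe: the receiver walks the sender's complete LSP list, decides which LSPs to request with a PSNP and which of its own newer LSPs to flood back, and only installs a received LSP when it is newer. It assumes the CSNP covers the whole LSP-ID range and compares sequence numbers only; LSP-IDs are written Sys-ID.Pseudonode-ID-Fragment-ID and the sample LSDB and CSNP are constructed.

```python
# Added example (not the deck's code): a receiver processing a CSNP against
# its own LSDB. Sequence numbers decide newness; the CSNP is assumed to list
# the sender's whole LSDB. Sample data below is constructed.
from dataclasses import dataclass

@dataclass
class LspEntry:
    lsp_id: str     # "1921.6800.1001.00-00": Sys-ID . Pseudonode-ID - Fragment-ID
    seq: int        # sequence number (higher = newer copy)
    lifetime: int   # remaining lifetime in seconds (slide: aged from 1200)

def split_lsp_id(lsp_id: str) -> tuple:
    """Return (sys_id, pseudonode_id, fragment_id); pseudonode 0 = the router's
    own LSP, non-zero = a pseudonode LSP originated by a DIS."""
    sys_id, rest = lsp_id.rsplit(".", 1)
    pnode, frag = rest.split("-")
    return sys_id, int(pnode, 16), int(frag, 16)

def process_csnp(lsdb: dict, csnp: list) -> dict:
    """What the receiver does after comparing: request (PSNP) what it lacks or
    holds an older copy of, flood what it holds a newer copy of or what the
    sender does not list at all."""
    request, flood, listed = [], [], set()
    for remote in csnp:
        listed.add(remote.lsp_id)
        local = lsdb.get(remote.lsp_id)
        if local is None or local.seq < remote.seq:
            request.append(remote.lsp_id)      # missing or stale here
        elif local.seq > remote.seq:
            flood.append(remote.lsp_id)        # our copy is newer
        # equal sequence numbers: both sides are in sync for this LSP
    flood += [lsp_id for lsp_id in lsdb if lsp_id not in listed]
    return {"request": request, "flood": flood}

def apply_lsp(lsdb: dict, lsp: LspEntry) -> bool:
    """Install a received LSP only if it is newer than what we hold; returns
    True when the LSDB changed (and SPF would have to be rerun)."""
    local = lsdb.get(lsp.lsp_id)
    if local is not None and local.seq >= lsp.seq:
        return False
    lsdb[lsp.lsp_id] = lsp
    return True

# Constructed sample: our LSDB and a CSNP received from a neighbor
SAMPLE_LSDB = {e.lsp_id: e for e in [
    LspEntry("1921.6800.1001.00-00", 5, 1100),   # our own LSP
    LspEntry("1921.6800.1001.01-00", 2, 1000),   # pseudonode LSP we originate as DIS
    LspEntry("1921.6800.2117.00-00", 3, 900)]}
SAMPLE_CSNP = [LspEntry("1921.6800.1001.00-00", 5, 1090),
               LspEntry("1921.6800.2117.00-00", 4, 950),
               LspEntry("1921.6800.3003.00-00", 1, 1200),
               LspEntry("1921.6800.3003.00-01", 1, 1200)]
```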

IS-IS Link Types

• Point-to-Point links
  – Only one possible neighbor (adjacency) on the link
• Broadcast/Multi-access links
  – More than one neighbor (adjacencies) on the link


Designated IS

• To scale adjacencies on multi-access links
  – Number of adjacencies
  – Number of LSPs flooded
    • Contains the same information
• One DIS elected (pre-emptive!)
  – Router with the highest IS-IS interface priority
    • Priority field in the IIH
  – Else, the router with the highest MAC address
    • Source SNPA (subnetwork point of attachment)
• All other routers form adjacency with the DIS
  – LSPs only sent to the DIS, the DIS floods to others

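An added example (not the deck's code) of the DIS election rule on slide 23: highest interface priority wins, the highest source MAC (SNPA) breaks ties, and the election is pre-emptive, so a newcomer with a better tuple takes the role. The neighbor records and MAC addresses are constructed.

```python
# Added example (not the deck's code): DIS election on a broadcast link as
# slide 23 states it: highest IIH priority wins, the highest source MAC (SNPA)
# breaks ties, and the election is pre-emptive. Neighbor data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class LanNeighbor:
    sys_id: str
    priority: int   # 0..127, the priority field carried in the LAN IIH
    snpa: str       # source MAC of the IIH frame, e.g. "00:00:0c:00:00:01"

def election_key(n: LanNeighbor) -> tuple:
    if not 0 <= n.priority <= 127:
        raise ValueError("IIH priority is a 7-bit field")
    # unlike OSPF, IS-IS has no 'never DIS' priority: 0 still takes part
    return (n.priority, int(n.snpa.replace(":", ""), 16))

def elect_dis(neighbors: list) -> LanNeighbor:
    """Every IS seen on the LAN (including ourselves) takes part."""
    if not neighbors:
        raise ValueError("no IS on the link")
    return max(neighbors, key=election_key)

def dis_after_join(lan: list, newcomer: LanNeighbor) -> tuple:
    """Pre-emption: the DIS is re-evaluated when a new IS shows up. Returns the
    DIS afterwards and whether it changed (a change means a new pseudonode LSP)."""
    before = elect_dis(lan)
    after = elect_dis(lan + [newcomer])
    return after, after != before
```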

IPv4 Encoding

• ISO 10589
  – IS Reachability TLV#2
    • For neighbor adjacency
    • Only the default metric is propagated and used for SPF (default SPF topology)
    • Only 6 bits for the metric (old/narrow metrics)!
    • Neighbor ID: System-ID + Pseudonode-ID
• RFC 1195
  – IP Reachability TLV#128
    • Directly connected routes
    • When IS-IS is enabled on an interface (adjacency formed), all IPv4 addresses are encoded in TLV#128 and announced


IPv4 Encoding

• RFC 1195 (IP Support)
• IS-IS for TCP/IP
  – Protocols Supported TLV#129
    • Allowed IS-IS to be multiprotocol
    • 1-byte network layer protocol ID (NLPID)
    • 0xCC for IPv4 and 0x8E for IPv6
  – Interface Address TLV#132
    • The source interface address of the LSP
    • Adjacency validity: if an IS (router) sees its own IP address in a received IIH, the adjacency won't be established

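An added example (not the deck's code) that decodes a LAN IIH end to end: the 8-byte common header (discriminator 0x83, header length, PDU type), the LAN IIH fields slide 16 lists (source ID, holding time, PDU length, priority) and the TLVs slide 25 discusses, TLV#129 with its NLPIDs and TLV#132 with the own-address check, plus Padding TLV#8. The sample PDU is built by the same script; the LAN ID and TLV payload values are constructed.

```python
# Added example (not the deck's code): decode the 8-byte IS-IS common header
# and walk the TLVs of a LAN IIH, checking what slides 16 and 25 describe:
# PDU length, holding time, priority, NLPIDs in TLV#129 and the own-address
# rule for TLV#132. The sample PDU bytes are constructed here.
import ipaddress
import struct

PDU_TYPES = {15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH", 18: "L1 LSP",
             20: "L2 LSP", 24: "L1 CSNP", 25: "L2 CSNP", 26: "L1 PSNP", 27: "L2 PSNP"}
NLPID = {0xCC: "IPv4", 0x8E: "IPv6"}          # network layer protocol IDs
IIH_HDR = "!B6sHHB7s"                          # circuit type, src ID, hold, len, prio, LAN ID

def tlv(t: int, value: bytes) -> bytes:
    return bytes([t, len(value)]) + value

def fmt_sysid(raw: bytes) -> str:              # b'\x19\x21...' -> "1921.6800.1001"
    return ".".join(raw.hex()[i:i + 4] for i in range(0, 12, 4))

def build_lan_iih(level: int, sys_id: bytes, hold: int, prio: int, tlvs: bytes) -> bytes:
    """Common header (length 27, PDU type 15/16 = L1/L2 LAN IIH) + LAN IIH header."""
    pdu_len = 27 + len(tlvs)
    common = struct.pack("!8B", 0x83, 27, 1, 0, 14 + level, 1, 0, 0)
    hdr = struct.pack(IIH_HDR, level, sys_id, hold, pdu_len, prio, sys_id + b"\x01")
    return common + hdr + tlvs

def parse_lan_iih(pdu: bytes, my_ips=()) -> dict:
    disc, hlen, _, idlen, ptype, ver, _, _ = struct.unpack("!8B", pdu[:8])
    if disc != 0x83 or ver != 1 or idlen not in (0, 6):   # 0x83 = IS-IS discriminator
        raise ValueError("not an IS-IS PDU")
    ptype &= 0x1F                                          # PDU type is the low 5 bits
    if ptype not in (15, 16):
        raise ValueError(f"not a LAN IIH: {PDU_TYPES.get(ptype, ptype)}")
    _, src, hold, plen, prio, lan_id = struct.unpack(IIH_HDR, pdu[8:27])
    if plen != len(pdu):
        raise ValueError("PDU length field disagrees with the frame payload")
    out = {"type": PDU_TYPES[ptype], "source_id": fmt_sysid(src), "hold": hold,
           "priority": prio & 0x7F, "lan_id": lan_id.hex(), "tlvs": {}, "reject": None}
    off = hlen
    while off + 2 <= plen:                                 # TLV = type, length, value
        t, n = pdu[off], pdu[off + 1]
        v = pdu[off + 2:off + 2 + n]
        off += 2 + n
        if t == 129:
            out["tlvs"]["protocols"] = [NLPID.get(b, hex(b)) for b in v]
        elif t == 132:
            out["tlvs"]["ipv4"] = [str(ipaddress.IPv4Address(v[i:i + 4])) for i in range(0, n, 4)]
        elif t == 8:
            out["tlvs"]["padding"] = out["tlvs"].get("padding", 0) + n
    for ip in out["tlvs"].get("ipv4", []):
        if ip in my_ips:                                   # slide 25: adjacency validity check
            out["reject"] = f"own address {ip} seen in TLV#132"
    return out

# Constructed sample: L1 LAN IIH from 1921.6800.1001, hold 30 s, priority 64
SAMPLE_IIH = build_lan_iih(1, bytes.fromhex("192168001001"), 30, 64,
                           tlv(129, b"\xcc\x8e") + tlv(132, ipaddress.IPv4Address("192.168.10.1").packed)
                           + tlv(8, b"\x00" * 20))
```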

IPv4 Encoding

• RFC 3784 (IS-IS Extensions)
  • To overcome the 6-bit metric space
  • And allow more information to be carried
  – Extended IS Reachability TLV#22
    • Replaces TLV#2
    • 24-bit metric (16,777,216) – wide metrics!
    • Variable length TLV (sub-TLVs): additional link information - neighbor address, link bandwidth, etc.


IPv4 Encoding

• RFC 3784 (IS-IS Extensions)
  – Extended IP Reachability TLV#135
    • Replaces TLV#128
    • Allows encoding of variable-length IPv4 prefixes (only encode/decode those bits which contain useful information)


IPv6 Encoding

• RFC 5308 (IPv6 support)
  – Two new TLVs defined to support the IPv6 AF
  – IPv6 Interface TLV#232
    • Similar in function to TLV#132
    • Source interface address of an LSP (link-local address)
  – IPv6 Reachability TLV#236
    • Similar in function to TLV#135
    • Encodes directly connected IPv6 prefixes


IS-IS Multi-topology

• RFC 5120
  – Single topology: both IPv4 and IPv6 share the same SPF topology
    • Per-link orientation
  – Multi-topology: separate SPF topology for the IPv4 and IPv6 AF
    • Per-AF/per-protocol orientation
    • Each router maintains separate adjacencies per topology and runs per-topology SPF
    • Allows incremental IPv6 rollout
  – Topologies Supported TLV#229
    • 12-bit Top-ID in the IIH
    • Informs that a link can be a part of both the IPv4 (0) and IPv6 (2) topologies


IS-IS Metric

• Cisco IOS: all interfaces have a default metric of 10
  – No granularity for different link capacities
• ISPs define a static interface metric
  – Sets the interface metric to 1000: is-is metric 1000 level-2
• The path with the lowest cumulative metric to a destination is chosen as the best path!
  – Load balances over equal-cost paths!


IS-IS best-path

• Lowest cumulative metric = best path
• Load balances over equal-cost paths

[Figure: two example topologies mixing FE links (metric 10) and GE links (metric 1)]
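An added example (not the deck's code) tying slides 7, 15, 30 and 31 together: SPF with the computing router at the root, every equal-cost next hop kept, run once with IOS's default metric of 10 on every interface and once with explicit metrics, followed by the L1 router's default-route choice toward the nearest router that set the ATT bit. The six-link topology, router names and the FE/GE metric values are constructed.

```python
# Added example (not the deck's code): SPF with the computing router at the
# root, keeping every equal-cost next hop, run once with IOS's default metric
# of 10 on all links and once with explicit metrics; then the L1 behaviour of
# pointing a default route at the nearest router that set the ATT bit.
# Topology and metric values are constructed.
import heapq

def spf(links: dict, root: str) -> dict:
    """Dijkstra over links = {node: {neighbor: metric}}.
    Returns {node: (cost, [next hops])}; equal-cost next hops are all kept."""
    best = {root: (0, [])}
    heap = [(0, root, "")]
    while heap:
        cost, node, via = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                 # stale heap entry
        for nbr, metric in links[node].items():
            nxt = nbr if node == root else via       # first hop out of the root
            new = cost + metric
            if nbr not in best or new < best[nbr][0]:
                best[nbr] = (new, [nxt])
                heapq.heappush(heap, (new, nbr, nxt))
            elif new == best[nbr][0] and nxt not in best[nbr][1]:
                best[nbr][1].append(nxt)             # ECMP: load balance
                heapq.heappush(heap, (new, nbr, nxt))
    return best

def default_route(best: dict, att_routers: set):
    """Slide 15: an L1 router points 0/0 at the nearest L2/L1L2 router whose
    LSP carries the ATT bit. Returns (router, next hops) or None."""
    reachable = [(best[r][0], r) for r in att_routers if r in best]
    if not reachable:
        return None
    _, r = min(reachable)                            # ties broken by name here
    return r, best[r][1]

def build_links(topology: list, metrics: dict) -> dict:
    links = {}
    for a, b, kind in topology:                      # metrics are per interface,
        links.setdefault(a, {})[b] = metrics[kind]   # so set both directions
        links.setdefault(b, {})[a] = metrics[kind]
    return links

# Constructed topology: A reaches D over one FE path (via B) and two GE paths
FE, GE = "FE", "GE"
TOPOLOGY = [("A", "B", FE), ("B", "D", FE), ("A", "C", GE), ("C", "D", GE),
            ("A", "E", GE), ("E", "D", GE)]
DEFAULT_METRICS = {FE: 10, GE: 10}   # IOS default: every interface costs 10
TUNED_METRICS = {FE: 10, GE: 1}      # e.g. "isis metric 1 level-2" on GE links
```

With default metrics the FE path and the GE paths tie and traffic is split three ways; with explicit metrics only the two GE paths remain equal-cost.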

IS-IS Design Considerations

• The IGP design goal is to ensure scalability and convergence
  – The fewer the prefixes carried, the faster the convergence
  – Primarily used for BGP next-hop reachability
  – Only carries infra addresses (P2P and loopbacks) but NEVER customer routes
• Suppress unnecessary IIH
  – Where no adjacency is expected: passive-interface <int-ID>
• Suppress DIS election on p2p links: isis network point-to-point


IS-IS Design Considerations

• Use wide metrics only
  – Generate extended TLVs (suppress RFC 1195 TLVs): metric-style wide
• Use a single level (multi-level only if you must)
  – Multiple levels could slow convergence!
    • For BGP reachability, we will need to leak /32 (/128) prefixes between levels (L1->L2) and rerun SPF
  – Start with a single L2 network (extend to L1 if necessary): is-type level-2-only
    • Up to 500-800 routers in one L2
    • Areas must match in L1

IS-IS Design Considerations

• Avoid black holes
  – Use the Overload bit (O-bit)
    • When a router sends an LSP with the O-bit set, routers will ignore the LSPs from this router in their SPF calculation
    • Compute paths that do not traverse this router!
    • BGP (iBGP!) has to wait for IS-IS to converge and is slower after that too
    • Default 5 mins: set-overload-bit on-startup wait-for-bgp


IS-IS Design Considerations

• Enable Authentication
  – Authenticate the source of IIH/LSPs
    • No unauthorised neighbor relationships and route injections
  – Either plain-text or HMAC-MD5 (recommended)
    • Requires a key chain
  – Per-interface authenticates IIH (adjacency)
    • Both levels on P2P; separate for each level on broadcast
  – Per-level authenticates LSP/SNPs

key chain <name>
 key <ID>
  key-string <password>

(config-if)#isis authentication mode md5 [level-1/2]
(config-if)#isis authentication key-chain <name> [level-1/2]

(config-router)#authentication mode md5 [level-1/2]
(config-router)#authentication key-chain <name> [level-1/2]

IS-IS Design Considerations

• Disable IIH Padding
  – The IIH has a dedicated Padding TLV#8 to test the MTU of a link (bloats the IIH up to 1492 bytes)
    • Could waste bandwidth (IOS pads every IIH!)
  – Disable IIH padding if the link supports 1492 bytes: no hello padding
• Enable neighbor aliveness tracking
  – Instead of relying on IIH timers (30s), use Bidirectional Forwarding Detection (BFD)
    • BFD detects link failures within milli/micro seconds

(config-if)#bfd interval 50 min_rx 50 multiplier 5
(config-if)#isis bfd
OR
(config-router)#bfd all-interfaces


IOS Configuration

router isis 17821
 net 49.0001.1921.6800.1001.00
 is-type level-2-only
 metric-style wide
 set-overload-bit on-startup wait-for-bgp
 log-adjacency-changes
 passive-interface loopback0
 !
 address-family ipv6
  set-overload-bit on-startup wait-for-bgp
  multi-topology
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
 ipv6 address 2406:6400::2/128
!
interface GigabitEthernet0/1/0
 ip address 192.168.10.1 255.255.255.252
 ip router isis 17821
 ipv6 address 2406:6400:E::/127
 ipv6 router isis 17821
 isis network point-to-point
 isis metric 1 level-2
 isis ipv6 metric 1 level-2
!

- Start the IS-IS process
- Set the NSAP/NET address
- Define it as an L2 router (default is L1L2 – up to 800 routers in a level)
- Log neighbor changes
- Use wide metrics (extended TLVs)
- Suppress IIH on Lo0
- Use the O-bit
- Separate SPF topology for each AF (protocol)
- Enable IS-IS for the IPv4/IPv6 AF on the interface (advertise prefixes and send IIH for adjacency)
- Suppress DIS election (P-ID)
- Set the interface metric to 1 for both topologies
- The passive command is enough to advertise the prefixes (without ip/ipv6 router isis 17821)

IS-IS verification

sh isis/clns neighbor - To see neighbor adjacencies (Sys-ID replaced by hostname)
sh clns interface <int-ID> - Details about IS-IS on an interface
sh isis database - To see the LSDB for each level: LSP-ID (Sys-ID.PID.Frag), Seq#, Hold time, ATT/P/OL
sh clns protocol - More details about the IS-IS configuration: Process-ID, Sys-ID, area, IS-IS enabled interfaces, metric type
