The above example shows a very simple policy. It creates a policy named all-statics under the policy-options branch of the configuration hierarchy. Next, it defines the match and action clauses. If the route’s originating protocol is “from” static, then accept that prefix. Note that in the “then” part no detailed action is actually specified for the prefix. This is largely dependent on which routing protocol has called the policy, and where the policy is applied.
For example, if the policy is applied as an export policy within OSPF:
This means that all prefixes that are installed in the inet.0 routing table and are static routes (these alone match the policy all-statics) will be redistributed into OSPF and announced to all OSPF neighbours.
But if the same policy is applied as an export policy within BGP:
3.3.9 Further Documentation
The entire documentation about Juniper Networks Routers is available on the Juniper Networks public website at http://www.juniper.net/techpubs/. Further documentation and books about JUNOS routing technology are posted at http://www.juniper.net/company/jnbi/.
3.4 Conclusion
Both JUNOS and IOS offer the network operator powerful user interfaces to provision, troubleshoot and change the network and router configurations. Interestingly, although both (IOS and JUNOS) user interfaces are different, there are plenty of common elements, such as plain-text ASCII configuration files, two working modes (operational mode and configuration mode), auto-completion of commands, Emacs-style keyboard sequences, and a rich debugging facility. Experience from training NOC teams has shown that because of these common elements, an engineer who is used to one router OS can, after a short learning and introduction phase, pick up the necessary skills to adapt to a new environment quickly and easily.
This chapter provides a quick overview of IS-IS. A lot of the topics introduced in this chapter will be explained in more detail in subsequent chapters. If you just want to get a quick overview of how IS-IS works, all you have to do is read this chapter.

Readers of the basic specification of IS-IS (ISO 10589) will most likely be surprised by the constant use of OSI jargon that tries to invent an OSI counterpart for every term and acronym used in IP and the Internet. So reading this often arcane language for understanding can be very difficult. Also, there is a lot of extra information contained in the base specification unrelated to the protocol itself, like implementation details and even advice on how to code. However, most of this advice is completely outdated and it has become common to ignore most of the specification text. Once you have developed an understanding of the jargon and of which paragraphs not to read and consider, you will find that IS-IS is a lean but powerful protocol, easy to use and even simpler to understand.

However, jargon cannot be completely avoided in IS-IS. This chapter also assumes that readers are familiar with the basic concepts of the OSPF routing protocol and the terms used in the IP protocol family. At first, there will be translation of OSI jargon to IP terminology, but later in the book we use the OSI terms, which should become familiar as the book progresses.
4.1 IS-IS and the OSI Reference Model
IS-IS is very different from other network routing protocols because it runs natively on Layer 2 of the OSI Reference Model. What does that mean? Unlike the IP routing protocols like RIP, OSPF and BGP, IS-IS does not need valid interface addressing information to transmit a message. Of course IS-IS needs some information to properly transmit routing messages, but compared to other IP routing protocols, the IS-IS configuration file is far smaller.

Running natively on Layer 2 of the OSI Reference Model has another important aspect, which is suitability for routing multiple protocols. In fact IS-IS is totally agnostic about what kind of prefixes it transports in its message. Figure 4.1 shows the position of IS-IS in the networking stack. Here, IS-IS messages are directly encapsulated for an 802.3 Ethernet. And in the message is reachability information from the various network layer protocols such as IPv4, IPv6 and even IPX. Netware uses a clone of IS-IS called Netware Link State Routing Protocol (NLSRP), which shares most of the message types with IS-IS, and it is used for conveying Netware’s IPX reachability information. Figure 4.1 also shows, somewhat surprisingly for those used to IP, that ISO’s Layer 3 protocol, CLNP, is dependent on IS-IS and not the other way around as it would be with IP and OSPF. This misconception is common, as we have learned over and over again when giving IS-IS training classes. Most students think that running CLNP is the prerequisite for running IS-IS. This belief is reinforced if the students first learn about IS-IS on Cisco’s IOS. For code legacy reasons, you have to enable CLNS routing first before you can run IS-IS on IOS platforms. Even for the majority of IOS show commands there is still only the show clns … syntax instead of show isis …. Therefore most people think that IS-IS runs over CLNP, even though the contrary is the case. IS-IS is an independent protocol and CLNP is just one of the many protocol address families it can transport.
IS-IS only understands two interface types: broadcast and point-to-point (p2p) media. The most common example of broadcast media is of course the family of Ethernet speeds (10, 100, 1000, 10,000 Mbps). But there are also older technologies like Token Ring and FDDI. In recent years there has been increased demand for Resilient Packet Ring (RPR) technology, which is mostly an FDDI knockoff, but augmented with SONET/SDH headers, which makes the frames transportable using SONET/SDH Time Division Multiplexing (TDM) equipment. Resilient Packet Rings appear to IS-IS as broadcast media using the usual LAN 48-bit IEEE MAC addresses. Of all these media types, Ethernet is the most commonplace by far and is also the only broadcast media type that will be referenced throughout the book.

Figure 4.2 shows how a native IS-IS message is encapsulated in Ethernet frames. All IS-IS messages are sent to one of the two well-known multicast MAC addresses 0180:c200:0014 or 0180:c200:0015. On broadcast media such as Ethernet there are no IS-IS unicast messages. IS-IS wants to make sure that every router connected to the LAN hears all of its messages. The source MAC address is typically the burned-in-address (BIA) of the sending Ethernet port. Next is the length field, which tells the receiver how long the entire Ethernet frame will be. The next two bytes indicate the destination service attachment point (DSAP) and source service attachment point (SSAP). Each major networking protocol has an SAP code point assigned. The two SAPs indicate which parts of the system talk to each other. A DSAP of 0xFE and a SSAP of 0xFE means that an OSI protocol on the sender side wants to talk to an OSI protocol on the receiver side (oddly, the DSAP and SSAP don’t have to match, but most protocols only understand other versions of themselves). The last byte before the common IS-IS header is the control byte which tells the receiver if the sender desires flow-control at the Ethernet level. IS-IS does not do flow-control at the MAC level, and turns it off using the code point value of 3.

FIGURE 4.1 IS-IS is a true multiprotocol IGP as it runs native on Layer-2
For Ethernet there are in general three different methods of encapsulating higher layer information (packets) inside Ethernet frames. The encapsulation method shown in Figure 4.2 is called 802.3 or, in Cisco Systems-IOS-speak, SAP encapsulation. There is also the Ethernet II encapsulation, also known as DIX or ARPA encapsulation, which replaces the length field of the 802.3 encapsulation format with a 16-bit type code. Assigning all type codes with values greater than 1500 (the limit for the length field) avoids collisions between code points and valid frame lengths, which must be less than 1518 bytes altogether. The final encapsulation method is called sub-network access protocol (SNAP), and is an extension of the IEEE 802.3 encapsulation. The DSAP and SSAP are set to 0xAA (the “SNAP SAP”) and this indicates that another 5-byte header follows, which gives the protocols inside more room for type information and eases the allocation of code points for vendor-proprietary protocols. This is achieved by prepending the 3-byte organizational unit identifier (OUI) that each Ethernet vendor has been assigned before the 2-byte protocol code point (which is actually the DIX Ethernet type field that the length field replaced!).

Interestingly, IS-IS never used any other encapsulation than 802.3. So although there are OSI code points for the two other encapsulation methods (Ethernet II and SNAP) they have never been widely used for IS-IS. Most IS-IS implementations did not even accept IS-IS messages with a non-IEEE 802.3 encapsulation style. Today, IEEE 802.3 encapsulation is the only possible Ethernet encapsulation for IS-IS and the two others are considered to be “illegal”.
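The encapsulation rules above (length field rather than type code, 0xFE/0xFE/0x03 LLC header, multicast destination, 27-byte minimum message) written as a frame check; this is an added example, not code from the book. The sample frames are constructed, the FCS is a zero placeholder that is not verified, and 0x83 is the discriminator byte shown in the book's common header figure.

```python
import struct

# Constants from the text and Figure 4.2.
ISIS_MULTICAST = {bytes.fromhex("0180c2000014"), bytes.fromhex("0180c2000015")}
OSI_LLC = (0xFE, 0xFE, 0x03)      # DSAP, SSAP, Control
SNAP_SAP = 0xAA
MAX_8023_LENGTH = 1500            # anything larger is an Ethernet II type code
MIN_ISIS_PDU = 27
IRPD_ISIS = 0x83                  # first byte of the IS-IS common header
# Two MACs + length + DSAP + SSAP + control + FCS = 21 bytes of overhead.
ETH_OVERHEAD = 6 + 6 + 2 + 1 + 1 + 1 + 4


def max_isis_pdu(link_mtu):
    """Largest IS-IS message that fits one frame on a link with this MTU."""
    return link_mtu - ETH_OVERHEAD


def classify_frame(frame, link_mtu=1518):
    """Return (verdict, reason) for a raw Ethernet frame that includes the FCS.

    The FCS is not verified; only the encapsulation rules are checked.
    """
    if len(frame) < 14 + 3 + 4:
        return ("reject", "truncated")
    dst, _src, length = struct.unpack("!6s6sH", frame[:14])
    if length > MAX_8023_LENGTH:
        return ("reject", "ethernet-ii encapsulation")
    dsap, ssap, control = frame[14:17]
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        return ("reject", "snap encapsulation")
    if (dsap, ssap, control) != OSI_LLC:
        return ("ignore", "not an osi llc frame")
    # Assumption: the 802.3 length counts the LLC header plus the PDU, so it
    # is used here to strip Ethernet padding from short frames.
    if length < 3 or 14 + length + 4 > len(frame):
        return ("reject", "length field inconsistent")
    pdu = frame[17:14 + length]
    if not pdu or pdu[0] != IRPD_ISIS:
        return ("ignore", "osi but not is-is")
    if dst not in ISIS_MULTICAST:
        return ("reject", "destination is not an is-is multicast mac")
    if len(pdu) < MIN_ISIS_PDU:
        return ("reject", "pdu shorter than 27 bytes")
    if len(pdu) > max_isis_pdu(link_mtu):
        return ("reject", "pdu larger than link mtu allows")
    return ("accept", "is-is over 802.3")


def build_frame(dst_hex, llc, pdu, ethertype=None):
    """Build a constructed test frame (zero FCS, padded to 64 bytes)."""
    src = bytes.fromhex("020000000001")          # constructed source MAC
    body = bytes(llc) + pdu
    field = ethertype if ethertype is not None else len(body)
    frame = bytes.fromhex(dst_hex) + src + struct.pack("!H", field) + body
    frame += bytes(max(0, 60 - len(frame)))      # Ethernet minimum padding
    return frame + bytes(4)                      # placeholder FCS


# Constructed samples: a minimal 27-byte PDU that only carries the 0x83 byte.
MIN_PDU = bytes([IRPD_ISIS]) + bytes(26)
SAMPLES = {
    "multicast 0014": build_frame("0180c2000014", OSI_LLC, MIN_PDU),
    "multicast 0015": build_frame("0180c2000015", OSI_LLC, MIN_PDU),
    "unicast": build_frame("02000000000a", OSI_LLC, MIN_PDU),
    "snap": build_frame("0180c2000014", (0xAA, 0xAA, 0x03), MIN_PDU),
    "ethernet ii": build_frame("0180c2000014", OSI_LLC, MIN_PDU, 0x0800),
    "short pdu": build_frame("0180c2000014", OSI_LLC, MIN_PDU[:20]),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:15s} {classify_frame(frame)}")
    print("max PDU, standard Ethernet:", max_isis_pdu(1518))
```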
FIGURE 4.2 IS-IS messages are transported over Ethernet using IEEE 802.3 (802.2 LLC) encapsulation only
Frame fields (bytes): Destination MAC Address, 0180:c200:0014 or 0180:c200:0015 (6); Source MAC Address (6); IEEE 802.3 Length field (2); IEEE 802.3 DSAP, 0xFE (1); IEEE 802.3 SSAP, 0xFE (1); IEEE 802.3 Control, 0x03 (1); IS-IS common header & TLVs (min.: 27, max.: Link MTU-21); FCS (4)

Inside the frame is the native IS-IS message, which can be a minimum of 27 bytes and at maximum the size of the link MTU minus 21 bytes. If you do the mathematics, 21 bytes is the sum of the two MAC addresses, DSAP, SSAP, Control byte fields, plus the 4 bytes of trailing frame check sequence (FCS) at the end of the frame. The link MTU size varies with the type of Ethernet chipset in use. All Ethernet network interface cards (NICs) must support at least the standard Ethernet MTU of 1518 bytes (including FCS). However, there are chipsets around which can generate jumbo frames, which are Ethernet frames up to 9000 bytes in length. That’s the reason the maximum IS-IS packet length is dependent on the actual link MTU size and is not a simple number. The maximum amount of IS-IS information that can be stored in a standard Ethernet frame is 1518 minus 21, or 1497 bytes. IS-IS must ensure that it does not transmit frames any larger than that even if it has to fragment the IS-IS message and scatter pieces across several Ethernet frames (there is no support for fragmentation on the Ethernet level). There is more about fragmentation and how IS-IS deals with larger than link-MTU-sized packets in Chapter 9.

For point-to-point media there are a variety of encapsulations like PPP, Cisco-HDLC, Frame Relay and ATM RFC1483/2684 encapsulation. However, the most common encapsulation is the Point-to-Point-Protocol (PPP), which will be the only one that is used throughout the book. PPP has been designed to carry multiple network layer protocols. Figure 4.3 shows the PPP model of multiplexing several protocols over a single link. First, a protocol called the PPP line control protocol (LCP) opens up the circuit and first negotiates parameters concerning the link. Examples of LCP duties are negotiation of authentication, compression, three-way handshake etc.
Next, for each network protocol like IP, IPX, IPv6 and OSI, there is a dedicated control protocol (CP). For instance, the IP Control Protocol (IPCP) assigns an IP address when dialling in to a service provider’s access server. So the control protocol negotiates per-network-protocol properties. For encapsulation of IS-IS messages over the point-to-point circuit, first, the OSICP has to come up successfully. OSICP is a very lightweight protocol, sometimes not even considered a protocol, more like something along the lines of a capability announcement like “Hey! I can speak OSI, so you can send me OSI frames if you want.” Once the control protocol is done, the payload frames are transported using a per-protocol assigned code point. Figure 4.4 shows the structure of an IS-IS frame that has been encapsulated in PPP. The frame simply gets prepended using the OSI code point 0x0023. Minimum frame size (assuming the smallest possible IS-IS message of 27 bytes) is 27 plus 4 (PPP overhead), or 31 bytes. The biggest frame once again depends on the link MTU size of the underlying circuit. Typically, SONET/SDH circuits have a maximum transmission unit of 4474 bytes. By subtracting the PPP overhead (4 bytes) from the 4474 bytes, this results in 4470 being the maximum MTU size on most point-to-point circuits.

FIGURE 4.3 Before traffic is transported the OSI control protocol and PPP line control protocol have to get into opened state

IS-IS skipped all the hassle of complicated varieties of encapsulation and interface models by specifying very clearly in the specification how the format of the final frame looks. This clearly helped interoperable implementations to exist right from the beginning.
FIGURE 4.4 IS-IS over PPP
Frame fields (bytes): PPP Header, 0xFF03 (2); PPP OSI Protocol, 0x0023 (2); IS-IS common header & TLVs (min.: 31, max.: Link MTU-4)

4.2 Areas
OSI structures its network topology in a distinctive way. IS-IS is much more flexible when it comes down to migrating parts of the network to another routing protocol or grooming existing ones. The tool to make that happen is called an area.

In the infancy of link-state protocols, the whole network consisted of a single set of routers that all shared a common database to compute the best paths through the network. At this time almost everybody working in standardization bodies seemed to be concerned about the nature of the SPF algorithm and doubted the scaling abilities of link-state routing protocols in general. In light of the exponential nature of the SPF algorithm, where the CPU demand seemed to grow infinite, the IS-IS protocol developers made an interesting move.

The idea was to structure a large network in smaller parts called areas. The topological horizon of the IS-IS routers becomes smaller to keep the CPU less busy during the route calculation process. But if a bigger network is split into smaller networks, then a set of disjoint sub-networks results. In order to connect these islands there need to be routers that route traffic between the areas. Even if the topological horizon and hence the computational complexity of the SPF run has been reduced, the network still has to retain all available reachability information and the routers at the area borders inject that reachability information into each other’s areas. Figure 4.5 shows how this is done. The Big IS-IS network 4711 is split into two areas: Area 47 and Area 11. The computational complexity has been halved; however, in order to ensure full connectivity the router between Area 47 and Area 11, Router A, summarizes and injects all the reachable prefixes from Area 47 to Area 11, and Router B does the reverse. The IP prefixes in this example assume the reader is familiar with IP addressing and style. However, the transported prefixes are not restricted to just IP, they could be from any address family. Router A and Router B summarize their local prefixes and advertise them into the other areas. Router A sends a summary route 172.16/16 representing the local 172.16.X/24 prefixes (including its own) towards Area 11 and Router B sends a summary route 172.17/16, resulting from all the local 172.17.X/24 prefixes in Area 11, to Area 47.
The effect is remarkable – today, 1000–2000 routers in a single area are said to represent the upper boundary of IS-IS. With support of areas the network can grow to arbitrary size – today the biggest multi-area networks have about 12,000–15,000 routers. The authors do not endorse these optimistic area numbers, since a lot is dependent on other factors than just the raw number of routers. But the above example should make it clear that by splitting up a large network into several smaller areas, the result is a network that is much more scalable than with a single-area approach.

Note that in Figure 4.5 Router A and Router B are members of their assigned areas and are not part of both areas. To those familiar with OSPF, this may seem odd at first, but IS-IS makes a distinction between area boundaries and the routing hierarchy levels that result. Decoupling area boundaries from routing hierarchy levels allows greater flexibility for migrating, joining, or splitting areas. The tool in IS-IS for creating routing hierarchies is called a level.
FIGURE 4.5 For a working hierarchical routing, the border routers need to summarize the reachability information of their areas and inject it to the other areas

4.3 Levels
To understand why the introduction of an area leads to the idea of a level scheme to denote routing hierarchies, compare the OSPF routing hierarchy with IS-IS. Figure 4.6 shows the differences between OSPF areas and IS-IS areas. In OSPF, the area border router (ABR) has two interfaces in each area: one interface in Area 51 and another interface in Area 0. One could say the demarcation line between the two areas is through the “middle” of the ABR. In IS-IS, it is the other way around: there is not a special ABR that sits between two areas. Routers stay in their assigned areas. One could say here that the demarcation line is through the middle on the link between the routers in two areas.

How can two routers ever exchange routing information if they are in two entirely separate areas? In OSPF, the Area-ID of the routers at each end of the link has to match, otherwise no adjacency will form between the two routers. An adjacency is a kind of promise that a pair of routers can mutually exchange traffic. More about adjacencies and how they are formed is found in Chapter 5.

In IS-IS, the Area-ID does not necessarily have to match for an adjacency to come up. The reason is that for every link that runs IS-IS, there is a little tag indicating the kind of topology level to which the link should belong. Each router in an IS-IS network builds two different topologies: the Level-1 topology and the Level-2 topology. Figure 4.7 shows this. Each link carries one of three possible tags: L1, L2 or L1L2, which tells the router in which topology level the link wishes to participate: Level-1, Level-2, or both.

Based on the level tags shown in Figure 4.7, the resulting topology is illustrated in Figure 4.8. There are links in the figure that have non-matching Area-IDs on both ends of the links (like the L2-only links between Areas 47, 11 and 12). However, Level-2 adjacencies are a bit kludgy by nature. All routers participating in the Level-1 topology do have to share their Area-IDs; otherwise no adjacencies will form up, just as in OSPF. But when a link is configured for Level-2, a matching Area-ID is not important as far as adjacency formation is concerned. An adjacency will form no matter if the Area-IDs match or not. For the IS-IS Level-2 backbone, the only constraint is that the Level-2 topology must be contiguous, and no Level-2 routers are isolated from any others.
FIGURE 4.6 OSPF vs IS-IS topological boundaries

4.3.1 IS-IS Routing Hierarchy Rule
Routers that share the same Area-IDs determine the Level-1 topology, and Routers that share a contiguous set of Level-2 circuits determine the Level-2 topology.

The interesting thing here is that a link can participate in both (Level-1 and Level-2) topologies. And having a (logical) extra link handy is useful and helps to avoid sub-optimal routing. Figure 4.9 shows how OSPF routes inter-area versus intra-area traffic. Consider traffic flowing between the two leaf-sites S (source) and D (destination). Traffic arrives at the ABR and OSPF has two routes available to route that traffic – one direct route (the intra-area) over two low-speed T1 circuits, and another route that leads over the backbone (the inter-area route), which has one T1 segment less and plenty of bandwidth available, as there is a Gigabit Ethernet segment in the path. But just like any other hierarchical routing protocol, OSPF prefers to get inter-area backbone traffic to intra-area routes as soon as possible. So ultimately the traffic takes the path indicated by the gray arrow.

FIGURE 4.7 The level information is configured on a per interface basis; three tags are possible per circuit – L1, L2 and L1L2

FIGURE 4.8 The resulting Level-1 and Level-2 topology based on Figure 4.7

Common practice to fix that problem in OSPF is to spend money to put another link between the two Area Border Routers as indicated by the thick black dotted line. This link is configured to run in Area 52 and produces a lot of new, low-cost paths to avoid the slower T1 hopping of traffic. In IS-IS the problem is solved similarly, except that you do not have to expense two Gigabit Ethernet router ports! Figure 4.10 shows how IS-IS avoids this expense by making the link between the routers that were OSPF Area Border Routers IS-IS L1L2 capable. Now, over the same physical circuit (the Gigabit Ethernet segment), IS-IS forms adjacencies on a per-level basis, and both Level-1 and Level-2 adjacencies form on the same link. Therefore, the Gigabit Ethernet link is an integral part of Area 52 and preferred when traffic travels from S to D.
4.3.2 Route Leaking Between Levels
Every routing protocol passes a certain amount of routing information up the routing hierarchy, and other routing information is passed down the routing hierarchy. There is a bi-directional flow of routing information known as route leaking. To better understand how IS-IS leaks routes between levels, first look at how OSPF passes routing information up and down. Figure 4.11 shows how OSPF leaks information between levels. For simplicity reasons, this example uses the default behaviour of how OSPF leaks routes. Of course, there are lots of other ways to leak OSPF routes between areas, such as Totally-Stubby-Areas, Stub-Areas and Not-So-Stubby-Areas (NSSA), but this is just an example.

FIGURE 4.9 The OSPF constraint that one interface can only be in one area can cause sub-optimal routing

FIGURE 4.11 OSPF short-circuits reachability information between all areas, which can be a scaling harm

In our example network, there are three areas interconnected by three OSPF Area Border Routers, and the backbone is OSPF Area 0. In OSPF, each ABR takes the routes it calculated from the non-zero areas and redistributes them automatically to the backbone. The gray arrow indicates this step. The backbone in turn redistributes all the routes it has learned from all of the areas and feeds back that information to each as well. Ultimately, each router gets all the routing information. This is one of the scaling issues of OSPF: the fact that each area sees all the routes. This has resulted in all the add-on OSPF concepts (Totally-Stubby-Areas, NSSA) to fix that behaviour.
IS-IS is very different in this respect. Similarly to OSPF, it leaks information from Level-1 to Level-2. However, IS-IS does not leak down any information from Level-2 to Level-1. Figure 4.12 shows how IS-IS deals with route distribution in a hierarchical routing environment. IS-IS sets a bit in its routing messages for the respective areas. This particular bit is called the Attach bit or, for short, the ATT bit. Any router that is part of the Level-2 topology (that is, the router has at least one adjacency on a Level-2 circuit in the “Up” state) must set the ATT bit on messages. The routers in the areas simply calculate their shortest path to the closest router that has sent messages with the ATT bit set and install a default 0/0 route in their routing/forwarding table pointing to the closest L1L2 router. This is exactly the behaviour of Totally-Stubby-Areas in OSPF, and no wonder, since both address the same issue. However, in IS-IS you can do a few things that cannot be achieved using Totally-Stubby-Areas in OSPF, like injecting external routing information into the cloud. Luckily, OSPF NSSAs fix that problem. So to quickly explain to those familiar with OSPF the way that IS-IS leaks its routing information, it is safe to say “Almost like NSSA!”. There will be more details on how exactly route leakage works in IS-IS, using a lot of examples and router configurations, in Chapter 12 “IP Reachability Information”.

FIGURE 4.12 IS-IS does not distribute all reachability information down to the Level-2. Routes just flow up and never down the hierarchy, which is a good scaling property

Assigning links arbitrarily to the two topologies proved to be a very flexible design tool that today no network designer would be without. It would seem, then, that addressing and address allocation is not an important aspect of an IS-IS network design, but do not be misled. A careful area design is what prepares an IS-IS network for all kinds of migration and expansion. The differences between area addressing and the routing hierarchy are at first a bit difficult to understand in IS-IS. However, there is also a lot of operational flexibility that results from this differentiation, particularly when it comes to migrating areas.
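The ATT-bit behaviour described in this section, as an added example that is not code from the book: each Level-1 router runs a shortest-path calculation, picks the closest router whose Level-2 adjacency state makes it set the ATT bit, and installs 0/0 towards it. The area topology, router names and link metrics are constructed for illustration.

```python
import heapq


def sets_att_bit(level2_adjacencies):
    """A router sets ATT when at least one Level-2 adjacency is Up."""
    return any(state == "Up" for state in level2_adjacencies)


def shortest_costs(graph, source):
    """Dijkstra over {router: {neighbour: metric}}; returns {router: cost}."""
    costs = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > costs.get(node, float("inf")):
            continue                      # stale heap entry
        for peer, metric in graph[node].items():
            new_cost = cost + metric
            if new_cost < costs.get(peer, float("inf")):
                costs[peer] = new_cost
                heapq.heappush(heap, (new_cost, peer))
    return costs


def default_route(graph, l2_state, router):
    """Default route a Level-1 router installs, or None if no router in the
    area currently sets the ATT bit.

    l2_state maps a router name to the states of its Level-2 adjacencies;
    routers that are absent have no Level-2 circuits.
    """
    costs = shortest_costs(graph, router)
    attached = sorted(
        (cost, name) for name, cost in costs.items()
        if name != router and sets_att_bit(l2_state.get(name, []))
    )
    if not attached:
        return None
    cost, exit_router = attached[0]
    return {"prefix": "0/0", "via": exit_router, "cost": cost}


# Constructed Level-1 area: R1-R3 are Level-1 routers, X and Y are L1L2.
AREA = {
    "R1": {"X": 10, "R2": 10},
    "R2": {"R1": 10, "R3": 5},
    "R3": {"R2": 5, "Y": 10},
    "X": {"R1": 10},
    "Y": {"R3": 10},
}
L2_UP = {"X": ["Up"], "Y": ["Up"]}
L2_X_DOWN = {"X": ["Down"], "Y": ["Up"]}    # X lost its only Level-2 adjacency
L2_ALL_DOWN = {"X": ["Down"], "Y": ["Down"]}

if __name__ == "__main__":
    for label, state in (("both up", L2_UP), ("X down", L2_X_DOWN),
                         ("all down", L2_ALL_DOWN)):
        for router in ("R1", "R2", "R3"):
            print(label, router, default_route(AREA, state, router))
```

When X loses its Level-2 adjacency it stops setting the ATT bit, and R1's default route moves to Y at a higher cost; with no attached router left, no default route is installed at all.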
4.4 Area Migration Scenarios
In contrast to OSPF, an IS-IS router can be in multiple areas at the same time. Having support for more than one area is mandatory to migrate area addresses. If a routing protocol has only support for one area at a time, then the change of area addresses becomes highly disruptive. Just think about the disruptive nature of migrating an OSPF area, which is a routing protocol that supports just one area address per adjacency. You cannot migrate an OSPF network’s area during normal business hours: you need to allocate a maintenance window for it.

IS-IS is friendlier to migrations in this respect. In the IS-IS Hello messages there is room enough to support more than one Area-ID. In each IS-IS message, the first 8 bytes are called the common header. Figure 4.13 shows the common header that is prepended to all IS-IS messages. The last byte in the common header is a pre-indicator of the maximum amount of Area-IDs the system is going to advertise. However, most IS-IS implementations (including IOS and JUNOS) do not support more than 3 areas in these messages (of course, the total number of areas in the network is another matter).

This is no real limitation in practice, as support for three areas for one router at the same time supports all the area migration scenarios of interest, which are:
• Merging two areas into a single area
• Splitting one area into two areas
• Renumbering two areas to a new area
How does IS-IS treat a pair of routers that have different Area-IDs? And how is adjacency formation affected by different Area-IDs? IS-IS does not require that the Area-ID matches before a Level-1 adjacency comes up – support for multiple Area-IDs has been mentioned already. So there is no single Area-ID that has to match. But first IS-IS collects the advertised Area-IDs from both sides of the link. Then IS-IS looks to see if there is an Area-ID in common. If there is at least one matching area address then the Level-1 adjacency goes into the Up state. Figure 4.14 shows four routers (A, B, C, D), and not all of them are in the same area. No problem! As long as there is at least a single pair of routers that is present in both areas (Router A and B), the adjacency between A and B goes into the Up state and the routes of all four routers get distributed and finally received by all the routers in the Level-1 network.
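The adjacency rules from Sections 4.3 and 4.4 (level tags per circuit, at least one common Area-ID for Level-1, no Area-ID check for Level-2) as an added example that is not code from the book. The C - A - B - D chain is an assumed layout for the four routers of Figure 4.14, and the renumbering check goes beyond the text by replaying a migration one router at a time to find the first change that splits the Level-1 topology.

```python
LEVELS = {"L1": {1}, "L2": {2}, "L1L2": {1, 2}}
MAX_AREA_ADDRESSES = 3  # per-router limit the text gives for IOS and JUNOS


def adjacency_levels(areas_a, tag_a, areas_b, tag_b):
    """Levels (1 and/or 2) on which two neighbours bring up an adjacency."""
    for areas in (areas_a, areas_b):
        if not 1 <= len(areas) <= MAX_AREA_ADDRESSES:
            raise ValueError("expected 1 to 3 Area-IDs per router")
    shared = LEVELS[tag_a] & LEVELS[tag_b]
    up = set()
    if 1 in shared and set(areas_a) & set(areas_b):
        up.add(1)          # Level-1 needs at least one Area-ID in common
    if 2 in shared:
        up.add(2)          # Level-2 ignores the Area-IDs
    return up


def level1_island(areas, links, start):
    """Routers reachable from `start` over Level-1 adjacencies only."""
    seen, todo = {start}, [start]
    while todo:
        here = todo.pop()
        for a, b, tag_a, tag_b in links:
            if here not in (a, b):
                continue
            peer = b if here == a else a
            if peer not in seen and 1 in adjacency_levels(
                    areas[a], tag_a, areas[b], tag_b):
                seen.add(peer)
                todo.append(peer)
    return seen


def first_disruptive_change(start_areas, changes, links, root):
    """Apply (router, new Area-ID set) changes in order and return the index
    of the first one that splits the Level-1 topology, or None."""
    areas = {router: set(ids) for router, ids in start_areas.items()}
    for index, (router, new_ids) in enumerate(changes):
        areas[router] = set(new_ids)
        if level1_island(areas, links, root) != set(areas):
            return index
    return None


# Assumed layout for Figure 4.14: C - A - B - D, every circuit tagged L1.
LINKS = [("C", "A", "L1", "L1"), ("A", "B", "L1", "L1"), ("B", "D", "L1", "L1")]

# The case the text describes: A and B are present in both areas.
FIG_4_14 = {"A": {"47", "11"}, "B": {"47", "11"}, "C": {"47"}, "D": {"11"}}
# Counter-case: no router advertises both Area-IDs.
NO_OVERLAP = {"A": {"47"}, "B": {"11"}, "C": {"47"}, "D": {"11"}}

# Renumbering area 47 to area 11 (constructed migration plans).
START = {router: {"47"} for router in "ABCD"}
ADD_THEN_REMOVE = ([(r, {"47", "11"}) for r in "ABCD"]
                   + [(r, {"11"}) for r in "ABCD"])
HARD_CUTOVER = [(r, {"11"}) for r in "ABCD"]

if __name__ == "__main__":
    print(sorted(level1_island(FIG_4_14, LINKS, "C")))
    print(sorted(level1_island(NO_OVERLAP, LINKS, "C")))
    print(first_disruptive_change(START, ADD_THEN_REMOVE, LINKS, "A"))
    print(first_disruptive_change(START, HARD_CUTOVER, LINKS, "A"))
```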
Figure 4.13 (IS-IS common header), eight fields of 1 byte each: Intra-domain Routing Protocol Discriminator (0x83); Header Length Indicator; Version/Protocol ID Extension (1); ID Length (6 (0)); PDU Type (with reserved bits R); PDU Version (1); Reserved (0); Maximum Area Addresses (3 (0))

FIGURE 4.14 In an IS-IS Level-1 network there can even be multiple area addresses as long as there is at least a pair of routers present in both areas