IS-IS

Configuring IS-IS

Intermediate-system-to-intermediate-system (IS-IS) is a link-state interior gateway protocol (IGP) which uses the Shortest Path First (SPF) algorithm to determine routes. Routing decisions are made using the link-state information. IS-IS evaluates topology changes and, if necessary, performs SPF recalculations.

Entities within IS-IS include networks, intermediate systems, and end systems. In IS-IS, a network is an autonomous system (AS), or routing domain, with end systems and intermediate systems. A router is an intermediate system. End systems are network devices which send and receive protocol data units (PDUs), the OSI term for packets. Intermediate systems send, receive, and forward PDUs.

End system and intermediate system protocols allow routers and nodes to identify each other. IS-IS sends out link-state updates periodically throughout the network, so each router can maintain current network topology information.

IS-IS supports large ASs by using a two-level hierarchy. A large AS can be administratively divided into smaller, more manageable areas. A system logically belongs to one area. Level 1 routing is performed within an area. Level 2 routing is performed between areas. The routers can be configured as level 1, level 2, or both level 1/2.

IS-IS routing domain displays an example of an IS-IS routing domain.

Figure 1. IS-IS routing domain

Routing

OSI IS-IS routing uses two-level hierarchical routing. A routing domain can be partitioned into areas. Level 1 routers know the topology in their area, including all routers and end systems in their area but do not know the identity of routers or destinations outside of their area. Level 1 routers forward traffic with destinations outside of their area to a level 2 router in their area.

Level 2 routers know the level 2 topology, and know which addresses are reachable by each level 2 router. Level 2 routers do not need to know the topology within any level 1 area, except to the extent that a level 2 router can also be a level 1 router within a single area. By default, only level 2 routers can exchange PDUs or routing information directly with external routers located outside the routing domain.

The two types of routers in IS-IS are described below.

  • Level 1 intermediate systems

    Routing is performed based on the area ID portion of the ISO address called the Network Entity Title (NET). Level 1 systems route within an area. They recognize, based on the destination address, whether the destination is within the area. If so, they route toward the destination. If not, they route to the nearest level 2 router.

  • Level 2 intermediate systems

    Routing is performed based on the area address. They route toward other areas, regardless of other area’s internal structure. A level 2 intermediate system can also be configured as a level 1 intermediate system in the same area.

The level 1 router’s area address portion is manually configured (see ISO network addressing). A level 1 router does not become a neighbor with a node that does not have a common area address. However, if a level 1 router has area addresses A, B, and C, and a neighbor has area addresses B and D, then the level 1 router accepts the other node as a neighbor, as address B is common to both routers. Level 2 adjacencies are formed with other level 2 nodes whose area addresses do not overlap. If the area addresses do not overlap, the link is considered by both routers to be level 2 only and only level 2 LSPDUs flow on the link.

Within an area, level 1 routers exchange LSPs which identify the IP addresses reachable by each router. Specifically, zero or more IP address, subnet mask, and metric combinations can be included in each LSP. Each level 1 router is manually configured with the IP address, subnet mask, and metric combinations, which are reachable on each interface. A level 1 router routes as follows:

  • if a specified destination address matches an IP address, subnet mask, or metric reachable within the area; the PDU is routed via level 1 routing

  • if a specified destination address does not match any IP address, subnet mask, or metric combinations listed as reachable within the area; the PDU is routed toward the nearest level 2 router

Level 2 routers include in their LSPs, a complete list of IP address, subnet mask, and metrics specifying all the IP addresses which reachable in their area. This information can be obtained from a combination of the level 1 LSPs (by level 1 routers in the same area). Level 2 routers can also report external reachability information, corresponding to addresses reachable by routers in other routing domains or autonomous systems.

IS-IS frequently used terms

  • Area

    An area is a routing sub-domain which maintains detailed routing information about its own internal composition, and also maintains routing information which allows it to reach other routing sub-domains. Areas correspond to the level 1 sub-domain.

  • End system

    End systems send NPDUs to other systems and receive NPDUs from other systems, but do not relay NPDUs. This International Standard does not specify any additional end system functions beyond those supplied by ISO 8473 and ISO 9542.

  • Neighbor

    A neighbor is an adjacent system reachable by traversing a single sub-network by a PDU.

  • Adjacency

    An adjacency is a portion of the local routing information which pertains to the reachability of a single neighboring end or intermediate system over a single circuit. Adjacencies are used as input to the decision process to form paths through the routing domain. A separate adjacency is created for each neighbor on a circuit and for each level of routing (level 1 and level 2) on a broadcast circuit.

  • Circuit

    The subset of the local routing information base pertinent to a single local Subnetwork Point of Attachments (SNPAs).

  • Link

    The communication path between two neighbors. A link is up when communication is possible between the two SNPAs.

  • Designated IS

    The intermediate system on a LAN which is designated to perform additional duties. In particular, the designated IS generates link-state PDUs on behalf of the LAN, treating the LAN as a pseudonode.

  • Pseudonode

    Where a broadcast sub-network has n connected intermediate systems, the broadcast sub-network itself is considered to be a pseudonode. The pseudonode has links to each of the n intermediate systems and each of the ISs has a single link to the pseudonode (instead of n-1 links to each of the other intermediate systems). Link-state PDUs are generated on behalf of the pseudonode by the designated IS.

  • Broadcast sub-network

    A multi-access subnetwork that supports the capability of addressing a group of attached systems with a single PDU.

  • General topology sub-network

    A topology that is modeled as a set of point-to-point links, each of which connects two systems. There are several generic types of general topology subnetworks, multipoint links, permanent point-to-point links, dynamic and static point-to-point links.

  • Routing sub-domain

    A routing sub-domain consists of a set of intermediate systems and end systems located within the same routing domain.

  • Level 2 sub-domain

    Level 2 sub-domain is the set of all level 2 intermediate systems in a routing domain.

ISO network addressing

IS-IS uses ISO network addresses. Each address identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP).

An end system can have multiple NSAP addresses, in which case the addresses differ only by the last byte (called the n selector). Each NSAP represents a service that is available at that node. In addition to having multiple services, a single node can belong to multiple areas.

Each network entity has a special network address called a Network Entity Title (NET). Structurally, a NET is identical to an NSAP address but has an n-selector of 00. Most end systems have one NET. Intermediate systems can have up to three area IDs (area addresses).

NSAP addresses are divided into three parts. Only the area ID portion is configurable.

  • Area ID

    A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID

    A six-byte system identification. This value is not configurable. The system ID is derived from the system or router ID.

  • Selector ID

    A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

Of the total 20 bytes comprising the NET, only the first 13 bytes, the area ID portion, can be manually configured. As few as one byte can be entered or, at most, 13 bytes. If less than 13 bytes are entered, the rest is padded with zeros.

Routers with common area addresses form level 1 adjacencies. Routers with no common NET addresses form level 2 adjacencies, if they are capable (Using area addresses to form adjacencies).

Figure 2. Using area addresses to form adjacencies

IS-IS PDU configuration

The following PDUs are used by IS-IS to exchange protocol information:

  • IS-IS hello PDU

    Routers with IS-IS enabled send hello PDUs to IS-IS-enabled interfaces to discover neighbors and establish adjacencies.

  • Link-state PDUs

    Contain information about the state of adjacencies to neighboring IS-IS systems. LSPs are flooded periodically throughout an area.

  • Complete sequence number PDUs

    In order for all routers to maintain the same information, CSNPs inform other routers that some LSPs can be outdated or missing from their database. CSNPs contain a complete list of all LSPs in the current IS-IS database.

  • Partial sequence number PDUs (PSNPs)

    PSNPs are used to request missing LSPs and acknowledge that an LSP was received.

IS-IS operations

The routers perform IS-IS routing as follows.
  1. Hello PDUs are sent to the IS-IS-enabled interfaces to discover neighbors and establish adjacencies.

  2. IS-IS neighbor relationships are formed if the hello PDUs contain information that meets the criteria for forming an adjacency.

  3. The routers can build a link-state PDU based upon their local interfaces that are configured for IS-IS and prefixes learned from other adjacent routers.

  4. The routers flood LSPs to the adjacent neighbors except the neighbor from which they received the same LSP. The link-state database is constructed from these LSPs.

  5. A Shortest Path Tree (SPT) is calculated by each IS, and from this SPT the routing table is built.

IS-IS route summarization

IS-IS route summarization allows users to create aggregate IPv4 or IPv6 addresses that include multiple groups of IPv4 or IPv6 addresses for a specific IS-IS level. IPv4 and IPv6 routes redistributed from other routing protocols can also be summarized, similar to OSPF configuration using the area-range command. IS-IS IPv4 and IPv6 route summarization helps to reduce the size of the Link-State Database (LSDB) and the IPv4 or IPv6 routing table, and reduces the chance of route flapping.

IS-IS route summarization supports:

  • level 1, level 1-2, and level 2

  • route summarization for the IPv4 or IPv6 routes redistributed from other protocols

  • the smallest metric used to advertise summary addresses of all the more specific IPv4 or IPv6 routes

  • IS-IS IPv6 route summarization algorithm and SRv6 locator awareness

  • full Multitopology Intermediate System to Intermediate System (MT-ISIS) MT0 and MT2 support:

    • The MT0 summary summarizes the MT0 routes and advertises them as an MT0 route.
    • The MT2 summary summarizes the MT2 routes and advertises them as an MT2 route.
  • IS-IS Unreachable Prefix Announcement (UPA), as defined in draft-ietf-lsr-igp-ureach-prefix-announce-01, to assist BGP FRR for SRv6.

IS-IS UPA

Organizing networks into levels, areas, or IGP domains serves to confine link-state information within specific boundaries. However, the dissemination of state information related to prefix reachability often necessitates propagation across these areas (level 1 and level 2) or domains (through an Autonomous System Boundary Router [ASBR]).

An ASBR, running multiple protocols, acts as a gateway to routers outside the IS-IS domain and those operating with different protocols. The introduction of SRv6 rekindles the significance of summarization and necessitates improved visibility for fast convergence in the reachability of summary member prefixes. However, summarization involves suppressing the individual prefix state, crucial for triggering fast-convergence mechanisms outside the Interior Gateway Routing Protocols (IGPs), such as the Border Gateway Protocol Fast Reroute (FRR) feature.

The UPA technology facilitates the notification of individual prefixes that become unreachable in their area or domain when summarization is employed between areas or domains to advertise reachability. UPA technology allows existing SRv6 deployments that use summarization to react faster after network failures. SRv6 deployments require prompt detection of an unreachable egress router failure. The prompt failure detection can be achieved through UPAs so that BGP SRv6 triggers the SRv6 data plane to switch to the backup path. The MT-ISIS instance on the Area Boundary Router (ABR) monitors and detects events where a summarized member prefix suddenly disappears, leading it to originate a corresponding UPA for a configurable short duration. Simultaneously, the BGP SRv6 component can leverage UPA as a trigger for FRR.

UPA is defined by draft-ietf-lsr-igp-ureach-prefix-announce-01. At a high level, a UPA is a regular IS‑IS prefix advertised with an exceptionally high metric. In MT-ISIS, a prefix can be advertised with a metric higher than 0xFE000000.

Note: Additionally, for further identification purposes, the Unreachable Prefix Flag (U-Flag) and Unreachable Planned Prefix Flags (UP-Flags) in the IPv4/IPv6 Extended Reachability Attribute Flags, as defined in RFC 7794, exist. These flags are not supported by Nokia, but can be displayed in the LSDB and leaked along the UPA prefix between IS-IS levels and MT-ISIS instances.

The following behavior along a UPA applies:

  • The IS-IS support for UPA is for algorithm 0 and flexible algorithm 0 to 255 prefixes advertised in an ABR base routing instance IP Reachability TLV and the SRv6 Locator TLV (in either MT-ISIS MT0 or MT-ISIS MT2).
  • The IS-IS algorithm 0 can be used to detect sudden unreachability of the BGP NLRI next-hop address. A received UPA cannot be used to trigger FRR when suddenly an SRv6 locator becomes unreachable.
  • UPAs originated on an ABR must have originally been member prefixes of a configured summary prefix.
  • Originated UPAs can be host route prefixes (/32 for IPv4 or /128 for IPv6) or a shorter prefix.
  • Use the following IS-IS configuration commands to control IS-IS UPAs.
configure router isis summary-address advertise-unreachable match-route-tag
configure router isis summary-address advertise-unreachable advertise-route-tag
configure router isis prefix-unreachable maximum-number-upas
configure router isis prefix-unreachable process-received-upa
configure router isis prefix-unreachable upa-lifetime
configure router isis prefix-unreachable upa-metric
  • Consider the following for the IS-IS configuration commands to control IS-IS UPAs:
    • For backward compatibility, use the process-received-upa command to insert received UPAs into the local UPA routing table, where all unreachable routes are stored.
    • A UPA configurable metric using the max-metric range exists using the upa-metric command.
    • Support with match-route-tag is provided to use route tags on received prefixes to distinguish monitored summary member prefixes, which can trigger a UPA.
    • The origin of an IS-IS UPA is limited to a brief duration, within the range of the upa-lifetime command.
    • Use the advertise-route-tag command to filter UPAs when there are multiple ABRs to contain UPAs to an area, and to avoid IGP routing instability.
    • ABRs have a configurable maximum limit for the number of UPAs a router can originate within the range of the maximum-number-upas command.
    • UPA flags are not supported; however:
      • IS-IS will interpret and display the flags in the LSDB.
      • Additionally, IS-IS will redistribute these flags in an ABR from level 1 to level 2 by default. Through a configured policy these flags can also be leaked from level 2 to level 1 or between base MT-ISIS instances.
  • IS-IS can leak UPAs between base MT-ISIS levels and between base MT-ISIS instances.
  • ABRs can filter UPAs while leaking by using route tags and existing export policies, and policy filtering commands apply to UPA prefixes.
  • While leaking UPAs between MT-ISIS levels or instances, the metric of a UPA is irrelevant and remains unchanged when leaked.
  • BGP listens to the UPA routing table to trigger BGP next-hop resolution, but no UPA is exported through an export policy from the MT-ISIS UPA routing table to BGP.
  • BGP conditional expression logic applied toward MT-ISIS prefixes for BGP export are not supported. The conditional expression logic only looks at normal RTM prefixes and not UPA RTM prefixes.

Partial SPF calculation

IS-IS supports partial SPF calculation, also referred to as partial route calculation. When an event does not change the topology of the network, IS-IS is not perform full SPF but instead performs an IP reach calculation for the impacted routes. Partial SPF is performed at the receipt of IS-IS LSPs with changes to IP reach TLVs and in general, for any IS-IS LSP TLV and sub-TLV change that does not impact the network topology.

IS-IS multitopology support

Multitopology IS-IS (MT-ISIS) support within SR OS allows for the creation of different topologies within IS-IS that contribute routes to specific route tables for IPv4 unicast, IPv6 unicast, IPv4 multicast, and IPv6 multicast. This capability allows for non-congruent topologies between these different routing tables. As a result, networks are able to control which links or nodes are to be used for forwarding different types of traffic.

For example, MT-ISIS could allow all links to carry IPv4 traffic, while only a subset of links can also carry IPv6 traffic.

SR OS supports the following multitopologies:

  • IPv4 Unicast – MT-ID 0

  • IPv6 Unicast – MT-ID 2

  • IPv4 Multicast – MT-ID 3

  • IPv6 Multicast – MT-ID 4

Native IPv6 support

IS-IS IPv6 TLVs for IPV6 routing is supported in SR OS. This support is considered native IPv6 routing within IS-IS. However, it has limitations in that IPv4 and IPv6 topologies must be congruent, otherwise traffic may be blackholed. Service providers should ensure that the IPv4 topology and IPv6 topologies are the same if native IPv6 routing is used within IS-IS.

IS-IS administrative tags

IS-IS administrative tags enable a network administrator to configure route tags to tag IS-IS route prefixes. These tags can subsequently be used to control IS-IS route redistribution or route leaking.

IS-IS route tagging can be applied to IP addresses of an interface and to administrative policies with a route map. A network administrator can tag a summary route and then use a route policy to match the tag with one or more attributes for the route.

Using these administrative policies, the operator can control how a router handles route exchanges with its IS-IS neighboring routers. Administrative policies are also used to govern the installation of routes in the routing table.

Route tags allow policies to do the following:

  • redistribute routes received from other protocols in the routing table to IS-IS

  • redistribute routes or SRv6 locators between levels in an IS-IS routing hierarchy

  • summarize routes redistributed into IS-IS or within IS-IS by creating aggregate (summary) addresses

Setting route tags

IS-IS route tags are configurable in the following ways:

  • for an IS-IS interface

  • on an IS-IS passive interface

  • for a route redistributed from another protocol to IS-IS

  • for a route redistributed from one IS-IS level to another IS-IS level

  • for an IS-IS default route

  • for an IS-IS summary address or SRv6 locator

Using route tags

The configured setting of the IS-IS administrative tags on this or on a neighboring IS-IS router only takes effect if policies are configured to instruct how to process the specified tag value.

Policies configured in the following contexts can process tags where IS-IS is the origin, destination, or both origin and destination protocol:
  • MD-CLI
    configure policy-options policy-statement entry from
    configure policy-options policy-statement entry action tag
    configure policy-options policy-statement default-action tag
  • classic CLI
    Note: To configure policy-statements, use the begin command to enter the edit mode and use the commit command to save your changes.
    configure router policy-options policy-statement entry from
    configure router policy-options policy-statement entry action tag
    configure router policy-options policy-statement default-action tag

Unnumbered interface support

IS-IS supports unnumbered point-to-point interface with both Ethernet and PPP encapsulations.

Unnumbered interfaces borrow the address from other interfaces such as system or loopback interfaces and uses it as the source IP address for packets originated from the interface. This feature supports both dynamic and static ARP for unnumbered interfaces to allow interworking with unnumbered interfaces that may not support dynamic ARP.

An unnumbered interface is an IPv4 capability only used in cases where IPv4 is active (IPv4-only and mixed IPv4/IPv6 environments). When configuring an unnumbered interface, the interface specified for the unnumbered interface (system or other) must have an IPv4 address. Also, the interface type for the unnumbered interface automatically is point-to-point. The unnumbered option can be used in IES and VPRN access interfaces, as well as in a network interface with MPLS support.

Multihomed prefix LFA extensions in IS-IS

Feature configuration

Use the following command to configure the Multihomed Prefix (MHP) LFA feature for IP FRR for IS-IS routes, SR-ISIS tunnel, and SRv6-ISIS tunnel FRR:

  • MD-CLI
    configure router isis loopfree-alternate multi-homed-prefix preference
  • classic CLI
    configure router isis loopfree-alternates multi-homed-prefix preference

When applied to IP prefixes, IP FRR must also be enabled. Use the following command to allow the programming of the backup paths in the FIB:

  • MD-CLI
    configure routing-options ip-fast-reroute
  • classic CLI
    configure router ip-fast-reroute

This feature uses the multihomed prefix model described in RFC 8518 to compute a backup IP next hop via an alternate ABR or ASBR for external prefixes and to an alternate router owner for local anycast prefixes. Without this feature, the backup path is computed to the ASBR, ABR, or router owner, which is the best path for the prefix.

This feature further enhances the multihomed prefix backup path calculation beyond RFC 8518 with the addition of repair tunnels that make use of a PQ node or a P-Q set to reach the alternate exit ABR or ASBR of external prefixes or the alternate owner router of intra-area anycast prefixes.

The base LFA algorithm is applied to all intra-area and external prefixes of IP routes (IP FRR), of SR-ISIS node SID tunnels (SR-ISIS FRR), and to SRv6-ISIS remote locator tunnels (SRv6-ISIS FRR), as usual. Then the MHP LFA is applied to improve the protection coverage for external prefixes and anycast prefixes. For external /32 IPv4 prefixes and /128 IPv6 prefixes and for intra-area /32 IPv4 and /128 IPv6 prefixes with multiple owner routers (anycast prefixes), the base LFA backup path, if found, is preferred over the MHP LFA backup path in the default behavior with the preference command set to a value of none. The user can force the programming of the MHP LFA backup path by setting preference command value to all.

After the IP next-hop based MHP LFA is enabled, the extensions to MHP LFA to compute an SR-TE repair tunnel for an SR-ISIS or SRv6-ISIS tunnel are automatically enabled when the following CLI command is configured to enable Topology-Independent Loop-Free Alternate (TI-LFA) or Remote Loop-Free Alternate (RLFA). The computation reuses the SID list of the primary path or the TI-LFA or RLFA backup path of the alternate ABR, ASBR, or alternate owner router.

  • MD-CLI
    configure router isis loopfree-alternate remote-lfa
    configure router isis loopfree-alternate ti-lfa
  • classic CLI
    configure router isis loopfree-alternates remote-lfa
    configure router isis loopfree-alternates ti-lfa

TI-LFA, base LFA, and RLFA (if enabled) are applied to the SR-ISIS node SID tunnels of all intra-area and external /32 IPv4 and /128 IPv6 prefixes as usual, and to all SRv6-ISIS locator tunnels of intra-area and external prefixes of any size.

For node SID SR-ISIS tunnels of external /32 IPv4 and /128 IPv6 prefixes or intra-area /32 IPv4 and /128 IPv6 anycast prefixes, the LFA, TI-LFA, or RLFA backup path is preferred over the MHP LFA backup path in the default behavior with the preference command set to a value of none. The user can force the programming of the MHP LFA backup by setting the preference command value to all. Finally, the same preference rule also applies to SRv6-ISIS remote locator tunnels of external prefixes and intra-area prefixes with multiple router owners.

The MHP LFA backup path protects SR-ISIS tunnels and SRv6-ISIS locator tunnels in both algorithm 0 and flexible-algorithm numbers. Therefore, it also extends the protection to any SR-TE LSP, SR-MPLS policy, or SRv6 policy that uses an SR-ISIS SID or an SRv6-ISIS SID of those same prefixes in its configured or computed SID list.

Feature applicability

The multi-homed-prefix command enables the feature, but its applicability depends on the LFA flavor enabled in the IS-IS instance. The following scenarios are possible:

  • Scenario 1
    • MD-CLI

      The loopfree-alternate and multi-homed-prefix commands are enabled.

    • classic CLI

      The loopfree-alternates and multi-homed-prefix commands are enabled.

    The IP next-hop based MHP LFA feature enhances base LFA only; it applies to IP FRR (when the ip-fast-reroute command is also enabled) and to SR-ISIS tunnels and SRv6-ISIS tunnels.

  • Scenario 2
    • MD-CLI

      The loopfree-alternate remote-lfa and loopfree-alternate ti-lfa commands are enabled, or both commands and the multi-homed-prefix command is enabled.

    • classic CLI

      The loopfree-alternates remote-lfa and loopfree-alternates ti-lfa commands are enabled, or both commands and the multi-homed-prefix command is enabled.

    The enabling of RLFA, TI-LFA, or both on top of the MHP LFA automatically enables the SR OS specific enhancements to RFC 8518 that compute a repair tunnel to the alternate exit ABR or ASBR of external prefixes or to the alternate owner router for intra-area anycast prefixes. This enhancement improves coverage because it computes a SR-TE or SRv6 backup repair tunnel to an alternate ASBR. This forces the packet to go to the alternate ASBR because the RFC 8518 MHP LFA may not find a loop-free path to this alternate ASBR.

FIB prioritization

The RIB processing of specific routes can be prioritized through the use of the rib-priority command. This command allows specific routes to be prioritized through the protocol processing so that updates are propagated to the FIB as quickly as possible.

The rib-priority command is configured within the global IS-IS routing context, and the administrator has the option to either specify a prefix list or an IS-IS tag value. If a prefix list is specified, route prefixes matching any of the prefix list criteria is considered high priority. If instead an IS-IS tag value is specified, any IS-IS route with that tag value is considered high priority.

Routes designated as high priority are the first routes processed and passed to the FIB update process so that the forwarding engine can be updated. All known high priority routes should be processed before the IS-IS routing protocol moves on to other standard priority routes. This feature has the most impact when a large number of routes are learned through the IS-IS routing protocols.

IS-IS graceful restart helper

IS-IS supports the graceful restart helper function which provides an IS-IS neighbor a grace period during a control plane restart to minimize service disruption. When the control plane of a GR-capable router fails or restarts, the neighboring routers supporting the graceful restart helper mode (GR helpers) temporarily preserve IS-IS forwarding information. Traffic continues to be forwarded to the restarting router using the last known forwarding tables. If the control plane of the restarting router comes back up within the grace period, the restarting router resumes normal IS-IS operation. If the grace period expires, then the restarting router is presumed inactive and the IS-IS topology is recalculated to route traffic around the failure.

BFD interaction with graceful restart

If the SR OS router is providing a grace period to an adjacent neighbor and the BFD session associated with that neighbor fails, the behavior is determined by the C-bit values sent by each neighbor.

  • If both BFD end-points have set their C-bit value, then the graceful restart helper mode is canceled and any routes from that neighbor that are marked as stale are removed from the forwarding table.

  • If either of the BFD end-points has not set their C-bit value, then the graceful restart helper mode continues.

Configuration notes

This section describes IS-IS configuration restrictions.

General

  • IS-IS must be enabled on each participating router.

  • There are no default network entity titles.

  • There are no default interfaces.

  • By default, the routers are assigned a level 1/level 2 level capability.

Configuring IS-IS with CLI

This section provides information to configure IS-IS using the command line interface.

IS-IS configuration overview

Router levels

The router’s level capability can be configured globally and on a per-interface basis. The interface-level command options specify the interface’s routing level. The neighbor capability and command options define the adjacencies that are established.

IS-IS is not enabled by default. When IS-IS is enabled, the global default level capability is level 1/2 which enables the router to operate as either a level 1, a level 2 router with the associated databases, or both. The router runs separate shortest path first (SPF) calculations for the level 1 area routing and for the level 2 multi-area routing to create the IS-IS routing table.

The level value can be modified on both or either of the global and interface levels to be only level 1-capable, only level 2-capable or level 1 and level 2-capable.

If the default value is not modified on any routers in the area, then the routers try to form both level 1 and level 2 adjacencies on all IS-IS interfaces. If the default values are modified to level 1 or level 2, then the number of adjacencies formed are limited to that level only.

Configuring area address attributes

The area ID, also called an area address, specifies the area address portion of the NET which is used to define the IS-IS area to which the router belongs. At least one area ID should be configured on each router participating in IS-IS. You can configure a maximum of three area IDs per router.

Use the following command to configure the area ID:
  • MD-CLI
    configure router isis area-address
  • classic CLI
    configure router isis area-id

The area address identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). The routers in an area manage routing tables about destinations within the area. The Network Entity Title (NET) value is used to identify the IS-IS area to which the router belongs.

NSAP addresses are divided into three parts. Only the Area ID portion is configurable.

  1. Set the area ID.

    A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  2. Set the system ID.

    A six-byte system identification. This value is not configurable. The system ID is derived from the system or router ID.

  3. Set the selector ID.

    A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

    The following example displays ISO addresses in IS-IS address format:

    MAC address 00:a5:c7:6b:c4:9049.0011.00a5.c76b.c490.00 IP address: 218.112.14.5 49.0011.2181.1201.4005.00

Interface level capacity

The level capability value configured on the interface level is compared to the level capability value configured on the global level to determine the type of adjacencies that can be established. The default level capability for routers and interfaces is level 1/2.

Potential adjacency displays configuration combinations and the potential adjacencies that can be formed.

Table 1. Potential adjacency
Global level Interface level Potential adjacency

L 1/2

L 1/2

Level 1 and/or Level 2

L 1/2

L 1

Level 1 only

L 1/2

L 2

Level 2 only

L 2

L 1/2

Level 2 only

L 2

L 2

Level 2 only

L 2

L 1

L 1

L 1/2

Level 1 only

L 1

L 2

L 1

L 1

Level 1 only

Route leaking

Nokia’s implementation of IS-IS route leaking is performed in compliance with RFC 2966, Domain-wide Prefix Distribution with Two-Level IS-IS. As previously stated, IS-IS is a routing domain (an autonomous system running IS-IS) which can be divided into level 1 areas with a level 2-connected subset (backbone) of the topology that interconnects all of the level 1 areas. Within each level 1 area, the routers exchange link state information. Level 2 routers also exchange level 2 link state information to compute routes between areas.

Routers in a level 1 area typically only exchange information within the level 1 area. For IP destinations not found in the prefixes in the level 1 database, the level 1 router forwards PDUs to the nearest router that is in both level 1/level 2 with the attached bit set in its level 1 link-state PDU.

There are many reasons to implement domain-wide prefix distribution. The goal of domain-wide prefix distribution is to increase the granularity of the routing information within the domain. The routing mechanisms specified in RFC 1195 are appropriate in many situations and account for excellent scalability properties. However, in specific circumstances, the amount of scalability can be adjusted which can distribute more specific information than described by RFC 1195.

Distributing more prefix information can improve the quality of the resulting routes. A well-known property of default routing is that loss of information can occur. This loss of information affects the computation of a route based upon less information which can result in sub-optimal routes.

Basic IS-IS configuration

For IS-IS to operate on the routers, IS-IS must be explicitly enabled, and at least one area address and interface must be configured. If IS-IS is enabled but no area address or interface is defined, the protocol is enabled but no routes are exchanged. When at least one area address and interface are configured, then adjacencies can be formed and routes exchanged.

To configure IS-IS, perform the following steps.
  1. Enable IS-IS (specifying the instance ID of multi-instance IS-IS is to be enabled).

  2. Modify the level capability, if necessary, on the global level (default is level-1/2).

  3. Define area addresses.

  4. Configure IS-IS interfaces.

The following example displays IS-IS default values.

MD-CLI

[ex:/configure router "Base" isis 0]
A:admin@node-2# info detail
 ## apply-groups
 ## apply-groups-exclude
    admin-state enable
 ## authentication-keychain
 ## authentication-key
 ## authentication-type
    csnp-authentication true
    psnp-authentication true
    advertise-passive-only false
 ## advertise-router-capability
    advertise-tunnel-link false
    all-l1isis 01:80:c2:00:00:14
    all-l2isis 01:80:c2:00:00:15
    authentication-check true
 ## default-route-tag
    ldp-sync true
    hello-authentication true
    ignore-attached-bit false
    ignore-lsp-errors false
    ignore-narrow-metric false
    iid-tlv false
    ipv4-multicast-routing native
    ipv4-routing true
    ipv6-multicast-routing native
    ipv6-routing false
 ## hello-padding
    ldp-over-rsvp false
    level-capability 1/2
    lsp-lifetime 1200
 ## lsp-minimum-remaining-lifetime
    lsp-mtu-size 1492
    mru-mismatch-detection false
    overload-export-interlevel false
    overload-export-external false
    overload-include-locators false
    poi-tlv false
    prefix-attributes-tlv false
 ## reference-bandwidth
 ## router-id
    standard-multi-instance false
    strict-adjacency-check false
    suppress-attached-bit false
    system-id 0000.0000.0000
    traffic-engineering false
 ## export-policy
 ## import-policy
 ## area-address
 ## export-limit
 ## graceful-restart
    entropy-label {
        override-tunnel-elc false
    }
 ## multi-topology
    multicast-import {
        ipv4 false
        ipv6 false
    }
 ## overload
 ## overload-on-boot
 ## overload-fib-error-notify-only
 ## prefix-limit
    lsp-refresh {
        interval 600
        half-lifetime true
    }
    rib-priority {
        high {
         ## prefix-list
         ## tag
        }
    }
    timers {
        spf-wait {
            spf-max-wait 10000
            spf-initial-wait 1000
            spf-second-wait 1000
        }
        lsp-wait {
            lsp-max-wait 5000
            lsp-initial-wait 10
            lsp-second-wait 1000
        }
    }
    unicast-import {
        ipv4 true
        ipv6 true
    }
 ## loopfree-alternate
 ## database-export
    flexible-algorithms {
        admin-state disable
        advertise-admin-group prefer-ag
     ## flex-algo
    }
    prefix-unreachable {
        maximum-number-upas 32
        process-received-upa false
        upa-lifetime 180
        upa-metric 4261412865
    }
    traffic-engineering-options {
        advertise-delay false
        ipv6 false
     ## application-link-attributes
    }
    segment-routing {
     ## apply-groups
     ## apply-groups-exclude
        admin-state disable
        adj-sid-hold 15
        class-forwarding false
        entropy-label true
     ## export-tunnel-table
     ## srlb
     ## tunnel-mtu
        tunnel-table-pref 11
        adjacency-sid {
            allocate-dual-sids false
        }
     ## micro-loop-avoidance
        multi-topology {
            mt2 false
        }
     ## prefix-sid-range
        maximum-sid-depth {
         ## override-bmi
         ## override-erld
        }
     ## adjacency-set
        egress-statistics {
            adj-set false
            adj-sid false
            node-sid false
        }
        ingress-statistics {
            adj-set false
            adj-sid false
            node-sid false
        }
        mapping-server {
            admin-state disable
         ## node-sid-map
        }
    }
    segment-routing-v6 {
     ## apply-groups
     ## apply-groups-exclude
        admin-state disable
        adj-sid-hold 15
     ## locator
     ## micro-segment-locator
    }
    igp-shortcut {
     ## apply-groups
     ## apply-groups-exclude
        admin-state disable
        allow-sr-over-srte false
        tunnel-next-hop {
            family ipv4 {
             ## apply-groups
             ## apply-groups-exclude
                resolution none
                resolution-filter {
                    rsvp false
                    sr-te false
                }
            }
            family ipv6 {
             ## apply-groups
             ## apply-groups-exclude
                resolution none
                resolution-filter {
                    rsvp false
                    sr-te false
                }
            }
            family srv4 {
             ## apply-groups
             ## apply-groups-exclude
                resolution none
                resolution-filter {
                    rsvp false
                    sr-te false
                }
            }
            family srv6 {
             ## apply-groups
             ## apply-groups-exclude
                resolution none
                resolution-filter {
                    rsvp false
                    sr-te false
                }
            }
        }
    }
 ## interface
    level 1 {
     ## apply-groups
     ## apply-groups-exclude
     ## authentication-keychain
     ## authentication-key
     ## authentication-type
        csnp-authentication true
        psnp-authentication true
        advertise-router-capability true
        database-export-exclude false
        default-ipv4-multicast-metric 10
        default-ipv6-multicast-metric 10
        default-ipv6-unicast-metric 10
        default-metric 10
        external-preference 160
        hello-authentication true
     ## hello-padding
        loopfree-alternate-exclude false
        lsp-mtu-size 1492
        preference 15
        wide-metrics-only false
        bier {
            admin-state disable
         ## template
        }
    }
    level 2 {
     ## apply-groups
     ## apply-groups-exclude
     ## authentication-keychain
     ## authentication-key
     ## authentication-type
        csnp-authentication true
        psnp-authentication true
        advertise-router-capability true
        database-export-exclude false
        default-ipv4-multicast-metric 10
        default-ipv6-multicast-metric 10
        default-ipv6-unicast-metric 10
        default-metric 10
        external-preference 165
        hello-authentication true
     ## hello-padding
        loopfree-alternate-exclude false
        lsp-mtu-size 1492
        preference 18
        wide-metrics-only false
        bier {
            admin-state disable
         ## template
        }
    }
 ## link-group
    summary-address 192.1.1.1/32 {
     ## apply-groups
     ## apply-groups-exclude
        level-capability 1/2
     ## route-tag
     ## algorithm
     ## advertise-unreachable
    }

classic CLI

A:node-2>config>router>isis# info detail
----------------------------------------------
            no system-id
            no router-id
            level-capability level-1/2
            no standard-multi-instance
            no graceful-restart
            no auth-keychain
            no authentication-key
            no authentication-type
            authentication-check
            csnp-authentication
            no ignore-lsp-errors
            no ignore-narrow-metric
            lsp-lifetime 1200
            no lsp-minimum-remaining-lifetime
            lsp-mtu-size 1492
            lsp-refresh-interval 600 half-lifetime enable
            no mru-mismatch-detection
            no database-export
            no export-limit
            no overload
            no overload-on-boot
            no overload-export-external
            no overload-export-interlevel
            no overload-include-locators
            no overload-fib-error-notify-only
            no export
            no import
            hello-authentication
            psnp-authentication
            no traffic-engineering
            traffic-engineering-options
                no advertise-delay
                no ipv6
                no application-link-attributes
            exit
            no reference-bandwidth
            no default-route-tag
            no disable-ldp-sync
            no advertise-passive-only
            no advertise-router-capability
            no hello-padding
            no ldp-over-rsvp
            no advertise-tunnel-link
            no ignore-attached-bit
            no suppress-attached-bit
            no iid-tlv-enable
            no poi-tlv-enable
            no prefix-attributes-tlv
            no prefix-limit
            no loopfree-alternates
            no rib-priority high
            ipv4-routing
            no ipv6-routing
            ipv4-multicast-routing native
            ipv6-multicast-routing native
            no multi-topology
            no unicast-import-disable both
            no multicast-import both
            no strict-adjacency-check
            summary-address 192.1.1.1/32 level-1/2
            entropy-label
                no override-tunnel-elc
            exit
            flexible-algorithms
                shutdown
                advertise-admin-group prefer-ag
            exit
            igp-shortcut
                shutdown
                no allow-sr-over-srte
                tunnel-next-hop
                    family ipv4
                        resolution disabled
                        resolution-filter
                            no rsvp
                            no sr-te
                        exit
                    exit
                    family ipv6
                        resolution disabled
                        resolution-filter
                            no rsvp
                            no sr-te
                        exit
                    exit
                    family srv4
                        resolution disabled
                        resolution-filter
                            no rsvp
                            no sr-te
                        exit
                    exit
                    family srv6
                        resolution disabled
                        resolution-filter
                            no rsvp
                            no sr-te
                        exit
                    exit
                exit
            exit
            prefix-unreachable
                maximum-number-upas 32
                no process-received-upa
                upa-lifetime 180
                upa-metric 4261412865
            exit
            timers
                lsp-wait 5000 lsp-initial-wait 10 lsp-second-wait 1000
                spf-wait 10000 spf-initial-wait 1000 spf-second-wait 1000
            exit
            level 1
                advertise-router-capability
                no hello-padding
                no lsp-mtu-size
                no auth-keychain
                no authentication-key
                no authentication-type
                csnp-authentication
                no database-export-exclude
                external-preference 160
                hello-authentication
                no loopfree-alternate-exclude
                preference 15
                psnp-authentication
                no wide-metrics-only
                default-metric 10
                default-ipv4-multicast-metric 10
                default-ipv6-unicast-metric 10
                default-ipv6-multicast-metric 10
                bier
                    shutdown
                exit
            exit
            level 2
                advertise-router-capability
                no hello-padding
                no lsp-mtu-size
                no auth-keychain
                no authentication-key
                no authentication-type
                csnp-authentication
                no database-export-exclude
                external-preference 165
                hello-authentication
                no loopfree-alternate-exclude
                preference 18
                psnp-authentication
                no wide-metrics-only
                default-metric 10
                default-ipv4-multicast-metric 10
                default-ipv6-unicast-metric 10
                default-ipv6-multicast-metric 10
                bier
                    shutdown
                exit
            exit
            segment-routing
                shutdown
                adj-sid-hold 15
                no class-forwarding
                entropy-label enable
                no export-tunnel-table
                no micro-loop-avoidance
                no multi-topology
                no prefix-sid-range
                no srlb
                tunnel-table-pref 11
                no tunnel-mtu
                adjacency-sid
                    no allocate-dual-sids
                exit
                egress-statistics
                    no adj-set
                    no adj-sid
                    no node-sid
                exit
                ingress-statistics
                    no adj-set
                    no adj-sid
                    no node-sid
                exit
                mapping-server
                    shutdown
                exit
                maximum-sid-depth
                    no override-bmi
                    no override-erld
                exit
            exit
            segment-routing-v6
                shutdown
                adj-sid-hold 15
            exit
            no shutdown
----------------------------------------------

Common configuration tasks

To implement IS-IS in your network, you must enable IS-IS on each participating router.

To assign different level to the routers and organize your network into areas, modify the level capability defaults on end systems from level 1/2 to level 1. Routers communicating to other areas can retain the level 1/2 default.

On each router, at least one area ID also called the area address should be configured as well as at least one IS-IS interface.
  1. Enable IS-IS.

  2. Configure global IS-IS command options (configure area addresses).

  3. Configure IS-IS interface-specific command options.

Configuring IS-IS components

Use the CLI commands displayed in the following subsections to configure IS-IS components.

Enabling IS-IS

IS-IS is disabled by default and must be configured and administratively enabled for the protocol to be active. SR OS also supports multi-instance IS-IS, which allows separate instances of the IS-IS protocol to run independently of the SR OS router.

Use the following command to configure an instance ID for IS-IS instances:

  • MD-CLI
    configure router isis isis-instance
  • classic CLI
    configure router isis
Caution: Careful planning is essential to implement commands that can affect the behavior of global and interface levels.

Modifying router-level command options

When IS-IS is enabled, the router operates with both level‑1 and level‑2 routing. The level-capability value can be configured on the global level and also on the interface level. The level-capability value determines which level values can be assigned on the router level or on an interface-basis. To operate as only a level-1 router or only a level-2 router, you must explicitly specify the level number.

  • Level 1 routes only within an area.

  • Level 2 routes to destinations outside an area, toward other eligible level 2 routers.

Use the following command to configure the router capability level:
  • MD-CLI
    configure router isis level-capability (1|2|1/2)
  • classic CLI
    configure router isis level-capability {level-1|level-2|level-1/2}
Use the following command to change the default global value for the router to operate as a level 1 router or a level 2 router:
  • MD-CLI
    configure router isis level level-number (1|2)
  • classic CLI
    configure router isis level (1|2)
Note: If you modify the level, the protocol shuts down and restarts. This can affect adjacencies and routes.

The following is an example of level-capability and level configuration.

MD-CLI
[ex:/configure router "Base" isis 5]
A:admin@node-2# info
    level-capability 2
    level 2 {
        ...
    }
classic CLI
A:node-2>config>router>isis# info
----------------------------------------------
        shutdown
        level-capability level-2
        level 2
            ... 
        exit
----------------------------------------------

Configuring ISO area addresses

Use the following command to configure the area ID, also called an address. You can configure a maximum of three area IDs per router:
  • MD-CLI
    configure router isis area-address
  • classic CLI
    configure router isis area-id

The following example shows the router area ID configuration.

MD-CLI
[ex:/configure router "Base" isis 5]
A:admin@node-2# info
    ...
    area-address [49.0180.0001 49.0180.0002 49.0180.0003]
    ...
    }
classic CLI
A:node-2>config>router>isis# info
----------------------------------------------
        ...
        area-id 49.0180.0001
        area-id 49.0180.0002
        area-id 49.0180.0003
        ...
----------------------------------------------

Configuring global IS-IS command options

Commands and command options configured on the global level are inherited at the interface levels. Configurations in the interface and interface-level take precedence over global configurations.

The following example shows a modified global-level configuration.

MD-CLI
[ex:/configure router "Base" isis 5]
A:admin@node-2# info
    authentication-key "authkey hash2"
    authentication-type password
    authentication-check true
    level-capability 2
    overload-export-external true
    traffic-engineering true
    area-address [49.0180.0001 49.0180.0002 49.0180.0003]
    }
classic CLI
A:node-2>config>router>isis# info
----------------------------------------------
        level-capability level-2
        area-id 49.0180.0001
        area-id 49.0180.0002
        area-id 49.0180.0003
        authentication-key "auth-key" hash
        authentication-type password
        overload timeout 90 
        traffic-engineering
---------------------------------------------

Migration to IS-IS multitopology

To migrate to IS-IS Multitopology (MT) for IPv6, perform the steps described in this topic.

  1. Use the following command to enable sending and receiving of IPv6 unicast reachability information in IS-IS MT TLVs on all the routers that support MT.
    configure router isis multi-topology ipv6-unicast
    MD-CLI
    [ex:/configure router "Base" isis 0]
    A:admin@node-2# info
        ...
        ipv6-routing native
        multi-topology {
            ipv6-unicast true
            ipv4-multicast true
        }
        ...
    classic CLI
    A:node-2>config>router>isis# info detail
    ----------------------------------------------
    ...
            ipv4-routing
            ipv6-routing native
            multi-topology
                ipv6-unicast
            exit
    ...
    ---------------------------------------------- 
  2. Use the following commands to ensure that all routers to be configured for MT have the IPv6 reachability information required by MT TLVs.
    1. Display the IS-IS IPv6 unicast topology.
      show router isis topology ipv6-unicast
      ===============================================================================
      Rtr Base ISIS Instance 0 Topology Table
      ===============================================================================
      Node                                Interface                  Nexthop
      -------------------------------------------------------------------------------
      -------------------------------------------------------------------------------
      IS-IS IPv6 paths (MT-ID 2), Level 1
      -------------------------------------------------------------------------------
      Dut-E.00                            C1/1/8-E1/1/6              Dut-E
      -------------------------------------------------------------------------------
      IS-IS IPv6 paths (MT-ID 2), Level 2
      -------------------------------------------------------------------------------
      Dut-E.00                            C1/1/8-E1/1/6              Dut-E
      ===============================================================================
    2. Use the following command to display the database details.
      show router isis database detail
      ===============================================================================
      Rtr Base ISIS Instance 0 Database (detail)
      ===============================================================================
      Displaying Level 1 database
      -------------------------------------------------------------------------------
      LSP ID    : ALA-49.00-00                                Level     : L1
      Sequence  : 0x22b                  Checksum  : 0x60e4   Lifetime  : 1082
      Version   : 1                      Pkt Type  : 18       Pkt Ver   : 1
      Attributes: L1L2                   Max Area  : 3
      SysID Len : 6                      Used Len  : 404      Alloc Len : 1492
      
      TLVs :
      Area Addresses  :
        Area Address    : (13) 47.4001.8000.00a7.0000.ffdd.0007
      Supp Protocols  :
        Protocols       : IPv4 IPv6
      IS-Hostname     :
        Hostname        : ALA-49
      TE Router ID    :
        Router ID       : 10.10.10.104
      Internal Reach  :
        IP Prefix       : 10.10.10.104/32    (Dir. :Up)  Metric  : 0 (I)
        IP Prefix       : 10.10.4.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.5.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.7.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.0.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.0.0.0/24        (Dir. :Up)  Metric  : 10 (I)
      MT IPv6 Reach.  :
        MT ID           : 2
        IPv6 Prefix     : 3ffe::101:100/120
                          Flags : Up Internal Metric : 10
        IPv6 Prefix     : 10::/64
                          Flags : Up Internal Metric : 10
      I/f Addresses   :
        IP Address      : 10.10.10.104
        IP Address      : 10.10.4.3
        IP Address      : 10.10.5.3
        IP Address      : 10.10.7.3
        IP Address      : 10.10.0.16
        IP Address      : 10.0.0.104
      I/f Addresses IPv6 :
        IPv6 Address    : 3FFE::101:101
        IPv6 Address    : 10::104
      TE IP Reach.    :
        IP Prefix       : 10.10.10.104/32      (Dir. :Up)  Metric  : 0
        IP Prefix       : 10.10.4.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.5.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.7.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.0.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.0.0.0/24          (Dir. :Up)  Metric  : 10
      Authentication  :
        Auth Type       : Password(1) (116 bytes)
      
      Level (1) LSP Count : 1
      
      Displaying Level 2 database
      -------------------------------------------------------------------------------
      LSP ID    : ALA-49.00-00                                Level     : L2
      Sequence  : 0x22c                  Checksum  : 0xb888   Lifetime  : 1082
      Version   : 1                      Pkt Type  : 20       Pkt Ver   : 1
      Attributes: L1L2                   Max Area  : 3
      SysID Len : 6                      Used Len  : 304      Alloc Len : 1492
      
      TLVs :
      Area Addresses  :
        Area Address    : (13) 47.4001.8000.00a7.0000.ffdd.0007
      Supp Protocols  :
        Protocols       : IPv4 IPv6
      IS-Hostname     :
        Hostname        : ALA-49
      TE Router ID    :
        Router ID       : 10.10.10.104
      Internal Reach  :
        IP Prefix       : 10.10.10.104/32    (Dir. :Up)  Metric  : 0 (I)
        IP Prefix       : 10.10.4.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.5.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.7.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.10.0.0/24       (Dir. :Up)  Metric  : 10 (I)
        IP Prefix       : 10.0.0.0/24        (Dir. :Up)  Metric  : 10 (I)
      MT IPv6 Reach.  :
        MT ID           : 2
        IPv6 Prefix     : 3ffe::101:100/120
                          Flags : Up Internal Metric : 10
        IPv6 Prefix     : 10::/64
                          Flags : Up Internal Metric : 10
      I/f Addresses   :
        IP Address      : 10.10.10.104
        IP Address      : 10.10.4.3
        IP Address      : 10.10.5.3
        IP Address      : 10.10.7.3
        IP Address      : 10.10.0.16
        IP Address      : 10.0.0.104
      I/f Addresses IPv6 :
        IPv6 Address    : 3FFE::101:101
        IPv6 Address    : 10::104
      TE IP Reach.    :
        IP Prefix       : 10.10.10.104/32      (Dir. :Up)  Metric  : 0
        IP Prefix       : 10.10.4.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.5.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.7.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.10.0.0/24         (Dir. :Up)  Metric  : 10
        IP Prefix       : 10.0.0.0/24          (Dir. :Up)  Metric  : 10
      Authentication  :
        Auth Type       : MD5(54) (16 bytes)
      
      Level (2) LSP Count : 1
      ------------------------------------------------------------------------------
      Flags : D = Prefix Leaked Down
            : N = Node Flag
            : R = Re-advertisement Flag
            : S = Sub-TLVs Present
            : X = External Prefix Flag
      ===============================================================================
  3. Use the following command to configure MT TLVs for IPv6 SPF.
    configure router isis ipv6-routing mt
    MD-CLI
    [ex:/configure router "Base" isis 0]
    A:admin@node-2# info
        ...
        ipv6-routing mt
        multi-topology {
            ipv6-unicast true
            ipv4-multicast true
        }
        ...
    ---------------------------------------------- 
    classic CLI
    A:node-2>config>router>isis# info detail
    ----------------------------------------------
    ...
            ipv4-routing
            ipv6-routing mt
            multi-topology
                ipv6-unicast
            exit
    ...
    ---------------------------------------------- 
  4. Use the following commands to verify the IPv6 routes for IS-IS.
    1. Display the IPv6 unicast routes.
      show router isis routes ipv6-unicast
      
      ===============================================================================
      Rtr Base ISIS Instance 0 Route Table
      ===============================================================================
      Prefix[Flags]                     Metric     Lvl/Typ     Ver.  SysID/Hostname
        NextHop                                                MT     AdminTag/SID[F]
      -------------------------------------------------------------------------------
      2001:db8:1::3/128                 0          1/Int.      8     Dut-C
         ::                                                      2       0
      2001:db8:1::5/128                 123        1/Int.      10    Dut-E
         fe80::e28:1ff:fe01:6-"C1/1/8-E1/1/6"                    2       0
      2001:db8:100::/126                123        1/Int.      9     Dut-C
         ::                                                      2       0
      -------------------------------------------------------------------------------
      No. of Routes: 3 (3 paths)
      -------------------------------------------------------------------------------
      Flags        : L = LFA nexthop available
      SID[F]       : R  = Re-advertisement
                     N  = Node-SID
                     nP = no penultimate hop POP
                     E  = Explicit-Null
                     V  = Prefix-SID carries a value
                     L  = value/index has local significance
      ===============================================================================
    2. Display the IPv6 information in the route table.
      show router route-table ipv6
      ===============================================================================
      IPv6 Route Table (Router: Base)
      ===============================================================================
      Dest Prefix                                   Type    Proto    Age         Pref
             Next Hop[Interface Name]                                     Metric
      -------------------------------------------------------------------------------
      10::/64                                       Local   Local    05h35m28s   0
             to-104                                                       0
      -------------------------------------------------------------------------------
      No. of Routes: 1
      ===============================================================================

Configuring IS-IS interfaces

You must configure at least one IS-IS interface for IS-IS to work. There are no default interfaces applied to the router’s IS-IS instance. An interface belongs to all areas configured on a router. Interfaces cannot belong to separate areas.

Configuring interfaces with level capability

Describes how to configure IS-IS interfaces with level capability.

Use the following procedure to configure and enable IP interfaces for IS-IS. You must configure at least one IS-IS interface for IS-IS to work.

  1. Use the following command to configure IP interfaces to use for IS-IS.
    configure router interface
    MD-CLI
    [ex:/configure router "Base"]
    A:admin@node-2# info
        interface "NOK-1-1" {
        }
        interface "NOK-1-2" {
        }
        interface "NOK-1-3" {
        }
        interface "NOK-1-5" {
        } 
        interface "system" {
        }
        interface "to-103" {
        }
    
    classic CLI
    A:node-2>config>router# info
    #--------------------------------------------------
            interface "NOK-1-1"
                no shutdown
            exit
            interface "NOK-1-2"
                no shutdown
            exit
            interface "NOK-1-3"
                no shutdown
            exit
            interface "NOK-1-5"
                no shutdown
            exit
            interface "system"
                no shutdown
            exit
            interface "to-103"
                no shutdown
            exit
    #--------------------------------------------------
    
  2. Use the following command to reference the interfaces created in step 1 for IS-IS.
    configure router isis interface
    MD-CLI
    [ex:/configure router "Base" isis 0]
    A:admin@Dut-AC# info
        ...
        interface "NOK-1-1" {
        }
        interface "NOK-1-2" {
        }
        interface "ALA-1-3" {
        }
        interface "ALA-1-5" {
        }
        interface "system" {
        }
        interface "to-103" {
        }
    classic CLI
    A:node-2>config>router>isis# interface "NOK-1-2"
    *A:node-2>config>router>isis>if#
    ... 
  3. Use the following commands to configure level 1 and level 2 options and the level-capability for an interface. The level-capability value determines which level values are used.
    configure router isis level
    configure router isis interface
    configure router isis interface level-capability
    configure router isis interface-type
    Note: For point-to-point interfaces, only values configured under level 1 are used, regardless of the operational level of the interface.

    The following example shows global and interface-level configurations.

    MD-CLI
    [ex:/configure router "Base" isis 0]
    A:admin@node-2# info
        authentication-key "auth-key= hash2"
        authentication-type password
        ipv6-routing native
        level-capability 2
        traffic-engineering true
        area-address [49.0180.0001 49.0180.0002 49.0180.0003]
        multi-topology {
            ipv6-unicast true
            ipv4-multicast false
        }
        interface "ALA-1-2" {
            level-capability 2
        }
        interface "ALA-1-3" {
            interface-type point-to-point
            level-capability 1
        }
        interface "ALA-1-5" {
            interface-type point-to-point
            level-capability 1
        }
        interface "system" {
        }
        interface "to-103" {
        }
        level 1 {
            wide-metrics-only true
        }
        level 2 {
            wide-metrics-only true
        }
    classic CLI
    A:node-2>config>router>isis# info
    ----------------------------------------------
            level-capability level-2
            area-id 49.0180.0001
            area-id 49.0180.0002
            area-id 49.0180.0003
            authentication-key "auth-key" hash
            authentication-type password
            traffic-engineering
            level 1
                wide-metrics-only
            exit
            level 2
                wide-metrics-only
            exit
            interface "system"
            exit
            interface "ALA-1-2"
                level-capability level-2
            exit
            interface "ALA-1-3"
                level-capability level-1
                interface-type point-to-point
            exit
            interface "ALA-1-5"
                level-capability level-1
                interface-type point-to-point
            exit
            interface "to-103"
            exit
    ----------------------------------------------
Configuring a level 1 area

Interfaces are configured in the configure router interface context, as shown in Configuring a level 1 area and the procedure Configuring interfaces with level capability.

Figure 4. Configuring a level 1 area

The following example displays the command usage to configure a level 1 area.

MD-CLI
[ex:/configure router "Base" isis 0]
A:admin@node-A# info
    ...
    level-capability 1
    ...
    area-address [49.0180.0001 49.0180.0002 49.0180.0003]
    ...
    }
    interface "A-B" {
        level-capability 1
    }
    interface "A-C" {
        level-capability 1
    }
    interface "B-A" {
        level-capability 1
    }
    interface "B-C" {
        level-capability 1
    }
    interface "C-A" {
        level-capability 1
    }
    interface "C-B" {
        level-capability 1
    }
    ....
classic CLI
A:node-A>config>router>isis# info
----------------------------------------------
        level-capability level-1
        area-id 49.0180.0001
        interface "system"
        exit
        interface "A-B"
        exit
        interface "A-C"
        exit
----------------------------------------------

A:node-B>config>router>isis# info
----------------------------------------------
        level-capability level-1
        area-id 49.0180.0002
        interface "system"
        exit
        interface "B-A"
        exit
        interface "B-C"
        exit
----------------------------------------------

A:node-C>config>router>isis# info
#------------------------------------------
echo "ISIS"
----------------------------------------------
        level-capability level-1
        area-id 49.0180.0003
        interface "system"
        exit
        interface "C-A"
        exit
        interface "C-B"
        exit
----------------------------------------------
Modifying a router’s level capability

In the example shown in Configuring a level 1 area, A, B, and C are configured as level 1 systems. Level 1 systems communicate with other level 1 systems in the same area. In the following example, area A is modified to set the level capability to level 1 and 2, as shown in Configuring a level 1/2 area. Now, the level 1 systems in the area with NET 47.0001 forward PDUs to area A for destinations that are not in the local area.

Figure 5. Configuring a level 1/2 area

The following example shows the command usage to change area A from a level 1 system to a level 1/2 system.

MD-CLI
[ex:/configure router "Base" isis 0]
A:admin@node-A# level-capability 1/2

*[ex:/configure router "Base" isis 0]
A:admin@node-A# info
    ... 
    level-capability 1/2
    ...
    }
classic CLI
Note: The level-1/2 default configuration option is not displayed in the output of the info command.
A:node-A>config>router>isis# info
----------------------------------------------
        shutdown
        level-capability level-1 
        area-id 49.0180.0001
        ...
A:node-A>config>router>isis# level-capability level-1/2
*A:node-A>config>router>isis# info
----------------------------------------------
        shutdown
        area-id 49.0180.0001
        ...
Configure LFA for IS-IS interfaces

Configure LFA policy maps for interfaces using a route next-hop template

Use the following commands to apply a route next-hop policy template that is configured with the required policies, to all IS-IS prefixes whose primary next hop uses a specific interface. See Application of route next hop policy template to an interface for more information.

  • MD-CLI
    configure router isis interface loopfree-alternate policy-map route-nh-template 
    configure service vprn isis interface loopfree-alternate policy-map route-nh-template
  • classic CLI
    configure router isis interface lfa-policy-map route-nh-template
    configure service vprn isis interface lfa-policy-map route-nh-template 
Exclude interfaces from LFA SPF

Use the following commands to exclude an interface in IS-IS or an IS-IS level from an LFA SPF. You can also exclude prefixes from a prefix policy that matches on prefixes or on IS-IS tags, for the router or VPRN service. See Excluding interfaces and prefixes from LFA SPF for more information.

  • MD-CLI
    configure router isis interface loopfree-alternate exclude
    configure service vprn isis interface loopfree-alternate exclude
  • classic CLI
    configure router isis interface loopfree-alternate-exclude
    configure service vprn isis interface loopfree-alternate-exclude

Configuring IS-IS link groups

IS-IS Link-Groups allows the creation of an administrative grouping of multiple IS-IS member interfaces that should be treated as a common group for ECMP purposes. If the number of operational links in the link-group drops below the operational-member value, then all links associated with that IS-IS link group will have their interface metric increased by the configured offset amounts. As a result, IS-IS will then try to reroute traffic over lower cost paths.

After it is triggered, the higher metric will not be reset to the originally configured IS-IS interface metric values until the number of active interfaces in the link bundle reaches the configured revertive threshold (revert-members).

Prerequisite are the following:

  • one or more interface members

  • a configured operational-member (oper-members) value

  • a configured revertive-member (revert-members) value

  • configured offset values for the appropriate address families

IS-IS configuration management tasks

This section discusses IS-IS configuration management tasks.

Disabling IS-IS

When you administratively disable the IS-IS protocol instance on the router, the configuration settings are not changed, reset, or removed. Use the following command to disable IS-IS on a router:

  • MD-CLI
    configure router isis admin-state disable
  • classic CLI
    configure router isis shutdown

Removing IS-IS

When you remove the IS-IS protocol instance, the IS-IS configuration reverts to the default settings.

Use the following command to remove the IS-IS configuration:

  • MD-CLI
    config router delete isis
  • classic CLI
    configure router no isis

Modifying global IS-IS configuration

You can modify, disable, or remove global IS-IS configuration without administratively disabling the entities. Changes take effect immediately. Modifying the level capability on the global level causes the IS-IS protocol to restart.

Modifying IS-IS interface configuration

You can modify, disable, or remove interface-level IS-IS configuration without administratively disabling the entities. Changes take effect immediately. Modifying the level capability on the interface causes the IS-IS protocol on the interface to restart.

Use the following command to remove an interface:

  • MD-CLI
    configure router delete interface
  • classic CLI
    configure router no interface

Use the following command to disable an interface:

  • MD-CLI
    configure router interface admin-state disable
  • classic CLI
    configure router interface shutdown

The following example displays interface IS-IS modification command usage. For specific interface configuration and modification examples also see, Configuring a level 1 area and Modifying a router’s level capability.

Configuring authentication using keychains

The use of authentication mechanism is recommended to protect against malicious attack on the communications between routing protocol neighbors. These attacks could aim to either disrupt communications or to inject incorrect routing information into the systems routing table. The use of authentication keys can help to protect the routing protocols from these types of attacks. In addition, the use of authentication keychains provides the ability to configure authentication keys and make changes to them without affecting the state of the routing protocol adjacencies.

To configure the use of an authentication keychain within IS-IS, use the following steps.

  1. Use the following command to configure an authentication keychain. The configured keychain must include at least one valid key entry, using a valid authentication algorithm for the IS-IS protocol.

    • MD-CLI
      configure system security keychains
    • classic CLI
      configure system security keychain
  2. Associate the configure authentication keychain with IS-IS. Authentication keychains can be used to specify the authentication at the IS-IS global and level contexts, as well as for hello authentication at the interface and interface-level context.

    • MD-CLI
      configure router isis hello-authentication-keychain
    • classic CLI
      configure router isis auth-keychain

Use the following command to establish the hello authentication association:

  • MD-CLI
    configure router isis hello-authentication
  • classic CLI
    configure router isis hello-auth-keychain

For a key entry to be valid, it must include a valid key, the current system clock value must be within the begin and end time of the key entry, and the algorithm specified in the key entry must be supported by the IS-IS protocol.

The IS-IS protocol supports the following algorithms:

  • clear text password (RFC 5304 and RFC 5310 formats)

  • HMAC-MD5 (RFC 5304 and RFC 5310 formats)

  • HMAC-SHA-1 (RFC 5310 format)

  • HMAC-SHA-256 (RFC 5310 format)

The IS-IS key entry may also include the option to determine how the IS-IS protocol encodes the authentication signature. The basic command option results in the use of RFC 5304 format. The default or a value of the isis-enhanced command option results in using the RFC 5310 format.

Use the following command to configure the encoding of the IS-IS protocol authentication signature:

  • MD-CLI
    configure system security keychains keychain bidirectional entry option
  • classic CLI
    configure system security keychain direction bi entry

The error handling is described below.

  • If a keychain exists but there are no active key entries with an authentication type that is valid for the associated protocol then inbound protocol packets are not authenticated and discarded and no outbound protocol packets should be sent.

  • If keychain exists, but the last key entry has expired, a log entry is raised indicating that all keychain entries have expired. The IS-IS protocol requires that the protocol not revert to an unauthenticated state and requires that the old key is not to be used, therefore, after the last key has expired, all traffic is discarded.

Guidelines for configuring route leaking from level 2 to level 1 areas

IS-IS allows a two-level hierarchy to route PDUs. Level 1 areas can be interconnected by a contiguous level 2 backbone. The level 1 link-state database contains information only about that area. The level 2 link-state database contains information about the level 2 system and each of the level 1 systems in the area. A level 1/2 router contains information about both level 1 and level 2 databases. A level 1/2 router advertises information about its level 1 area toward the other level 1/2 or level 2 (only) routers.

Packets with destinations outside the level 1 area are forwarded toward the closest level 1/2 router which, in turn, forwards the packets to the destination area.

Sometimes, the shortest path to an outside destination is not through the closest level 1/2 router, or, the only level 1/2 system to forward packets out of an area is not operational. Route leaking provides a mechanism to leak level 2 information to level 1 systems to provide routing information about inter-area routes. A level 1 router then has more options to forward packets.

See Configuring route leaking from level 2 to level 1 areas for information about how to configure route leaking.

Configuring route leaking from level 2 to level 1 areas

This topic describes how to configure policies to leak routes from level 2 to level 1.

This task describes how to configure policies, including a prefix list and policy statement, to leak routes from level 2 to level 1 areas.

  1. Use the commands in the following contexts to configure a policy to leak routes from level 2 into level 1 areas:
    • MD-CLI
      Note: Use the commit command to save the configuration.
    • classic CLI
      Note: Use the begin command to enter edit mode for the policy-options configuration and the commit command to save the configuration.
    MD-CLI
    [ex:/configure policy-options]
    A:admin@node-2# info
        prefix-list "loops" {
            prefix 10.1.1.0/24 type longer {
            }
        }
        policy-statement "leak" {
            entry 10 {
                from {
                    level 2
                    prefix-list "loops"
                }
                to {
                    level 1
                }
                action {
                    action-type accept
                }
            }
        }
    classic CLI
    A:node-2>config>router>policy-options# info
    ----------------------------------------------
                prefix-list "loops"
                        prefix 10.1.1.0/24 longer
                exit
                policy-statement "leak"
                    entry 10
                        from
                            prefix-list "loops"
                            level 2
                        exit
                        to
                            level 1
                        exit
                        action accept
                        exit
                    exit
                exit
    ---------------------------------------------
  2. Use the following command to apply the policy statement created in step 1 to leak routes from level 2 info level 1 systems on the node.
    • MD-CLI
      configure router isis export-policy 
    • class CLI
      configure router isis export
    MD-CLI
    [ex:/configure router "Base" isis 0]
    A:admin@node-A# info
        authentication-key "auth-key= hash2"
        authentication-type password
        ...
        area-address [49.0180.0001 49.0180.0002 49.0180.0003]
        authentication-check false
        export-policy "leak"
        ... 
    classic CLI
    A:node-A>config>router>isis# info
    ----------------------------------------------
            area-id 49.0180.0001
            area-id 49.0180.0002
            area-id 49.0180.0003
            authentication-key "//auth-key" hash
            authentication-type password
            no authentication-check
            export "leak"
            ...
    ----------------------------------------------
  3. After exporting the policy, use the commands in the following context to create a policy to redistribute external IS-IS routes from level 1 systems into the level 2 backbone (see Redistributing external IS-IS routers).
    • MD-CLI
      configure policy-options prefix-list
      configure policy-options policy-statement entry
    • classic CLI
      configure router policy-options prefix-list
      configure router policy-options policy-statement entry
    MD-CLI
    [ex:/configure policy-options]
    A:node-AC# info
        prefix-list "loops" {
            prefix 10.1.1.0/24 type longer {
            }
        }
        policy-statement "leak" {
            entry 10 {
                from {
                    level 2
                    prefix-list ["loops"]
                }
                to {
                    level 1
                }
                action {
                    action-type accept
                }
            }
        }
        policy-statement "isis-ext" {
            entry 10 {
                from {
                    external true
                }
                to {
                    level 2
                }
                action {
                    action-type accept
                }
            }
        }
    
    classic CLI
    A:node-AC>config>router>policy-options# info
    ----------------------------------------------
                prefix-list "loops"
                        prefix 10.1.1.0/24 longer
                exit
                policy-statement "leak"
                    entry 10
                        from
                            prefix-list "loop"
                            level 2
                        exit
                        to
                            level 1
                        exit
                        action accept
                        exit
                    exit
                exit
                policy-statement "isis-ext"
                    entry 10
                        from
                            external
                        exit
                        to
                            level 2
                        exit
                        action accept
                        exit
                    exit
                exit
    ----------------------------------------------

Redistributing external IS-IS routers

IS-IS does not redistribute level 1 external routes into level 2 by default. You must explicitly apply the policy to redistribute external IS-IS routes. Use the commands in the following context to create and apply a policy to redistribute external IS-IS routes:

  • MD-CLI
    Note: Use the commit command to save the configuration.
    configure policy-options prefix-list
    configure policy-options policy-statement entry
  • class CLI
    Note: Use the begin command to enter edit mode for the policy-options configuration and the commit command to save the configuration.
    configure router policy-options prefix-list
    configure router policy-options policy-statement entry

See Route policies for more information about creating and using route policies.

The following example shows a policy-statement configuration.

MD-CLI

[ex:/configure policy-options]
A:node-AC# info
    prefix-list "loops" {
        prefix 10.1.1.0/24 type longer {
        }
    }
    policy-statement "isis-ext" {
        entry 10 {
            from {
                external true
            }
            to {
                level 2
            }
            action {
                action-type accept
            }
        }
    }
    policy-statement "leak" {
        entry 10 {
            from {
                level 2
                prefix-list ["loops"]
            }
            to {
                level 1
            }
            action {
                action-type accept
            }
        }
    }

classic CLI

A:node-AC>config>router>policy-options# info
----------------------------------------------
            prefix-list "loops"
                    prefix 10.1.1.0/24 longer
            exit
            policy-statement "leak"
                entry 10
                    from
                        prefix-list "loops"
                        level 2
                    exit
                    to
                        level 1
                    exit
                    action accept
                    exit
                exit
            exit
            policy-statement "isis-ext"
                entry 10
                    from
                        external
                    exit
                    to
                        level 2
                    exit
                    action accept
                    exit
                exit
            exit
---------------------------------------------

Specifying MAC addresses for all IS-IS routers

Use the following commands to specify a MAC address for all L1 IS-IS routers.

configure router isis all-l1isis
configure service vprn isis all-l1isis

Use the following commands to specify the MAC address for all L2 IS-IS routers.

configure router isis all-l2isis
configure service vprn isis all-l2isis