IS-IS Operation over Different Network Types
IS-IS natively supports only broadcast and point-to-point network types. IS-IS has no special provisions to correctly operate over partially meshed data link layer technologies such as hub-and-spoke Frame Relay. Recommended practice dictates that you configure such networks using point-to-point subinterfaces and run IS-IS over these point-to-point links. It is noteworthy to mention that what IS-IS calls broadcast links should much better becalled multiaccess links.
In IS-IS, there are only three possible adjacency states:
-Down: The initial state. No IIHs have been received from the neighbor.
-Initializing: IIHs have been received from the neighbor, but it is not certain that the neighbor is properly receiving this router’s IIHs.
-Up: IIHs have been received from the neighbor, and it is certain that the neighbor is properly receiving this router’s IIHs.
IS-IS Operation over Point-to-Point Links
The three-way-handshake method is based on each router on a point-to-point link advertising an adjacency state TLV in its IIH packets that contains the following fields:
-Adjacency Three Way State: This is the state of adjacency as seen by the sending router.
-Extended Local Circuit ID: This is the ID of the sending router’s interface.
-Neighbor System ID: This value is set to the ID of the neighboring router whose IIHs have been successfully received.
-Neighbor Extended Local Circuit ID: This value is set to the Extended Local Circuit ID field value from the neighbor’s IIH packets.
The logic of the three-way handshake (Early Cisco Implementation)
1. If Router A receives an IIH from Router B with the Adjacency Three Way State set to Down, it is clear that Router A can hear Router B. It is not certain, though, whether Router B can hear Router A. Router A will start sending its IIH with the Adjacency Three Way State set to Initializing to tell Router B it can hear it.
2. When Router B receives an IIH from Router A with the Adjacency Three Way State set to Initializing, it knows that these IIHs are effectively sent in response to its own IIH, and that Router A is in fact telling Router B it can hear it. Router B is now certain that bidirectional communication is possible. Therefore, it starts sending its IIH with the Adjacency Three Way State set to Up.
3. When Router A receives an IIH from Router B with the Adjacency Three Way State set to Up, it knows Router B can hear it. Router A is now also certain that bidirectional communication is possible and starts sending its IIH with the Adjacency Three Way State set to Up, concluding the three-way handshake.
(IETF Implementation) The adjacency state TLV was augmented with the Extended Local Circuit ID, neighbor System ID, and Neighbor Extended Local Circuit ID fields to carry additional information about the neighbor’s identity and interface.
With these fields in place, an IIH that carries a three-way adjacency state TLV is accepted only if one of the following conditions is met:
-The Neighbor System ID and Neighbor Extended Local Circuit ID are not present (typical at the beginning of the adjacency buildup, or the neighbor implements only the early version of the three-way handshake).
-The Neighbor System ID matches the receiving router’s System ID and the Neighbor Extended Local Circuit ID matches the receiving interface’s ID.
If these conditions are not met, the incoming IIH is silently dropped. Hence, these rules form an IIH acceptance check.
Therefore, the three-way handshake logic as described in the three previous steps changes simply by replacing all occurrences of “ receives IIH ” with “ receives and accepts IIH .”
After the adjacency is declared as Up, routers will attempt to synchronize their link-state databases. Both routers will mark all their LSPs for flooding over the point-to-point link; plus they send CSNP(Complete Sequence Number Packet) packets to each other. If a router learns from the received CSNP that its neighbor already has an LSP that is scheduled to be sent, the router will unmark the LSP, removing it from the set of LSPs to be flooded. This way, only the LSPs missing from the neighbor’s database will be sent to it. In addition, if a router learns from the received CSNP that the neighbor has LSPs that are newer or unknown, it will request them using a PSNP packet. Note that neither of these is necessary, as both routers nonetheless initially set up all their LSPs to be flooded across the link, without the aid of CSNP or PSNP packets. The initial sending of CSNPs to compare the link-state databases and PSNPs to request missing or updated entries increases the resiliency of the synchronization process but is not strictly necessary. Importantly, though, every LSP sent over a point-to-point link, whether during the initial database synchronization or anytime later when it is updated or purged, must be acknowledged, and this is done using PSNP or CSNP packets.
IS-IS Operation over Broadcast Links
Detecting neighbors is again performed by IIH packets. In a fashion similar to OSPF, an IS-IS router lists the MAC addresses (or better said, SNPAs) of all neighboring routers it hears on a broadcast interface in its IIH packet sent through that interface. If a router receives an IIH from a neighbor and finds its own SNPA indicated in the IIH, it knows that the routers can see each other, and can move the adjacency to the Up state. If not, the adjacency is kept in the Initializing state. OSPF performs a similar operation, but it lists Router IDs of heard routers in its Hello packets.
IS-IS also elects one Designated IS for each broadcast network but it has no concept of a backup DIS. A DIS is elected based on these criteria:
-The router with the highest interface priority.
-In case of a tie, the router with the highest SNPA.
-In case the SNPAs are not comparable, the router with the highest System ID. This rule is used on Frame Relay and ATM physical interfaces and multipoint subinterfaces, which are treated as broadcast interfaces by IS-IS.
The interface priority is configurable using a perinterface isis priority priority [level] command. DIS elections in IS-IS are preemptive: Whenever a router is connected that has a higher priority than the current DIS, the same priority and higher SNPA, it will take over the DIS role.
In IS-IS, all routers on a common broadcast segment become fully adjacent, regardless of which is the DIS. This is different from OSPF. In IS-IS,
every router can send an LSP on the broadcast link and all others are allowed to accept it.A DIS is responsible for two important operations: 1) Helping routers on a broadcast segment to synchronize; 2) Representing the broadcast segment in the link-state database as a standalone object—the Pseudonode.
Synchronization of IS-IS routers on a broadcast network is surprisingly simple. The DIS creates and sends a CSNP packet in regular intervals (10 seconds by default) on the segment. This CSNP packet lists all LSPs present in the DIS’s link-state database. Other routers on the segment receive this CSNP and compare it to the index of their own link-state database.
The DIS is not a relay of LSPs; rather, it is a reference point of comparison. If a router misses an LSP known by the DIS, or if the LSP is older than the one known by the DIS, the router will request the newer LSP through PSNP and the DIS will flood it. If the PSNP or the LSP gets lost during transmission, the process will simply repeat itself. Conversely, if a router knows about a newer LSP than the one known by the DIS, or if the DIS seems to miss it completely, the router will simply flood the LSP onto the network. No explicit acknowledgment by the DIS is sent. If the LSP has arrived, the DIS will advertise it in its next periodic CSNP, and this CSNP serves as an implicit acknowledgment.. PSNPs are used on broadcast networks only to request LSPs, not to acknowledge them. Another responsibility of the DIS is to represent the broadcast network in the link-state database so that the topological model of the network is simpler.
With a pseudonode, the broadcast network itself is represented as a node—more specifically, a pseudo node—in the topology. To exist as a pseudonode in a link-state database, a broadcast network must have its own LSP. It is the responsibility of the DIS to originate and flood the Pseudonode LSP on behalf of the broadcast network. Recall that each LSP is identified by a triplet of System
ID, Pseudonode ID, and LSP Fragment Number. ID. In case of router LSPs, the System ID carries the ID of the router and the Pseudonode ID is set to 0. In case of network LSPs (that is, Pseudonode LSPs), the System ID is the ID of the DIS, and the Pseudonode ID is set to the Local Circuit ID of the DIS’s interface in the network.
The show isis hostname is used to check the mapping of hostnames to System IDs. To verify IS-IS neighbor adjacencies, show isis neighbors is useful. show isis neighbors detail would also show information about each router's SNPA and configured priority. The show isis database lists Pseudonode LSP that is recognizable by its Pseudonode ID being non-zero. To see the contents of LSPs, show isis database detail can be used.
The router acting as a DIS shortens its own Hello and Hold time to just one-third of the configured values. This is done to allow other routers to detect its failure more rapidly. If a DIS fails, another router will be elected in its place, but because there is no additional adjacency buildup necessary (all routers on the segment are already fully adjacent), a DIS switchover is merely related to replacing the old Pseudonode LSP originated by the previous DIS with a new LSP from the newly elected DIS and remaining routers updating their LSPs to point toward the new Pseudonode LSP.
Areas in IS-IS
Multiple NSAP addresses on an IS-IS instance are nonetheless used only during network changes, and in stable operation, there should be only a single NSAP address configured per IS-IS process. IS-IS uses the entire high-order part of the NSAP address up to the start of System ID as the area identifier. Nodes in a single area must obviously be addressed using the same NSAP format, the same initial domain identifier, and the same internal area number(high-order domain specific part). Any difference in these octets would signify that the addressing format is different (and hence incomparable to any other), or the domain(that is, the autonomous system) is different, or the internal area numbering differs.
L1 routing is a process of intra-area routing. If OSI protocols such as CLNP were in use, routers would collect NSAP addresses of their directly attached end hosts and advertise them in their routing updates simply as other adjacencies. With IP protocols, each L1 router advertises its directly connected IP networks in its L1 LSP. A very important fact is that two interconnected neighboring L1 routers configured with different areas will never establish an adjacency.
L2 routing is a process of inter-area routing, that is, delivering packets between stations located in different areas. If OSI protocols were in use, routers would not collect nor advertise end host NSAP addresses. Instead, routers would only advertise their area IDs in their L2 LSPs. L2 routers therefore form a backbone of a multiarea domain, and for this backbone to operate correctly, it must be contiguous and pervade all areas within the domain. Sometimes, the backbone as the set of L2 routers is also called an L2 subdomain. With IP protocols, IP addresses do not carry embedded area information like NSAP addresses. Each L2 router advertises its directly connected IP networks to achieve contiguous IP connectivity in the backbone, plus all other L1 routes from its own area with appropriate metrics , to advertise IP networks present in particular areas. Thus, while LSPs are never leaked between L1 and L2 link-state databases, on L2 routers, IP routing information computed from the router’s L1 link-state database is injected into its L2 LSP. No IP networks are injected from L2 into L1 unless specifically configured.
L1 routers in an area have no L2 link-state database and therefore have no information about other areas that is carried by L2 routers. From this viewpoint, L1 routers in an area have a visibility identical to routers in an OSPF Totally Stubby Area—they see their own area but nothing more. Yet, a L1 router can still perform redistribution from external sources, and these redistributed networks will be visible both in that area and uptaken by L2 routers into the backbone. Therefore, L1 routers in an area behave more as if they were in an OSPF Not So Stubby-Totally Stubby (NSSA-TS) area.
L2 routers disrespect area boundaries when it comes to creating adjacencies and flooding link-state database contents. They create adjacencies with other L2 routers regardless of the area ID, and share all information present in their L2 link-state databases. Therefore, the entire L2 subdomain across all areas in the entire domain can be likened to a single OSPF backbone area.
IS-IS on Cisco routers defaults to L1L2 operation. Note the default administrative distance of 115 for all IS-IS-learned routes.
In show isis database output, where three flags, ATT, P, and OL, are called ATTached, Partition repair, and Overload flags. The ATT flag is especially relevant to inter-area routing. When an L1L2 router performs its L2 SPF calculation and determines that it can reach other areas besides its own (note that LSPs also carry the area ID of their originating routers), it sets the ATT flag in its L1 LSP. L1-only routers in the area can use any router whose ATT bit is set in its L1 LSP to reach other areas. Because no IP addressing information flows down from L2 into L1, L1-only routers have no knowledge about prefixes in other areas. They automatically install a default route toward their nearest L1L2 router whose ATT bit is set into their routing table. The Partition repair bit indicates whether the router is capable of an optional feature that allows healing a partitioned area over the L2 subdomain—functionality similar to an OSPF virtual link. The Partition repair function was never widely implemented, and Cisco routers do not support it; hence they always set the P bit to 0.
Finally, the Overload bit was originally intended to signal that the router is, for whatever reason, unable to store all LSPs in its memory, and that its link-state database is overloaded. Therefore, if a router’s LSP has the O bit set, the SPF computation on other routers will ignore this router when computing shortest paths to other routers and their networks. However, the SPF will still take the directly attached networks of this router into account because these continue to be reachable.
The O bit can also be used when a router needs to be taken out of service for maintenance without causing major disruption to the network. Instead of simply shutting the router down, setting the O bit first will make other routers immediately recalculate their routing tables, computing alternate paths (if such paths exist) that do not traverse this router. The network converges on alternate paths much sooner than it would take if the router was simply taken offline and other routers needed to wait for its Hold timer to expire. Also, the O bit is very useful if a new router is to be attached to a network. Yet another important application of the O bit is to allow the router to settle its adjacencies after reboot and wait for some time to stabilize while already running IS-IS and populating its routing table, before becoming a transit router. This feature is especially important with BGP that can converge significantly slower than IS-IS.
To see the contents of L2 database, the show isis database l2 detail command is used. Each the L2 LSP of each router contains both its directly connected networks along with all L1 networks in that router's area.
Identical L2 link-state database contents would be displayed on any L2-enabled router in this network. Looking at any L2 LSP in isolation, you do not even know which prefix is directly connected to the router and which one is an L1 prefix “uptaken” into L2—they are both advertised in the same manner.
Regarding redistribution, external networks are by default injected into L2 but can be configured to be injected into L1 or both L1 and L2 on a router. If an external route is redistributed to L1, all other routers in the same area will see the route as an L1 IS-IS route. When “uptaking” L1 routes into L2 on backbone routers, they do not discriminate between internal L1 networks and external networks in the area that have been redistributed as L1 routes. Multiple areas in a domain are nowadays created primarily for the purpose of address summarization. In IS-IS, area summarization should be configured on each L1L2 router in the area using summary-address command inside the router isis section,
Authentication in IS-IS
Authentication in IS-IS can be activated independently for IIH and independently for non-IIH (LSP, CSNP, PSNP) packets. IIH authentication is configured on interfaces and applies only to IIH packets exchanged with directly connected neighbors. Therefore, different interfaces of a router can use different IIH passwords. The same type of authentication and the same password must be configured on all routers in an area if L1 non-IIH authentication is used, or on all L2 routers in the domain if L2 non-IIH authentication is used.
If IIH packets fail authentication, the routers will be completely prevented from communicating in IS-IS even if the non-IIH packets themselves passed the authentication or did not require the authentication. If IIH packets pass the authentication but the non-IIH packets fail it, the routers will be in the Up adjacency state but they will not be able to synchronize their link-state databases.
IPv6 Support in IS-IS
IS-IS is a true multiprotocol routing protocol in the sense that it does not require any particular Layer 3 protocol to carry its packets, and in a single instance, it can carry information about destinations described by different address families. It is not necessary to start an additional IS-IS process to carry IPv6 routes along with IPv4. Instead, the existing IS-IS process is simply instructed to advertise IPv6 routes along with other information it is already advertising.
Configuring IS-IS
Interfaces are added to IS-IS directly by configuring them with the ip router isis command. IS-IS has no network command. There is no network command in IS-IS.If the network from the interface shall be advertised but the interface should remain passive, simply referring to it by the passive-interface command is signal enough to IS-IS to know that the interface’s network should be advertised even though the interface itself should disallow creating any adjacencies over it. And finally, if the interface is intended to operate as an active interface, it shall be configured with the ip router isis command.
If a router is configured for L1L2 operation, it will by default try to establish both L1 and L2 adjacencies over all active IS-IS interfaces. If it is known that an interface should be used to establish only L1 or only L2 adjacencies, it is possible to limit its operation only to the selected level. That will prevent the router from sending and processing packets of a different routing level over that interface.
The per-interface isis authentication and per-process authentication commands support optional level-1 and level-2 keywords to specify the desired level for which the authentication should be activated. If not specified, both levels are authenticated.
Note that unlike other IGP protocols, IS-IS does not use a separate process configuration section for its IPv6 operation. The router isis section is universal for all address families supported by IS-IS.
The show clns command shows a brief but useful information about this router's NET and mode of Integrated IS-IS operation
