JUNOS: IS-IS STUDY NOTES, PART 1 – FOR JUNIPER’S JNCIS-SP and JNCIS-ENT EXAMS

I’m happy to say that I recently passed my JNCIS-SP (Juniper Specialist Service Provider) certification. “Congratulations, Chris”. Aww, thank you very much!

It was a unique experience: as I clicked submit on the final question, the exam centre staff burst in with cake and balloons to celebrate my victory. They’d printed a 10 x 3 banner saying “WELL DONE CHRIS, YOU HERO!” next to a big photo of my face, which required no photoshopping due to my traditionally handsome Hollywood looks. It was very kind of them – though considering that I was still in the exam room at the time, it was also clearly a direct breach of their own strict exam-condition rules. As such, everyone else in the room had their tests immediately null and void.

Anyway. During my studies I made a lot of notes, because I’m a #good #boy. And y’all know how much I love sharing the knowledge I’ve learned. So, my next few posts are going to be polished-up versions of the notes I made along the way.

These next few posts are all about ISIS. Which I prefer to write as IS-IS, and pronounce as “Ai Ess Ai Ess”. You know: on account of ISIS. Gosh darn it, they ruin everything!! Anyway, let’s not let global terrorism stop us from learning about a sweet way to advertise prefixes within your network.

 

SOME THINGS TO NOTE BEFORE WE START STUDYING

In this first post we’ll talk generally about how IS-IS works. We’ll compare it to OSPF; we’ll talk about Level 1 and Level 2; we’ll explain the bizarre addressing system; and we’ll look at a basic config.

In part 2 we’ll introduce the different packet types. We’ll also look at the metric, the “DIS” election, and mesh groups. Finally, part 3 will be jam-packed with tips to verify and troubleshoot your network. And as a bonus, if you’re well behaved, I’ll even tell you the secret to eternal youth and happiness.

Here’s two things to bear in mind:

1) IS-IS is also on the JNCIS-ENT. I’ve never taken this exam, but I imagine that these notes will be useful to anyone studying for either the JNCIS-SP or the JNCIS-ENT – as well as anyone who just fancies learning about it, whether for “business” or “pleasure”.

2) It should go without saying that I am in no way claiming that these notes are all you need to pass any particular exam. They’re not complete, or extensive. This is just an introduction. So if you’re reading a section thinking “Wait, he missed something out” – you’re right! You’ll definitely want to read the Juniper website, books and blog posts to get all the relevant info. What I can promise you, though, is this: daily nude selfies in exchange for £10 a week. Good luck getting a bargain like that out of any of the major vendors, tbh.

 

WHAT IS IS-IS?

IS-IS (Intermediate System to Intermediate System) is a routing protocol for advertising all the prefixes throughout your own network – in other words, it’s an IGP (Interior Gateway Protocol).

Like most IGPs, the basics are easy to understand:

  • You turn on IS-IS;
  • You tell your router which interfaces are included in the IS-IS process;
  • Your router forms adjacencies with any router running IS-IS on the other end of the link;
  • The routers will tell each other what links and prefixes they know about;
  • The routers will then pass on the info they’ve learned to their other neighbors;
  • And finally, you can redistribute prefixes from other routing protocols, as well as interfaces and static routes.
[Photo caption: Barry Dijkstra, who invented maths.]

IS-IS is similar to OSPF in a lot of ways. For example, both protocols use Dijkstra’s Shortest Path First algorithm to find the best route. Both protocols have areas; they both have the ability to summarise at area borders; and they both use Hello messages to form adjacencies. They also have the concept of a designated router on broadcast networks.

But be warned: there are also differences. For example, the “designated router” is called something else (the DIS), there is no backup one, and it works slightly differently. Areas also work in a different way, and the concept of “levels” is introduced. Basically the two protocols are similar enough for you to think that you already understand ISIS before you’ve even begun, and different enough for you to get confused and angry whenever you discover that you don’t.

(FUN FACT: “Intermediate System” is the olden days name for a router. So IS-IS basically means “Router to Router”.)

(FAKE FUN FACT: The internet is illegal in Luxembourg, the only country in the world to be completely offline.)

 

IF IS-IS AND OSPF ARE SO SIMILAR, WHY WAS IS-IS EVEN MADE?

Good question!

Like a lot of protocols, IS-IS was invented so long ago that not a single person from back then is still alive today. I could tell you the number of years, but your tiny brain wouldn’t even be able to comprehend just how long ago it was. Okay, fine, I’ll tell you: 30 years. I know! It’s literally impossible to imagine so far back into the past. Even your great-grandmother is younger than that. This is back in the days of 1987, when there were only 10 videos on YouTube, tweets were only allowed to be 25 characters long, and the idea of the poop emoji was the stuff of sheer science fiction.

Anyway. Back in the 80s, when networking was in its infancy, there were lots of different and competing network-layer protocols, each with its own addressing scheme. With that in mind, there’s one important difference between OSPF and IS-IS: OSPF was made specifically with IP in mind, whereas IS-IS was made for the OSI protocol suite, which uses ISO (CLNS) addressing. As a result, even if you’re running IS-IS purely to advertise IP prefixes in your network, the routers still identify each other by ISO addresses, and their PDUs are carried directly in Layer 2 frames rather than in IP packets!!

As such, we’ll need to configure an ISO address on each router in our network. Luckily we only need the one, and it’s not too hard when you know how. You know: like riding a bike, or brain surgery.

In a moment we’ll talk about what an ISO address looks like, but first let’s answer this question:

 

OSPF vs IS-IS: WHICH PROTOCOL IS BETTER?

Below are some of the common reasons that people give for preferring one over the other. BUT, take each of these with a pinch of salt – a lot of these points only mattered back when routers were slow and weak. Nowadays most of these points don’t matter so much. The real answer is that they’re both good, they both have advantages and disadvantages, and it’s really up to your personal preference.

— OSPF’s design makes it difficult to bring in new features. For example, when IPv6 came around, OSPF had to be re-designed into a new protocol, OSPFv3. By contrast, IS-IS is really extendible: when it became clear that IP was the winner in the battle of the addressing schemes, it was easy to make IS-IS carry IP prefixes (RFC 1195), because IS-IS uses a TLV system. Don’t know what a TLV is? No worries, we’ll get to that in a bit.

— Following on from that point: it’s arguably easier to add IPv6 in IS-IS. With OSPF you run two protocols side by side, OSPFv2 for IPv4 and OSPFv3 for IPv6, each with its own adjacencies and its own database to keep an eye on. With IS-IS you keep the same adjacencies and the same LSPs, and just start advertising the IPv6 TLVs (RFC 5308). One caveat worth knowing: by default IS-IS assumes IPv4 and IPv6 share exactly the same topology, so if some links carry only one of the two you need multi-topology IS-IS (in Junos, topologies ipv6-unicast under protocols isis) to stop SPF sending IPv6 traffic down an IPv4-only link.

— OSPF and IS-IS store the network topology and prefix information in different ways, and each method has advantages and disadvantages. For example, in OSPF a small change can be advertised with a single small LSA, whereas in IS-IS the router has to re-flood the whole LSP (or at least the whole fragment of it) that contains the changed information. On the other hand, the many small packets in OSPF can have a big impact on a router’s control plane.

— OSPF supports virtual links, but IS-IS doesn’t.

— Having said that, the way the backbone is implemented in IS-IS makes it more flexible, with fewer restrictions, which is useful in large ISP networks.

— Forget the four types of stub area: if you want a Level 1 area to behave like a Totally Stubby area, it already does, out of the box. Level 1 routers learn only the prefixes in their own area plus a default route out towards the backbone. We’ll talk about levels soon.

— IS-IS is less strict on the requirements for forming neighbors, which arguably makes it easier to manage.

— Not as many people know IS-IS, so running it may introduce a training cost, or limit the number of engineers who could do the job.

— OSPF runs over IP (protocol number 89), whereas IS-IS builds its own PDUs and sends them directly in Layer 2 frames with no IP header at all. Those frames can’t be routed, so nobody on the far side of the internet can fire IS-IS packets at your routers: to spoof a hello or inject an LSP, an attacker has to be on the same Layer 2 segment as one of your IS-IS interfaces. That’s a genuine advantage, but it only raises the bar; it does nothing against a compromised host or switch that is already on the link. So you still want IS-IS authentication (in Junos, an authentication-key and authentication-type md5 under protocols isis level 1 or level 2, with hello-authentication-key and hello-authentication-type available per interface if you want hellos authenticated separately), and you should only enable family iso and IS-IS on interfaces that face your own routers. If you need an interface’s prefix advertised without ever forming an adjacency on it, mark that interface passive under protocols isis instead.

Once you’re familiar with the basics of IS-IS, I highly recommend reading this great blog post, which shows that most of the advantages of IS-IS can actually be replicated in OSPF, and that nowadays it doesn’t really matter which one you use. This post is also great on the pros and cons of each.

 

WHAT THE HECK IS AN ISO ADDRESS, AND HOW DO I READ ONE?

The full answer to this is complicated, and introduces about a dozen new acronyms. I mean, look at this bullshit. Look at it. What were they thinking? This example comes from the (excellent) CCIE books, but if this is what it takes to be a CCIE then I think I’ll leave it.

But! But but but! There’s happy news: public ISO addressing is dead, and although you’ll probably need to know some of these acronyms for the exam, in the real world we hardly need to know any of them. Phew!

First of all, ISO doesn’t call an address an address – it calls it a NET, which is short for Network Entity Title (strictly speaking, a NET is an NSAP address whose last byte is 00, and we’ll see what that means in a moment). Here are some example NETs:

49.0000.0000.0001.00

49.1234.1921.6810.0254.00

47.0005.8083.0000.1921.6800.5001.00

Take the second example, 49.1234.1921.6810.0254.00, and read it from the right.

The last byte, 00, is the NSAP Selector, or NSEL (NSAP stands for Network Service Access Point). It picks out a service within the device, and on a router it is always 00, meaning the network layer entity itself. An NSAP address with a selector of 00 is exactly what the standards call a NET.

The six bytes before that, 1921.6810.0254, are the System ID. This is the bit that uniquely identifies the router, so it has to be unique across your whole IS-IS network. Think of the Area ID as being like the “network” part of an IP address, and the System ID as being like the “host” part of an IP address.

Notice that in this example the System ID is really just an IP address (192.168.100.254) with each octet zero-padded to three digits and the dots moved: 192.168.100.254 becomes 192168100254, grouped as 1921.6810.0254. You only need one ISO address on your router, so it’s common to derive the System ID from your primary loopback IP address like this. The padding convention isn’t mandatory, mind: the System ID is just six bytes, so something like 0192.0168.0001 (which you’ll see in the config later on) is equally valid, just harder to read back as an IP address.

Everything to the left of the System ID is the Area ID. The first byte, 49 here, is the AFI, or Authority and Format Identifier. Back in the day, this number told you which authority dished out the address. But of course, no-one’s giving out addresses any more, so everyone just uses 49, the value reserved for private (locally administered) addressing. The third example, with AFI 47, is one of the publicly administered formats that you’ll probably only ever meet in an exam. The rest of the Area ID is the actual area itself, so the three examples above are in areas 49, 49.1234 and 47.0005.8083.0000. Notice that the Area ID is a variable-length field (1 to 13 bytes, AFI included). Even though you can technically just use 49, it’s good to at least put in a small area number, like in the 2nd example (49.1234), so that your network can grow into more than one area.

Here’s a PROTIP: always read NETs from the right, and remember that the System ID is always the six bytes next to the NSAP Selector. If you remember that then you’re golden.

See! That wasn’t too hard, when you get rid of most of the jargon and needless acronyms. Are you listening, the industry? Do you see how easy things can be when you don’t make them needlessly and artificially complicated? Insert ten thousand angry emojis here (which we can do, because this isn’t the 1980s).
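
To make the read-it-from-the-right rule concrete, here is an added Python example. It is my own code, not part of the original post and not anything Junos ships: it splits a NET into its fields, builds one from an area and a loopback address using the zero-padded-octet convention described above, and emits the matching lo0 statement. The NETs and addresses fed to it are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    afi: str         # first byte of the area ID, "49" for private addressing
    area: str        # whole area ID including the AFI, e.g. "49.1234"
    system_id: str   # six bytes, e.g. "1921.6810.0254"
    nsel: str        # NSAP selector, "00" on a router


def _dotted(raw: bytes) -> str:
    """Render bytes in IS-IS style, two bytes per group: 192168100254 -> 1921.6810.0254."""
    return ".".join(raw[i:i + 2].hex() for i in range(0, len(raw), 2))


def parse_net(text: str) -> Net:
    """Read a NET from the right: 1 byte NSEL, 6 bytes System ID, and the rest is the Area ID."""
    hexstr = text.replace(".", "").lower()
    if len(hexstr) % 2 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"{text!r} is not a dotted hex string")
    raw = bytes.fromhex(hexstr)
    # 1-13 bytes of area (AFI included) + 6 bytes of System ID + 1 byte of NSEL
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{text!r}: a NET is 8 to 20 bytes long, got {len(raw)}")
    area_raw, sysid_raw, nsel_raw = raw[:-7], raw[-7:-1], raw[-1:]
    afi = area_raw[:1].hex()
    area = ".".join([afi] + ([_dotted(area_raw[1:])] if len(area_raw) > 1 else []))
    return Net(afi=afi, area=area, system_id=_dotted(sysid_raw), nsel=nsel_raw.hex())


def net_from_loopback(area: str, loopback: str) -> str:
    """Build the conventional NET: area + loopback octets zero-padded to 3 digits + 00."""
    octets = ipaddress.IPv4Address(loopback).packed
    digits = "".join(f"{o:03d}" for o in octets)              # 192.168.100.254 -> 192168100254
    system_id = ".".join(digits[i:i + 4] for i in range(0, 12, 4))  # -> 1921.6810.0254
    return f"{area}.{system_id}.00"


def loopback_from_system_id(system_id: str) -> str:
    """Undo net_from_loopback; only meaningful if the System ID was built that way."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("System ID is not twelve decimal digits")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError("System ID was not derived from an IPv4 address")
    return ".".join(str(o) for o in octets)


def junos_lo0_iso_statement(net: str) -> str:
    """The Junos set command for a NET; refuses anything whose NSEL is not 00."""
    parsed = parse_net(net)
    if parsed.nsel != "00":
        raise ValueError(f"NSEL must be 00 on a router, got {parsed.nsel}")
    return f"set interfaces lo0 unit 0 family iso address {net}"


def same_area(net_a: str, net_b: str) -> bool:
    """Level 1 adjacencies need a common Area ID; handy when a hello is being rejected."""
    return parse_net(net_a).area == parse_net(net_b).area


if __name__ == "__main__":
    for sample in ("49.0000.0000.0001.00", "49.1234.1921.6810.0254.00",
                   "47.0005.8083.0000.1921.6800.5001.00"):
        print(sample, "->", parse_net(sample))
    print(junos_lo0_iso_statement(net_from_loopback("49.0001", "192.168.100.254")))
```

Feeding the config’s own 0192.0168.0001 into loopback_from_system_id raises, which is the point: it is a perfectly good six-byte System ID, it just wasn’t built with the padded-octet convention.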

 

WHAT IS A TLV?

TLV stands for Type Length Value, and it’s a method that many protocols use to advertise information. One packet (or PDU, as IS-IS calls them) carries a fixed header followed by any number of TLVs, each of which is a self-describing chunk of data: one byte saying what Type of information it is, one byte giving the Length of what follows, and then up to 255 bytes of the actual data itself (the Value). Because every TLV announces its own length, a receiver can step over the ones it doesn’t understand and carry on parsing the rest.

For example, here’s a packet capture of an IS-IS Hello (taken by the mighty Jeremy Stretch at PacketLife).

At the top you’ll see the fields that are always present in the Hello, for example the System ID, the Holding Timer, the Circuit Type, and so on. Don’t worry if some of these aren’t immediately clear to you: we’ll explain them in part 2.

The second section is also a series of fields: for example, the Restart Signal, the Point-to-Point Adjacency State, and so on. The difference is that these are all TLVs.

I’ve expanded a couple of these to show you what a TLV structure looks like. Notice that the “Type” field is just a number. For example, Type 1 means the Area Addresses TLV. The great thing about TLVs is that if a router receives a Type with a number that it doesn’t recognise, it just ignores it. In other protocols, receiving information you didn’t recognise would be enough to make the router explode with anger! In OSPFv2, an LSA of a type the router doesn’t recognise is simply dropped, which is why new information had to wait for the opaque LSA type to be bolted on later. IS-IS also ignores TLVs it doesn’t recognise – but it still floods them on to its neighbours, so a new feature only has to be understood by the routers that actually use it. “Nice”!

Notice that at the end of the packet there’s loads of Padding TLVs. IS-IS has an interesting way of making sure that the MTU matches at both ends: rather than advertise the MTU explicitly, it fills the hello up with Padding TLVs until it is as big as the interface MTU! It’s incredibly passive aggressive, and I love it. It’s the protocol equivalent of writing your name on all your food in the staff room.

Anyway: IS-IS requires an MTU of at least 1492 bytes, and this padding is IS-IS’s way of making sure the MTU is good enough. A hello padded to the sender’s MTU can’t be received by a neighbour whose interface MTU is smaller, so the frame is dropped and the adjacency never forms. Junos pads hellos by default (the hello-padding option defaults to adaptive, which stops padding once the adjacency is up), so an MTU mismatch shows up straight away as an adjacency that refuses to come up on the link.
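
Here is an added Python example of what that TLV walk looks like in practice. It is my own code, not from the original post or from any packet capture: it decodes a constructed run of hello TLVs (area 49.0001, IPv4 and IPv6 supported, interface address 10.0.0.1, plus one TLV of a type the decoder does not handle), then pads the hello to 1492 bytes with Padding TLVs the way the text describes and checks whether a neighbour with a given MTU could receive it. The type numbers are the real ones from ISO 10589 and RFC 1195; the padding here covers only the TLV portion, whereas a real hello’s fixed header counts towards the total too.

```python
import ipaddress

# TLV type numbers from ISO 10589 / RFC 1195 (the subset this example decodes)
AREA_ADDRESSES, PADDING, PROTOCOLS_SUPPORTED, IP_INTERFACE_ADDRESS = 1, 8, 129, 132
NLPID = {0xCC: "IPv4", 0x8E: "IPv6"}       # values carried in the Protocols Supported TLV
MIN_ISIS_MTU = 1492


def parse_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a run of TLVs: 1 byte Type, 1 byte Length, then Length bytes of Value."""
    tlvs, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, length = data[offset], data[offset + 1]
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, only {len(value)} present")
        tlvs.append((tlv_type, value))
        offset += 2 + length
    return tlvs


def decode_hello_tlvs(data: bytes) -> dict:
    """Pull the fields we care about out of a hello; unknown types are recorded, not fatal."""
    info = {"areas": [], "protocols": [], "ipv4": [], "padding_bytes": 0,
            "padding_tlvs": 0, "unknown_types": []}
    for tlv_type, value in parse_tlvs(data):
        if tlv_type == AREA_ADDRESSES:
            i = 0
            while i < len(value):                 # each entry: 1 byte length, then the area bytes
                n, i = value[i], i + 1
                area = value[i:i + n]
                info["areas"].append(".".join([area[:1].hex()] +
                                              [area[j:j + 2].hex() for j in range(1, n, 2)]))
                i += n
        elif tlv_type == PROTOCOLS_SUPPORTED:
            info["protocols"] += [NLPID.get(b, f"nlpid-{b:#x}") for b in value]
        elif tlv_type == IP_INTERFACE_ADDRESS:
            info["ipv4"] += [str(ipaddress.IPv4Address(value[j:j + 4]))
                             for j in range(0, len(value), 4)]
        elif tlv_type == PADDING:
            info["padding_bytes"] += len(value)
            info["padding_tlvs"] += 1
        else:                                     # a type we don't decode: skip it, keep going
            info["unknown_types"].append(tlv_type)
    return info


def pad_hello(tlvs: bytes, target_len: int) -> bytes:
    """Append Padding TLVs (type 8, up to 255 zero bytes each) until the hello fills target_len."""
    out = bytearray(tlvs)
    while len(out) < target_len:
        room = target_len - len(out)
        if room == 1:
            raise ValueError("cannot pad by exactly one byte: a TLV header needs two")
        chunk = min(255, room - 2)
        out += bytes([PADDING, chunk]) + bytes(chunk)
    return bytes(out)


def adjacency_possible(hello_len: int, receiver_mtu: int) -> bool:
    """A hello padded to the sender's MTU is dropped by a neighbour whose MTU is smaller."""
    return hello_len <= receiver_mtu


def build_sample_hello_tlvs() -> bytes:
    """Constructed sample, not a real capture: area 49.0001, IPv4+IPv6, address 10.0.0.1,
    and one TLV of type 200 that decode_hello_tlvs does not understand."""
    area = bytes.fromhex("490001")
    return (bytes([AREA_ADDRESSES, 1 + len(area), len(area)]) + area
            + bytes([PROTOCOLS_SUPPORTED, 2, 0xCC, 0x8E])
            + bytes([IP_INTERFACE_ADDRESS, 4]) + ipaddress.IPv4Address("10.0.0.1").packed
            + bytes([200, 3]) + b"\x01\x02\x03")


if __name__ == "__main__":
    body = build_sample_hello_tlvs()
    print(decode_hello_tlvs(body))
    padded = pad_hello(body, MIN_ISIS_MTU)
    print(len(padded), decode_hello_tlvs(padded)["padding_tlvs"], "padding TLVs")
    print("neighbour with MTU 1400 would form adjacency:", adjacency_possible(len(padded), 1400))
```

The unknown type 200 is decoded as nothing and the parser simply carries on, which is the behaviour the text is praising; a truncated TLV, on the other hand, is a real error and is reported rather than guessed around.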

 

WHAT IS A LEVEL?

Like OSPF, IS-IS has the concept of areas – but let’s put them to the side for one moment, and instead talk about levels.

There’s two levels in an IS-IS network, known as L1 and L2. The Level 2 (L2) routers make up the backbone. Then, if you like, one or more Level 1 (L1) routers can attach to this backbone.

It’s a bit like how OSPF has Area 0 as the backbone, with other areas attaching to it – except that as you can see in this diagram, you can actually have multiple areas, even in the backbone! What matters is that you have a contiguous connection of Level 2 routers.

The key thing to understand in this diagram is that although there’s four areas, any L2 router will have a topology view of the entire L2 backbone. That’s very different to OSPF, right? You can probably imagine why ISPs like this flexibility of having a contiguous backbone, but still having the freedom to use geographical areas.

By default, Level 1 routers don’t learn any prefixes from outside their own area. Instead, any L1/L2 router that can reach another area over Level 2 sets the Attached (ATT) bit in the Level 1 LSP it originates, and each L1 router installs a default route towards the nearest router whose LSP carries that bit. In that respect, Level 1 areas are a lot like Totally Stubby Areas. Of course, you can override this by leaking specific Level 2 routes into a Level 1 area with a routing policy (route leaking). But by default, L1 routers know the full topology of their own Level 1 area plus a default route, and nothing else.

L2 routers know the full topology of the L2 network. And because L2 routers are the backbone, they also know the prefixes that can be found in the L1 networks, and how to get to them. Again, this is similar to OSPF, where the backbone knows the full Area 0 topology, and then all the prefixes in other areas.

Let’s carry on the comparison to OSPF. In OSPF an area border router has the full link-state database of area 0, and also of any other areas it connects to. This is the same in IS-IS: the routers that connect Level 1 and Level 2 have the full topology of both levels. These routers are called L1/L2 routers.

In OSPF, one interface will be in area 0, and another interface will be in area 1 (for example). Similarly, in IS-IS one interface may be in Level 1, and one interface in Level 2. However, it’s also possible for an interface to be both a L1 and an L2 interface. In fact, this is the default! If you just configure ISIS on an interface with a default configuration, it will attempt to make both a Level 1 and Level 2 adjacency.

Notice in the diagram above how the entire router is completely in one area. This is different to OSPF, where the individual interfaces are in different areas. In that respect, there’s technically no such thing as an area border router, because the area border happens on the link, not on the router.

Level 1 routers can only form adjacencies with other Level 1 routers in the same area. Level 2 routers can only form adjacencies with other Level 2 routers, but the area doesn’t matter. And Level 1/2 routers can connect to anything, whether L1 (same area), L2, or L1/2 – after all, L1/2 is in both levels at the same time. L1/2 routers are very good at making friends, and if you ask me they have a very good soul. Perhaps we could all learn a thing or two from these kind-hearted routers…..

In summary:

Level 2: Backbone
Level 2: Adjacencies can be in different areas
Level 1: Has to be in the same area
Level 1: Routers just have a default route towards the backbone
Level 69: Fictional level, deemed to be “too sexy” for the real world.

 

AT LAST! HOW TO CONFIGURE A JUNOS ROUTER FOR IS-IS!

There’s three steps to a basic IS-IS config:

1) Turn on family iso on the logical unit of every interface that is going to form an adjacency
2) Turn on family iso on the loopback unit too, and add your ISO address (the NET) there
3) Turn on IS-IS in the edit protocols hierarchy by simply adding in your interfaces, the loopback unit included, so its prefix gets advertised. Optionally, disable level 1 or level 2 per interface as required.

[edit]
set interfaces ge-0/0/0 unit 0 description LINK-TO-R2
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/0 unit 0 family iso

set interfaces ge-0/0/1 unit 0 description LINK-TO-R3
set interfaces ge-0/0/1 unit 0 family inet address 10.0.5.1/30
set interfaces ge-0/0/1 unit 0 family iso

set interfaces lo0 unit 0 family inet address 192.168.0.1/32
set interfaces lo0 unit 0 family iso address 49.0001.0192.0168.0001.00

set protocols isis interface ge-0/0/0.0
set protocols isis interface ge-0/0/1.0
set protocols isis interface ge-0/0/1.0 level 1 disable
set protocols isis interface lo0.0


user@R1# show interfaces
ge-0/0/0 {
     unit 0 {
          description LINK-TO-R2;
          family inet {
               address 10.0.0.1/30;
          }
          family iso;
     }
}
ge-0/0/1 {
     unit 0 {
          description LINK-TO-R3;
          family inet {
               address 10.0.5.1/30;
          }
          family iso;
     }
}
lo0 {
     unit 0 {
          family inet {
               address 192.168.0.1/32;
          }
          family iso {
               address 49.0001.0192.0168.0001.00;
          }
     }
}

user@R1# show protocols
isis {
     interface ge-0/0/0.0;
     interface ge-0/0/1.0 {
          level 1 disable;
     }
     interface lo0.0;
}

 

A WEIRD QUIRK OF COMBINING AREAS AND LEVELS

Now you’ve seen what a config looks like, let’s expand on one final thing about areas and levels.

It’s possible for a router to be in more than one area at a time (Junos lets you configure up to three ISO addresses on lo0, which must share the same System ID and differ only in their Area ID), but it’s rare in the real world. When you do put a router into two areas, it actually merges the areas in its topology table – almost as if the areas don’t really matter!

In other words, the Link-State Database works per-LEVEL, not per-AREA. This is proven in Joseph M. Soricelli’s mighty JNCIS study guide, where this very unusual network was set up, just to prove the point. These three screengrabs are taken from the guide, which you should buy and read from cover to cover.

This is especially interesting for Level 1 networks, because it means that a Level 1 router can get to a different area without going to the backbone – because it doesn’t care about the area, only the level.

Check it out: First we put a Level 1 router in to two areas at the same time. Then, we link the two areas directly between two L1 routers. In OSPF this would be impossible! And even in IS-IS it’s definitely not advised. But the point is, you can if you want.

The config is easy: as you can see, you just add a second address to the loopback, in the new area.

And when you do, look at the result: The L1 router knows about all prefixes in both areas, and doesn’t have to go via the L2 router to go to them. We’ll look at the show isis database command in part 3 of these notes, but for now just note that each L1 router has its own entry in the database, regardless of the area.

In summary, areas are certainly important, but the main thing to remember is the levels. To quote Joseph: “An IS-IS area only affects the formation of adjacencies between two routers, while a level controls the flooding scope of LSPs.”
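
To see Joseph’s rule in action, here is an added Python model. It is my own code, not from the original post or from the JNCIS guide, and the four-router network it uses is a constructed one in the spirit of the quirk described above rather than the guide’s actual topology: two areas (49.0001 and 49.0002) joined by an L2 backbone, where R1 is an L1-only router. With quirk=True, R1 gets a second area address and a direct link to R4, the L1 router in the other area. The model applies the adjacency rules from the summary list (L1 needs a shared area, L2 doesn’t), floods each router’s LSP per level, and works out which L1/L2 routers would set the ATT bit that an L1 router follows for its default route.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    levels: frozenset      # {1}, {2} or {1, 2}
    areas: frozenset       # Area IDs configured on lo0; Junos allows up to three


def adjacency_levels(a: Router, b: Router) -> frozenset:
    """Levels an adjacency between a and b can come up on: L1 needs a shared area, L2 doesn't."""
    common = a.levels & b.levels
    levels = set()
    if 1 in common and a.areas & b.areas:
        levels.add(1)
    if 2 in common:
        levels.add(2)
    return frozenset(levels)


def flood(routers: list[Router], links: list[tuple[str, str]]) -> dict:
    """Per-level LSDB: a router's LSP reaches everything joined to it by adjacencies of that level,
    regardless of area. Returns {router: {1: {originators}, 2: {originators}}}."""
    by_name = {r.name: r for r in routers}
    lsdb = {r.name: {1: set(), 2: set()} for r in routers}
    for level in (1, 2):
        neighbours = {r.name: set() for r in routers}
        for x, y in links:
            if level in adjacency_levels(by_name[x], by_name[y]):
                neighbours[x].add(y)
                neighbours[y].add(x)
        for origin in by_name:
            if level not in by_name[origin].levels:
                continue                           # an L1-only router originates no L2 LSP
            seen, queue = {origin}, deque([origin])
            while queue:                           # breadth-first flood over this level's adjacencies
                for nxt in neighbours[queue.popleft()]:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
            for name in seen:
                lsdb[name][level].add(origin)
    return lsdb


def attached_routers(lsdb: dict, routers: list[Router], name: str) -> set:
    """L1/L2 routers in `name`'s L1 database that reach another area over L2. They set the ATT bit,
    and an L1 router installs its default route towards the nearest of them."""
    by_name = {r.name: r for r in routers}
    attached = set()
    for cand in lsdb[name][1]:
        r = by_name[cand]
        if 2 in r.levels and any(by_name[o].areas - r.areas for o in lsdb[cand][2]):
            attached.add(cand)
    return attached


def topology(quirk: bool) -> tuple[list[Router], list[tuple[str, str]]]:
    """Constructed sample network (not the JNCIS guide's): two areas joined by an L2 backbone."""
    r1_areas = {"49.0001", "49.0002"} if quirk else {"49.0001"}
    routers = [
        Router("R1", frozenset({1}), frozenset(r1_areas)),      # L1 only, area 0001 (+0002 with quirk)
        Router("R2", frozenset({1, 2}), frozenset({"49.0001"})),  # L1/L2, area 0001
        Router("R3", frozenset({1, 2}), frozenset({"49.0002"})),  # L1/L2, area 0002
        Router("R4", frozenset({1}), frozenset({"49.0002"})),     # L1 only, area 0002
    ]
    links = [("R1", "R2"), ("R2", "R3"), ("R3", "R4")] + ([("R1", "R4")] if quirk else [])
    return routers, links


if __name__ == "__main__":
    for quirk in (False, True):
        routers, links = topology(quirk)
        lsdb = flood(routers, links)
        print(f"quirk={quirk}: R1 L1 LSDB={sorted(lsdb['R1'][1])} "
              f"R2 L2 LSDB={sorted(lsdb['R2'][2])} "
              f"R1 default-route candidates={sorted(attached_routers(lsdb, routers, 'R1'))}")
```

Without the quirk, R1 and R4 never form an adjacency (no common area) and R1’s Level 1 database holds only its own area. With the second area address on R1, the R1-R4 link comes up at Level 1 and R1’s Level 1 database grows to include R3 and R4, so it reaches area 49.0002 without going anywhere near Level 2; the L2 backbone database is unchanged either way.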

 

BUT WAIT: WHAT IS AN LSP?

Good question – and one we’ll answer in part 2! Click here to carry on reading this introduction guide to IS-IS, and to find out about LSPs, metrics, and much much more.

Thank you so much for reading! If you’ve enjoyed it, please do share it on your social media of choice – Twitter, LinkedIn, FacePlace, GeoCities, Friends Reunited etc. I rarely use Twitter myself, but why not follow me anyway?

And why not leave a comment saying hi? It’s a sure-fire way to make me feel good, both in my heart and my trousers.
