JUNOS: IS-IS STUDY NOTES, PART 1 – FOR JUNIPER’S JNCIS-SP and JNCIS-ENT EXAMS

I’m happy to say that I recently passed my JNCIS-SP (Juniper Specialist Service Provider) certification. “Congratulations, Chris”. Aww, thank you very much!

It was a unique experience: as I clicked submit on the final question, the exam centre staff burst in with cake and balloons to celebrate my victory. They’d printed a 10 x 3 banner saying “WELL DONE CHRIS, YOU HERO!” next to a big photo of my face, which required no photoshopping due to my traditionally handsome Hollywood looks. It was very kind of them – though considering that I was still in the exam room at the time, it was also clearly a direct breach of their own strict exam-condition rules. As such, everyone else in the room had their tests immediately null and void.

Anyway. I love sharing knowledge with you all, so these next few post are all about, an important protocol for the exam, ISIS. Which I prefer to write as IS-IS, and pronounce as “Ai Ess Ai Ess”. You know: on account of ISIS. Gosh darn it, they ruin everything!! Anyway, let’s not let global terrorism stop us from learning about a sweet way to advertise prefixes within your network.

 

SOME THINGS TO NOTE BEFORE WE START STUDYING

These posts assume you know the basics of OSPF. You don’t need to be an expert, but you do need to know what an OSPF area is, and how OSPF uses LSAs to advertise information. If you’ve got a JNCIS/CCNA level knowledge of OSPF, you’re good to go.

  • In this first post we’ll talk generally about how IS-IS works. We’ll compare it to OSPF; we’ll talk about Level 1 and Level 2; we’ll explain the addressing system; and we’ll look at a basic config. It’s the start of your new love affair with a cool protocol!
  • In Part 2 we’ll introduce the different packet types, and take a deep look into what an LSP is – the building blocks of the topology. We’ll also look at the metric, the IS-IS equivalent of the designated router election, and mesh groups.
  • In Part 3 I’m going to explain the idea of IS-IS areas. This doesn’t mean the same thing as an OSPF area, and it’s a little bit tricky to understand at first, but don’t worry: I’m very good at explaining things. You’re welcome!
  • And finally, in Part 4 I’ll be showing you how to verify that IS-IS is up, how to troubleshoot it, and how to read the IS-IS database. And as a bonus, if you’re well behaved, I’ll even tell you the secret to eternal youth and happiness. Wow!

In total, these four posts will take you about 45 minutes to read. In the grand scheme of things, that’s not very much of your time to give up in exchange for becoming a master of a brand new protocol, right? So let’s do it!

 

HOW DOES IS-IS WORK?

IS-IS stands for Intermediate System to Intermediate System. It’s a routing protocol you’ll use for advertising your own IP addresses throughout your own network – in other words, it’s an Interior Gateway Protocol, or IGP.

The protocol was invented by the folks in the ISO (the International Organization for Standardization). “Intermediate System” is their name for a router. In other words, the protocol is “Router to Router”. Or “Friend to Friend”, as I like to call it.

The basics are easy to understand without even learning a single bit of theory:

  • You configure IS-IS on the relevant interfaces
  • The router sends out Hello messages, and forms adjacencies with any routers running IS-IS on the other end of the link
  • The routers tell each other what links and prefixes they know about
  • The routers pass that knowledge on to their own neighbors
  • The end result is that every router in the network knows everything about every other router in the network
  • This information helps each router to build a complete topology of the network
  • Both OSPF and IS-IS use Dijkstra’s Shortest Path First algorithm to find the best route, using this topology information
  • And finally, you can redistribute prefixes from other routing protocols, as well as non-IS-IS interfaces and static routes.
Barry Dijkstra, who invented maths.

Everything you read there is exactly the same as what you’ve learned about OSPF. However, IS-IS often uses different terminology for similar concepts. It also does some things in slightly different ways – and almost always, that different way is, in my opinion, better than the OSPF equivalent.

When it comes to the blocks of data containing all the topology information, OSPF calls them LSAs, or Link-State Advertisements. By contrast, IS-IS uses the term LSP, or Link-State PDU. You may remember PDU from your spanning tree (urgh) studies – it stands for Protocol Data Unit, which basically means a packet. (Older network engineers will twitch at me saying that, but it’s close enough.)

Both OSPF LSAs and IS-IS LSPs contain information like the Router ID, the links connected to the router, the IPs on the router, the costs involved, stuff like that. Each router generates an LSP for itself. The LSP is then flooded throughout the network, so that each router has every LSP of every router in the network. This LSP contains the building blocks needed for every router to put all the LSPs together to create the full topology of the network, like a nerdy jigsaw puzzle.

Hey, here’s a cool thing: IS-IS LSPs even contain the hostname of the router. That means that when you’re looking at adjacencies, or looking inside the IS-IS database, you can actually see the name of the adjacent device! I cannot tell you just how helpful this is. It makes troubleshooting like ten times easier than OSPF. I’ll show you what that looks like later in this series, and I can’t wait for you to see it.

You may remember in OSPF that there are a lot of different kinds of LSA. You also had to spend precious hours of your short life memorising stub areas, not so stubby areas, totally stubby areas, along with which LSAs are allowed in which areas, and why. It’s pretty confusing and tedious, and many people find it difficult.

Well, if you had trouble with OSPF, you’ll find IS-IS a breeze.

There’s just one kind of LSP, which itself can contain any information you like. There’s also basically just four kinds of message: hello messages, LSPs, and then two kinds of message that routers use to check that they’ve each got all the latest LSP info. I’m oversimplifying a little bit there, but not by much. Honestly, you’re going to look at IS-IS messages and then wonder why on earth OSPF had to be so complicated. In Part 2 I’ll show you these messages, and we’ll take a deep look at an LSP too.

Two final things. First, both OSPF and IS-IS elect a Designated Router for broadcast networks. The election works a bit differently in IS-IS because there’s no backup DR. In fact, you don’t need one, because IS-IS simplifies all that business too. IS-IS calls it a DIS, or Designated Intermediate System. We’ll check that out in Part 2.

Second, IS-IS was created by the International Organization for Standardization specifically to advertise ISO addresses. IS-IS was then extended for IPv4 and IPv6, but a weird quirk of it is that the routers still “talk” ISO to each other. This isn’t a big deal: you just need to turn on the ISO address family on each interface, and then additionally you assign a special ISO address to your router’s loopback. You don’t need an ISO address on the physical interfaces; just your loopback interface. I’ll show you how to do this in a moment.

These addresses look very different to IP addresses, but honestly they’re easy once you know how to read them. For now, just know that it’s a thing you do once, and then forget about it.

 

IF IS-IS AND OSPF ARE SO SIMILAR, WHY WAS IS-IS EVEN MADE?

Good question!

Like a lot of protocols, IS-IS was invented so long ago that not even a single person from back in those days is still alive today. I could tell you the number of years ago that it was invented, but your tiny brain wouldn’t even be able to comprehend such a large number. Okay, fine, I’ll tell you: 30 years. I know! It’s literally impossible to imagine so far back into the past. Even your great-grandmother is younger than that. This is back in the days of 1987, when there was only 10 videos on YouTube, tweets were only allowed to be 25 characters long, and the idea of the poop emoji was the stuff of sheer science fiction.

Anyway. Back in the 80s, when networking was in its infancy, there were lots of different and competing network address protocol. With that in mind, there’s one important difference between OSPF and IS-IS: OSPF was made specifically with IP in mind, and it was made by the IETF, the Internet Engineering Task Force, whereas IS-IS was made by the ISO, for ISO addressing. The two protocols have lot in common, but they were made by different organisations, for different addressing schemes.

It turns out though that IS-IS is extremely easy to extend to other address families. As such, IS-IS was tweaked to advertise IPv4, IPv6, or any other families we might invent in the future, such as IPv69 and IPv420.

So, we’ll need to configure an ISO address on each router in our network. Luckily we only need the one, and it’s not too hard when you know how. You know: like riding a bike, or brain surgery.

 

WHAT THE HECK IS AN ISO ADDRESS, AND HOW DO I READ ONE?

ISO addressing was the system developed by the ISO folks, back in the days when networking was still brand new. If history had turned out differently, we’d be using their addressing scheme nowadays instead of IP!

If we were still using ISO addresses on the public internet today then you’d need to know a lot of detail about them. Check out this diagram from the CCIE study guide. It gives an example address, and gives names for every element of it. Crikey! Luckily though, you hardly need to know any of those acronyms, because public ISO addressing is fully dead, and has been for decades.

In fact, when you get rid of those acronyms, ISO addressing for our needs is very easy indeed.

Here’s some example ISO addresses:

49.0000.0000.0001.00

49.1234.1921.6810.0254.00

47.0005.8083.0000.1B2F.6C0A.5001.00

Notice that you can use hex digits, like in the third example, and like in the CCIE study guide screenshot above.

So what are we looking at here? Let’s work backwards, because that’s the easiest way to read ISO addresses.

The last two numbers in blue are called the NSAP Selector. It stands for Network Service Access Point, and it’s always 00 when the device is a router. In the olden days the idea was that this would be a bit like a TCP port, and 00 would mean that the traffic was destined to the router itself.

In red we see the System ID. This is the bit that uniquely identifies the router itself. Notice that in all three examples it’s 12 hex digits long, with two dots in between. The System ID is always the same length, which is why it’s easiest to read ISO addresses from right to left. Think of this as the equivalent of the “host” section in an IP address.

In fact, notice that in the second example the System ID is like an IP address (192.168.100.254), but with two dots instead of three (1921.6810.0254). You only need one ISO address on your router, so it’s common to use your primary loopback IP address in the System ID, and just rejig it to fit the two-dot writing system.

In green we see the Area ID. It’s worth saying now that the term “area” in IS-IS means something VERY different in IS-IS. It’s actually a bit tricky to explain, and I don’t want to bog you down in that stuff yet, so I’m going to leave that for Part 3 so we can focus on cool fun stuff. Do me a favour: put areas to the side just for now, and just be aware that they’re a thing that exist. I promise that it will make sense when we come back to them.

For now, let’s talk about what an Area ID looks like. The first number of the Area ID is always 49 nowadays. This number is the AFI, or Authority and Format Identifier. Back in the day, this number told you which authority dished out the address. But of course, no-one’s giving out addresses any more, so everyone just uses the number 49, which is reserved for private use.

The rest of the number is the area itself, and is actually a variable length field. All three examples have areas of different length. You can technically just use 49, but some people say that it’s good practice to at least put in a small area ID, like in the 2nd example (49.1234), to make things neater if you ever want to add more areas in the future. As I say, in Part 3 we’ll explain why you might want to do this.

Lots of new students look at IS-IS addresses and get a bit scared. But as you can see, when you break it down it’s dead easy. You choose an area ID (and we’ll explain why and how you’d do that in Part 3!), you choose a unique system for setting the System ID (for example, base it on the loopback IP, or base it on the router’s MAC address) – and that’s it! You set it once, and then forget about it.

In fact, thanks to the fact that IS-IS routers advertise the hostname in their LSP, you don’t even have to worry about the ISO address ever again, because you’ll only see it in “show” commands if you look at the details. Once the adjacency is up, you only need to look at the neighbor’s hostname.

So, you know what an LSP is, and you know that you need special ISO addresses. Now let’s talk about one of the most important concepts, which is the IS-IS equivalent of an OSPF area: the Level system.

 

A REMINDER OF OSPF AREAS

Although OSPF is required knowledge for this series of posts, let’s have a quick recap.

In OSPF you have Area 0, which is your backbone. You can leave it at that, or you can optionally have a number of other areas which attach to the backbone.

If you had a topology like [Area 420]—-[Area 0]—-[Area 69], like in this diagram above, then devices in Area 420 will use Area 0 to get to Area 69. This would be true even if somehow you could run a cable from a device in Area 420 directly to a device in Area 69. This system avoids loops, because inter-area traffic has to go via the backbone.

You’ll remember that in OSPF, routers only know the topology of their area. For example, routers in Area 420 above only know the topology of Area 420. Routers in Area 0 only know the topology of Area 0. You then have an Area Border Router (ABR) which has one link in Area 420 and one link in Area 0. The ABR knows the topology of both areas. For example, vMX2 in the diagram above has interface ge-0/0/0 in Area 420, and its other two interfaces in Area 0.

If devices in Area 420 don’t know the topology of Area 0, how do Area 420 routers learn about Area 0 IPs?

When everything is left to the defaults, you may remember that the answer to this involves a Type 3 LSA, otherwise known as the Network Summary LSA. The Area Border Router generates individual Type 3 LSAs for every IP address in the other area, with the end result being that the IPs from one area can be advertised into another area, while abstracting away (or “summarising”) the topology information. The routers in Area 420 don’t care precisely where the inter-area IP addresses are. All they care about is that they can get to them via the Area Border Router.

One final thing that I want to highlight: Area 420 doesn’t even know that Area 69 exists. Again, Area 420 routers only know that there is an Area Border Router which it can use to get to “everything else in the wider network”.

Even the Area Border Router between Area 420 and Area 0 doesn’t know that Area 69 exists. All it knows is that there’s some remote Area Border Router, which is itself summarising “some stuff”.

With that in mind, there’s actually nothing stopping you from doing this:

[Area 1]—-[Area 0]—-[Area 1]

Although it may seem useful to give the two non-backbone areas different numbers, my point is that you don’t have to. The two Area 1 networks are still different areas, with different topologies. The two Area Border Routers have no idea that the other ABR is also connected to an Area that has been give Area number 1, because all that stuff is abstracted away. When an Area Border Router summarises things, it doesn’t say the area number it comes from – it just says “if you want to get to these IPs, come to me”.

 

AND NOW: IS-IS LEVELS

I highlight that because IS-IS works exactly like this, except that instead of calling it an area, IS-IS uses the term “level” to describe this hierarchy.

In IS-IS, it’s like this:

[Level 1]—-[Level 2]—-[Level 1]

You have a Level 2 backbone, and then optionally you have any number of Level 1 routing domains that connect to it. The Level 2 backbone network only knows the Level 2 topology, and each Level 1 network only knows its own topology. You then have “Level 1/Level 2” routers, or “L1/2″ for short”, which act exactly like OSPF Area Border Routers: they take addresses from Level 1, and re-advertise them into Level 2. They also know the topology of both levels.

In IS-IS an L1/L2 router doesn’t re-advertise the topology from one level to another. It just re-advertises routes from a non-backbone level up to Level 2, such that the L1/L2 router says to the rest of the Level 2 network “If you want to get to any of this list of prefixes, come to me”.

Having said that, IS-IS gives you a bit more flexibility than OSPF when it comes to the border between the backbone and a non-backbone network.

You see, in OSPF, a link can (by default) only be in one area. You might have a router which has one link in Area 1 and another link in Area 0, and this makes it an Area Border Router. Interestingly though, there are extensions to OSPF which allow a link to be in more than one area at once. There’s good reason to do that: in some situations it can lead to more precise routing. For example, perhaps a series of links could be in both Area 1 and Area 2 at the same time. so that devices in Area 1 wouldn’t have to go via Area 0 to get to something in Area 2, because that “something” will also be in Area 1. When this is done correctly it means you still avoid loops, but get more optimal routing.

In OSPF, this was an add-on. In IS-IS this is there from day one: a link a can be part of both a Level 1 topology, and the Level 2 backbone, at the same time! Service providers love this, because it means that the design of the backbone can be more flexible than in OSPF. This also means that there isn’t always a clear divide between a backbone and non-backbone network: if you were to draw it out, there may be a little bit of overlap, and that’s totally fine.

Here’s an example. Notice that vMX1 is totally in a Level 1 domain, whereas vMX2 has two links in Level 1, and one link in Level 2. Compare that to vMX3, which is totally in a Level 2 domain. Finally, notice that vMX4’s link to vMX9 is in both Level 1 and Level 2 at the same time, which is totally fine. The two levels are separate topologies, and the link exists in both.

Interestingly, most vendors actually default all links to being L1/L2 by default. You then choose which level you want to turn off. For example, if you turn off Level 2 on either end of the link, then that link will only be part of Level 1. Both links have to agree on what level they are in order for that level to come up.

To summarise, then: IS-IS Level 2 is the same as OSPF Area 0. IS-IS Level 1 is the same as an OSPF non-backbone area.

It’s worth saying that nowadays, a lot of nationwide ISPs just put their entire autonomous system in Level 2. Modern hardware can generally handle large routing table and large topologies, even the more “affordable” devices. I’ve done work for ISPs who had 500 routers all in their Level 2 network, and everything worked fine. Of course, this isn’t a hard and fast rule – but now we’re living in the future, even cheap hardware often offers impressive performance, at least compared to devices at the equivalent price point 15 years ago!

 

A REMINDER OF OSPF TOTALLY STUBBY AREAS

By default, an IS-IS L1/L2 router or an OSPF Area Border Router will take all the prefixes in the non-backbone area, and redistribute them into the backbone.

To focus in on IS-IS, an L1/L2 router will readvertise all the Level 1 prefixes in to Level 2 backbone, so that the backbone knows about all the IPs throughout the entire network. To be a bit more precise, when the L1/L2 router creates its Link-State PDU, its LSP, for its presence in the Level 2 backbone, the Level 2 LSP will basically say “If you want to get to any of this big list of IP addresses, come to me”. All other devices in the Level 2 backbone will see this, and therefore know how to get to everything.

What about advertising things from the backbone into a non-backbone area?

In OSPF, by default the backbone advertises all OSPF IPs into all non-backbone areas. However, you usually use non-backbone areas because you have some devices in a part of the network which are less powerful, or topologically less complicated, and as such you probably don’t want to do this. As such, you have some choices here to stop this from happening.

For example, you can choose to configure a non-backbone area as a stub area, which means that the area won’t accept external LSAs – the ones which advertise IPs that have been redistributed into OSPF.

If you want to summarise even more, you can use a totally stubby area, which won’t even accept summary LSAs – the one which advertise the OSPF IPs of other areas. If you use a totally stubby area, chances are that you’ll want to advertise a default route into the area so that devices can get out to the rest of the network. Some vendors turn this on by default. In Junos it just takes one extra command to get an Area Border Router to generate and advertise a default route into a totally stubby area.

Using these different kinds of OSPF area, you can restrict what gets advertises into your non-backbone area. Having said that: URGH, what a hassle it is to memorise all that! Were you as bored reading all that as I was typing it? Well, luckily, in IS-IS you don’t need to learn anything like that. There’s no special LSAs, no special area types, nothing. It’s way easier. Let me show you how.

 

IS-IS LEVEL 1 ACTS LIKE AN OSPF TOTALLY STUBBY AREA

Let’s put external IPs to the side for a moment, because there’s something interesting about them which I’ll tell you about later.

In IS-IS, a Level 1 network is very much like an OSPF Totally Stubby Area.

By default, L1/L2 “border” routers will NOT advertise any IPs from Level 2 down to other Level 1 networks. That includes both IP addresses that originally came from the L2 backbone, and IP addresses that originally came from other L1 networks. The end result is that a Level 1 network will, by default, only know about the IPs in its own network.

This inspires two question. First, how does a Level 1 network get to IS-IS addresses outside of its network? And second, how do you we make a default route?

The first question is really easy to answer. If you actually do want to leak IPs into a Level 1 network, you just make a routing policy. No need to memorise loads of different kinds of special area that perform special functions – just make a policy, and job done. This is so much easier than OSPF! First of all, you don’t have to memorise loads of different LSA types and area types. Secondly, the fact that you use a policy makes everything explicit, because you can see in the config exactly what’s happening. Even if you’re not confident in IS-IS, you can read the policy and see exactly what the expected behaviour is.

The default route question is a bit trickier to explain, so much so that lots of training material out there often gets it wrong. To understand it, I need to tell you about IS-IS areas. However, in my opinion it’s perhaps the trickiest thing for new students to get their head around. That’s why we’re going to park that topic just for now, and come back to it in Part 3, where we’ll talk about areas and IS-IS default routes in detail. I’ll also show you how to make a routing policy to redistribute stuff from Level 2 into Level 1.

For now, let’s get onto the good stuff: how to configure this mighty protocol.

 

HOW TO CONFIGURE A JUNOS ROUTER FOR IS-IS

As always in networking, the theory takes ages to explain – but configuring it is very simple.

There’s three steps to creating a very basic IS-IS config. First, you turn on the ISO address family on any interfaces that are going to form adjacencies, like so:

set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family iso

It’s as simple as that!

Next, turn on ISO on the loopback, and also add in your ISO address:

set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.0001.00

Is the address understandable to you now? You know that you can ignore the .00 at the end, and as such you can hopefully identify 1921.6800.0001 as the “host” address – the equivalent of writing 192.168.0.1 as an IP address. Finally, you can spot that this router is in area 49.0001.

Finally, you turn on IS-IS in the edit protocols hierarchy, by simply adding in your interfaces! Optionally, turn off level 1 or level 2 as required. You can turn off a level on a specific interface, or you could even turn off a level globally using the command “set protocols isis level 1 disable”, for example.

set protocols isis interface ge-0/0/0.0
set protocols isis interface ge-0/0/1.0 level 1 disable
set protocols isis interface lo0.0

That’s it! A basic IS-IS config is as simple as that. However, there’s some enhancements that you’re definitely going to want to know for your studies, and that you’ll almost certainly want to use in production. We’ll cover those in Part 2, where I’ll show you how to make adjacencies and the metrics more efficient – after I’ve shown you how metrics work in the first place!

You can verify your configuration with the command “show isis adjacency”. But put a pin in that for now – let’s learn a bit more config first in Part 2.

 

THAT’S IT FOR NOW!

Wow, you covered a LOT in this post! You now know how how IS-IS works, what Level 1/2 means, how the addresses work, what an LSP looks like, and how to configure it. That’s pretty good going!

Ready for more? Click here to read part 2, where you’ll learn how IS-IS metrics work and how Designated “Routers” work, along with other IS-IS messages, and some other extra fun bits.

Hey there: thank you so much for reading! If you’ve enjoyed this post, please do share it on your social media of choice – Twitter, LinkedIn, FacePlace, GeoCities, Friends Reunited etc. The more readers I get, the more I’m inspired to make even more posts. And if you’re on Twitter, follow me to find out when I make new posts for you, and only for you.

6 thoughts on “JUNOS: IS-IS STUDY NOTES, PART 1 – FOR JUNIPER’S JNCIS-SP and JNCIS-ENT EXAMS

  • December 30, 2018 at 10:25 pm
    Permalink

    So happy to announce that… YOU ARE AWESOME CHRIS! (and so its this blog). I took my JNCIS-SP exam last Friday, hoping that I would enter 2019 with a brand new certification and so that happened! I mostly studied theorical ISIS using your wisdom. It was fun.

    I’ll definitely become your most loyal follower, so behold a Brazilian-future JNCIP-SP guy.

    Have a insane good 2019. “fun your network”.

    JS.

    Reply
    • December 31, 2018 at 12:27 pm
      Permalink

      João, that’s wonderful news!! I’m full of happiness at this news, not only that you were able to pass it, but that my blog helped you. The news has absolutely made my day. Congratulations on your victory, and all the best of luck with the JNCIP! 🙂

      Reply
  • March 28, 2019 at 4:54 am
    Permalink

    This is probably the most helpful summary of IS-IS I’ve ever seen. Thanks for taking the time to write it. You’ve got a new Twitter follower!

    Reply
    • May 12, 2019 at 5:31 pm
      Permalink

      Hooray! Thank you, and apologies for the slow reply!

      Reply
  • June 14, 2019 at 3:57 am
    Permalink

    Dude you got talent! [mic drop]

    Reply
    • July 10, 2019 at 4:37 pm
      Permalink

      Haha thank you very much! It’s true, I can’t deny it 😉

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *