Route My World!

A CCNA/CCNP Blog

Archive for October, 2008

IPExpert Rebutts!!!

Posted by Aragoen Celtdra on 31st October 2008

It appears that IPExpert has something to say about all this hoopla with IE’s big announcement. I did get the impression that the event yesterday was pretty big, based on how popular bloggers out there are talking about it. After watching the recorded webcast last night, I was pretty excited. And one of the first things I thought about was, what will IPExpert do to top this announcement… or at least quell some of the excitement that IE created for itself and bring the wave back to IPExpert’s side.

I gotta admit, I’m loving this whole thing. Last week, I actually downloaded the Tolly Group report that was referenced in the blog post. Guess what? That got me to lean towards IPExpert a little bit. But with IE’s announcement of incorporating professional level certification training in their arsenal, I started leaning towards them because I have aspirations of going for my CCIE once I complete my CCNP studies. And it just seemed natural to continue with the same vendor with a proven track record.

With all this competition between the camps involved and the heavy names/trainers in the industry that are involved as well, I have to think that no one can go wrong with whatever vendor they go with. The heightened competition is turning out better products and quality training at good prices. This adds confusion to my decision-making when it comes time for me to select who to go with. But it’s a good confusion. Kinda like the good-cholesterol/bad-cholesterol thing. Ok, not a good analogy. :D

Posted in CCIE, CCNP, General, News, Uncategorized

InternetworkExpert Announcement

Posted by Aragoen Celtdra on 30th October 2008

I just got back from… umm.. working, and checked my blog feeds for some news about the IE announcements. I had thought about registering for the webcast but thought better to wait until someone feeds me the info instead. :D

So thanks to CCIE Pursuit and CCIE Journey for being the first few to alert me of the details of the announcements.

I’m happy to see that even though I missed the webcast, IE has the recording of the juicy details available for your viewing pleasure. I’m excited because I hear they will venture out to younglings like us who are just starting out in the world of Cisco by encompassing a CCNx training program as well. I would think it would make a good transition from the CCNP to the CCIE track in terms of training – that is, if you prefer InternetworkExpert as your training vendor of choice. I’m feeling that IE is recognizing that there are people out there who are just as serious in their pursuit to gain their CCNP certs as there are serious candidates vying for their CCIE. Hopefully this will be as good a thing for us CCNP candidates as it is for IE in terms of capturing a more interested audience for their products. In the end, more customers for them, and better, higher-quality training for us.

Posted in CCIE, CCNP, News, Resources

BSCI: IS-IS Configuration

Posted by Aragoen Celtdra on 30th October 2008

Integrated IS-IS in a CLNS Environment

  • A fundamental difference between a NET address and an IP address:
    • The NET address identifies a device (an IS or ES).
    • An IP address identifies an interface.
  • Each IS-IS router must have a NET address configured even if Integrated IS-IS is used only for IP routing.
    • Integrated IS-IS relies on the support of CLNS routing.
    • The OSI protocols (such as hello PDUs) are used to form neighbor relationships between routers, and
    • SPF calculations rely on a configured NET address to identify the routers.
  • Default routes are injected into an area by L1/L2 routers. This allows packets to be forwarded to destination areas different from the area where the packets originated.
  • When routing IP traffic using IS-IS, IP subnets are treated like leaf objects associated with IS-IS areas.
    • The router looks up the destination network in its routing table.
    • If the traffic belongs to a different area, it is forwarded to the nearest L1/L2 router.
  • Route summarization allows scalability by minimizing the size of the LSDB and routing tables, the amount of processing, and the number of network updates.

OSI Routing Table

  • IS-IS uses an OSI forwarding database (routing table) to select the best path to a destination.
  • To determine best path, IS-IS routers use SPF to calculate the SPF tree to OSI destinations (NETs) based on the information in the LSDB.
  • Routers may run the SPF algorithm twice (once for each level) and create separate SPF trees for each level.
  • Routers insert the best paths in the CLNS routing table (aka OSI forwarding database).
  • Routers calculate ES reachability with a partial route calculation (PRC), based on the L1 and L2 SPF trees.

IP Routing Table

  • IP routes require only a PRC.
  • Integrated IS-IS includes IP reachability information in the LSPs, treating it as if it were ES information.
    • In other words IP prefix information is treated as leaf connections to the SPF tree.
    • Therefore, updating IP reachability requires only a PRC, similar to ES reachability in an OSI network.
  • The PRC generates best-path choices for IP routes and offers the routes to the IP routing table.
  • When IP routes are entered into the routing table, they are shown as via L1 or L2 appropriately.

Integrated IS-IS Configuration

The following four steps outline the process to set up Integrated IS-IS:

  1. Define the Area and Addressing
    • CLNS addresses must be planned for a two-level hierarchy. This allows interarea traffic to traverse the L2 backbone area.
    • IP addressing must allow for address summarization to benefit from scalability and a hierarchical design.
  2. Enable IS-IS on the Router
    • Use the global command:
      • router isis [area-tag]
      • The optional area tag identifies multiple IS-IS processes.
      • If omitted, it assumes a tag of 0.
    • IP routing is enabled by default.
    • CLNS routing is disabled by default.
    • You can enable CLNS routing using the clns routing global configuration command.
      • You must enable CLNS routing at each interface if using it at all.
  3. Configure the NET
    • To assign the NET to the router, use the following router configuration command:
      • net network-entity-title
    • Even when using IS-IS for IP only, a NET must still be configured.
    • The NET consists of:
      • Area address – between 1 and 13 bytes in length.
      • System ID – fixed length of 6 bytes in Cisco routers.
      • NSEL of value 00.
  4. Enable IS-IS on Interfaces
    • Determine which interfaces will participate in IS-IS.
    • Once the interfaces that will use IS-IS to route IP have been determined, use the following interface configuration command to enable IS-IS on that interface:
      • ip router isis [area-tag]
      • The area-tag field identifies the IS-IS process to be enabled.
      • If there is no area-tag configured, IOS will assume a value of 0.
    • Make sure to also configure interfaces to stub IP networks, such as loopback interfaces.
    • Use the clns router isis [area-tag] interface configuration command to enable the IS-IS routing process on an interface to support CLNS routing.

Optimizing IS-IS

  • The IS-IS default configuration leaves the router with an IS type of L1/L2.
  • Each router should be configured to support the minimum level of routing required.
    • If a router only needs to operate as an internal router, there is no reason to leave it as an L1/L2 router. It makes more sense to configure it as an L1 router.

Changing IS-IS Router Level

  • If a router is to operate as an internal area router only, use the following router configuration command:

is-type level-1

  • If a router will act only as a backbone router, use the following router configuration command:

is-type level-2-only

  • If the level type has been changed from the default, you can return to the default with the following router configuration command:

is-type level-1-2

Changing the IS-IS Interface Level

  • A router that functions as an L1/L2 router does not always have to establish both types of adjacencies over all interfaces. Sometimes an L1/L2 router may be connected to another router that is configured as an L1 router only, or vice versa, another router configured as L2 only.
  • To make IS-IS more efficient, it is good practice to configure the interface to only send the needed type of hellos that the other router on the other end is expecting.
  • To configure the interface to send only a specific type of hello, use the following interface configuration command:

isis circuit-type {level-1 | level-1-2 | level-2-only}

  • Depending on what level you configure, the router will send only hellos appropriate for that level.
  • The default is level-1-2.
    • Meaning the router will attempt to establish both types of adjacencies over the interface.

Changing the IS-IS Metric

  • All IS-IS interfaces have a metric value of 10 by default.
  • Unlike most other IP protocols, IS-IS on a Cisco router does not take into account line speed or bandwidth when it sets its link metrics.
  • Leaving the metric to its default value can result in suboptimal routing in networks with links of varying speed.
  • To change the metric value, use the following interface configuration command:

isis metric metric [delay-metric [expense-metric [error-metric]]] {level-1 | level-2}

  • The metric can have different values for L1 and L2 over the same interface.
  • The metric value is anywhere from 1 to 63.
  • IS-IS defines four different types of metrics:
    • Cost (default)
    • Delay (optional) – measures transit delay.
    • Expense (optional) – measures monetary cost of link utilization.
    • Error (optional) – measures the residual error probability associated with the link.
  • The metric value for all IS-IS interfaces can be changed all at once using the following router configuration command:

metric default-value {level-1 | level-2}

  • If the keyword level-1 or level-2 is not used, the metric will be applied to both L1 and L2 interfaces.
    • This command is only available in Cisco IOS 12.3(4)T and later.
    • It only supports cost metric.

Figure 1: IS-IS Configuration Example

  • There are two routers in area 49.0001: R1 and R2.
  • R1 is strictly an L1 router.
    • It makes sense to configure it with is-type level-1 since it will only function as an L1 router.
    • Configuring the interface with isis circuit-type level-1 ensures that it only passes L1 hellos.
  • R2 has two functions, therefore it is left with the default setting of an L1/L2 router type.
    • Fa0/0 is configured with circuit type L1 because it connects only to an L1 router. It will only exchange L1 hellos.
    • Similarly, the S0/0/1 interface connects only to an L2 router, so the circuit type is configured as L2.
  • R3 in area 49.0002 is the only router in that area and only does L2 routing.
    • It should then be configured as L2-only IS type and the interface with L2 circuit type.

IP Route Summarization in IS-IS

Benefits of summarization are:

  • Reduced routing table size
  • Reduced LSP traffic and protection from flapping routes
  • Reduced memory requirements
  • Reduced CPU usage
  • A more stable network because topology changes can be isolated

To configure route summarization in IS-IS, use the following router configuration command:

summary-address address-mask [level-1 | level-2 | level-1-2] [tag tag-number] [metric metric-value]

  • This command can be used on any router in an IS-IS network.
  • The router summarizes IP routes into L1, L2, or both.
    • The default is into L2 (level-2).
  • The optional tag-number is used to tag the summary route.
  • The optional metric-value is applied to the summary route.

Posted in BSCI Exam Prep, CCNP, IS-IS, Routing Protocols

Allow me to Illustrate…

Posted by Aragoen Celtdra on 30th October 2008

On our way to work this morning, the sun had barely touched the horizon and it brought with it an awesome collage of purple, orange, yellow, and pink.

After my wife dropped me off at work, she and our two-year-old drove further west so she could drop him off at his grandma’s, and then get her first-grade classroom ready for the day. As they were driving towards their destination, the sky started to paint an even brighter and more colorful picture – complete with puffy, feathery clouds embossed in purple and gray lining, and swirling colors of orange and yellow. It is the same scene I’m looking at while standing by the huge glass window in the office. I then got a call from my wife and she described, as verbatim as she could, how my two-year-old son described what he saw:

“Wow, dats byuuutifulll!”

“The sun painted the sky.”

“The sun is the illoostrater*”

A simple observation from a two-year-old, yet the novelty of a beautiful morning skyline still amazes them. Nowadays, grownups like myself rarely look up and just let ourselves be amazed by such simple (and at the same time complex) things.

————-

*Illustrator: it’s our nightly routine to read to our son before he goes to sleep. He usually goes through about 5 or so children’s books before he is satisfied. He has learned that the author is “the one who writes the book” and the illustrator is “the one who draws the cool pictures”.

Posted in Aragoen's Musing

BSCI: IS-IS Concepts II

Posted by Aragoen Celtdra on 28th October 2008

Addresses

CLNS

  • CLNS is the service provided by CLNP
  • CLNS addresses are required even if routing only IP.
    • Because IS-IS was originally designed for CLNS, IS-IS requires CLNS node addresses even if the router is used for routing only IP.
  • CLNS addresses apply to entire nodes and not to interfaces.
  • NSAP – CLNS addresses that are used by routers are called network service access points (NSAP).
    • NSEL – a part of the NSAP address is called NSAP Selector (NSEL).
    • NET – When an NSAP is specified with an NSEL 0, the NSAP is called the network entity title (NET).
    • An NSAP address is equivalent to the IP address plus the upper-layer protocol (IP protocol number) in the IP header.
    • NSAP addresses have a maximum size of 20 bytes.

NSAP Address

Figure 1: NSAP Address Structure

  • In the figure above, the high-order bits identify the inter-area (Level 2) structure, and the low-order bits identify unique systems within an area (intra-area, Level 1).
  • The Cisco implementation of Integrated IS-IS divides the NSAP address into three fields:
    1. Area Address
    2. System ID
    3. NSEL
  • Example address: 49.0001.aaaa.bbbb.cccc.00
    • Area = 49.0001
    • System ID = aaaa.bbbb.cccc
    • NSEL = 00

IS-IS Area Address

  • The area address is used in L2 routing.
  • It is the first part of the NSAP associated with the routing process.
  • An IS-IS router can be a member of only one area.
  • All routers in an area must use the same area address.
  • ESs recognize only ISs and other ESs on the same subnetwork that share the same area address.

IS-IS System ID

  • The system ID is used for intra-area (L1) routing.
  • Cisco enforces that the System ID is fixed to a length of 6 bytes.
  • The system ID must be unique in each area.
  • By custom, the router’s MAC address, which is conveniently 6 bytes in length, is used as the System ID.

NSAP Selector

  • A one octet (1 byte) field at the end of an NSAP address is called the NSAP Selector, or NSEL.
  • When the NSEL’s value is set to 00, the NSAP is called a NET address: the address of the node’s network layer itself.
  • The NSEL field identifies a process on the device, which corresponds roughly to a port number in IP.

Addressing and Routing

  • The area address portion of the NSAP address can range from 1 to 13 bytes in length.
  • The area address is the same for devices within the same area and unique for different areas.
  • Routing within an area (intra-area) involves knowing all the system IDs and adjacencies for all devices (ISs and ESs) in the same area and choosing the best paths between these devices by using the Dijkstra algorithm.
    • The system ID is used to route within an area; the area address is not considered.
  • When routing between areas (inter-area), L2 (or L1/L2) routers in different areas exchange area address information and compute the best paths between areas using the Dijkstra algorithm.
    • The area address is used to route between areas; the system ID is not considered.
  • Sending packets from an ES to another ES requires the packets to be sent to an IS that the destination ES is attached to.
    • If the destination ES is in the same area, the IS knows where that ES is based on the ESH it receives from it. The IS proceeds to forward the packet to that ES using the best path.
    • If the destination ES is in another area, the L1 IS sends the packet to the nearest L1/L2 router.
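The addressing rules above, together with the is-type and circuit-type choices from the configuration post (Figure 1), written out as a small Python script. This is an added example, not code from the blog or from Cisco: the NETs, router roles and helper names are constructed to match Figure 1 (R1 and R2 in 49.0001, R3 in 49.0002), so the system IDs are made up.

```python
"""Parse Cisco-style NETs and work out which IS-IS adjacencies two routers form.

Added example. The NETs and router roles below are constructed to match
Figure 1 of the configuration post; they are not taken from a real router.
"""
import re

# Levels each IS-IS keyword permits; the same keywords are used by the
# is-type router command and the isis circuit-type interface command.
LEVELS = {"level-1": {1}, "level-1-2": {1, 2}, "level-2-only": {2}}


def parse_net(net: str) -> dict:
    """Split a dotted NSAP into area address, 6-byte system ID and NSEL.

    Cisco reads the NSAP from the right: the last byte is the NSEL, the 6
    bytes before it are the system ID, and everything before that (1 to 13
    bytes) is the area address. Only an NSAP whose NSEL is 00 is a NET.
    """
    digits = net.replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
        raise ValueError(f"{net!r} is not a hexadecimal NSAP")
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:          # 1..13 area + 6 system ID + 1 NSEL
        raise ValueError(f"NSAP must be 8 to 20 bytes, got {nbytes}")
    nsel = digits[-2:].lower()
    if nsel != "00":
        raise ValueError(f"NSEL is {nsel}, so {net!r} is an NSAP but not a NET")
    sysid = digits[-14:-2].lower()
    area = digits[:-14].lower()
    # Render the way IOS shows them: AFI byte, then 4-hex-digit groups.
    area_dotted = ".".join([area[:2]] + [area[i:i + 4] for i in range(2, len(area), 4)])
    sysid_dotted = ".".join(sysid[i:i + 4] for i in range(0, 12, 4))
    return {"area": area_dotted, "system_id": sysid_dotted, "nsel": nsel}


def routing_key(src_net: str, dst_net: str) -> tuple:
    """Which part of the destination NET the lookup uses.

    Same area: L1 routing on the system ID, area address ignored.
    Different area: L2 routing on the area address, system ID ignored.
    """
    src, dst = parse_net(src_net), parse_net(dst_net)
    if src["area"] == dst["area"]:
        return ("L1", dst["system_id"])
    return ("L2", dst["area"])


def adjacency_levels(a: dict, b: dict) -> set:
    """Levels at which two directly connected interfaces form adjacencies.

    A side can do a level only if both its is-type and the interface's
    circuit-type allow it. An L1 adjacency additionally needs the same area
    address on both sides; an L2 adjacency does not.
    """
    can_a = LEVELS[a["is_type"]] & LEVELS[a["circuit_type"]]
    can_b = LEVELS[b["is_type"]] & LEVELS[b["circuit_type"]]
    levels = can_a & can_b
    if parse_net(a["net"])["area"] != parse_net(b["net"])["area"]:
        levels = levels - {1}
    return levels


# Constructed to match Figure 1: R1 is L1 only, R2 is L1/L2 with a per-interface
# circuit type, R3 sits in another area and is L2 only. System IDs are made up.
R1_FA0 = {"net": "49.0001.0000.0000.0001.00", "is_type": "level-1", "circuit_type": "level-1"}
R2_FA0 = {"net": "49.0001.0000.0000.0002.00", "is_type": "level-1-2", "circuit_type": "level-1"}
R2_S0 = {"net": "49.0001.0000.0000.0002.00", "is_type": "level-1-2", "circuit_type": "level-2-only"}
R3_S0 = {"net": "49.0002.0000.0000.0003.00", "is_type": "level-2-only", "circuit_type": "level-2-only"}


def figure1_adjacencies() -> dict:
    """Adjacencies of Figure 1, plus the R1-R3 pair that would never form one
    (L1 only on one side, L2 only on the other)."""
    return {
        "R1-R2": adjacency_levels(R1_FA0, R2_FA0),
        "R2-R3": adjacency_levels(R2_S0, R3_S0),
        "R1-R3": adjacency_levels(R1_FA0, R3_S0),
    }


if __name__ == "__main__":
    print(parse_net("49.0001.aaaa.bbbb.cccc.00"))
    print(routing_key("49.0001.aaaa.bbbb.cccc.00", "49.0002.0000.0000.0003.00"))
    print(figure1_adjacencies())
```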

Route Leaking

  • Because L1 and L2 routing are separate, there is a chance that packets sent in one direction might take a different path coming back. This is called asymmetric routing.
  • Asymmetric routing does not bring down the network. However, it can prove difficult to troubleshoot a network with asymmetric routing.
  • Route leaking is a feature introduced in Cisco IOS 12.0 which allows L2 routes to be redistributed, or leaked, into L1 routers.
    • By having more detail about interarea routes, an L1 router is able to make a better choice with regard to which L1/L2 router to forward the packet to.
  • Route leaking is defined in RFC 2966, Domain-wide Prefix Distribution with Two-Level IS-IS, for use with the narrow metric TLV types 128 and 130.
  • For use with wide metrics, the IETF defined route leaking using TLV type 135.
  • To implement it, an up/down bit in the TLV is used to indicate whether or not the route identified in the TLV has been leaked.
    • If the up/down bit is set to 1, the route has been redistributed into the area from L2.
    • If the up/down bit is set to 0, the route was originated within that L1 area.
    • The up/down bit is used to prevent routing loops: an L1/L2 router does not re-advertise into L2 any L1 routes that have the up/down bit set.

IS-IS PDU

  1. Hello PDUs – Used to establish and maintain adjacencies.
    • ESH – End System Hellos
    • ISH – Intermediate System Hellos
    • IIH – IS-IS Hellos
  2. LSP – Link State PDUs. Used to distribute link-state information.
  3. Partial Sequence Number PDU (PSNP) – Acknowledges and requests missing link-state information.
  4. Complete Sequence Number PDU (CSNP) – Describes the complete list of LSPs in a router’s link-state database.

LSP Link-State PDUs

Figure 2: An LSP PDU

Some of the notable features of an LSP header are:

  • PDU type and length
  • LSP ID
  • The LSP sequence number
    • Used to identify duplicate LSPs and to ensure that the latest LSP information is stored in the topology table.
    • Allows receiving routers to do the following:
      • Ensure that they use the latest LSPs in their route calculations
      • Avoid entering duplicate LSPs in the topology tables
  • Remaining Lifetime
    • Used to age out LSPs.
    • 1200 seconds = 20 min is the default start value.

TLVs

  • TLV stands for Type, Length and Value.
    • It is also sometimes called Code, Length, and Value (CLV).
    • Type (or Code) is a number specifying the information content of the Value field.
    • Length is the size of the Value field (at most 255 octets).
    • Value is the information itself.
  • The TLV structure is a flexible way to add data to the LSP and an easy mechanism for adding new data fields that might be required in the future.

Example of LSP TLV

Each row gives the TLV, its (T) type code, the (L) length field, and the (V) value:

  • Area Address – Type code 1; Length = area address length + 1; Value = area address.
  • IS Neighbors – Type code 2; Length = neighbor count + 1; Value = IS neighbors.
  • IP Internal Reachability – Type code 128; Length = number of connected IP interfaces; Value = connected IP prefixes: 4-octet metric, 4-octet prefix, 4-octet mask.
  • IP External Reachability – Type code 130; Length = number of redistributed IP prefixes; Value = redistributed prefixes: 4-octet metric, 4-octet prefix, 4-octet mask.
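A TLV walker for the layout in the table above, with the up/down bit from the route-leaking section decoded from the IP reachability entries. This is an added example, not code from the blog or from any Cisco or IETF source; the LSP body is constructed by hand, and the function and constant names are my own.

```python
"""Walk the TLVs in an IS-IS LSP body and decode the area-address and narrow
metric IP reachability TLVs, including the RFC 2966 up/down bit.

Added example. The LSP body is constructed, not captured from a router.
"""
from typing import Iterator, List, Tuple

TLV_AREA_ADDRESSES = 1     # value: repeated (length, area address) pairs
TLV_IP_INT_REACH = 128     # value: repeated 12-octet entries, see parse_ip_reach
TLV_IP_EXT_REACH = 130     # same layout as 128, for redistributed prefixes


def iter_tlvs(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each TLV. Type and Length are one octet each,
    so a Value is at most 255 octets. A Length that runs past the end of the
    buffer is a malformed PDU: refuse it rather than reading past the data."""
    off = 0
    while off + 2 <= len(body):
        tlv_type, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError(f"TLV type {tlv_type} length {length} overruns the LSP body")
        yield tlv_type, body[off:off + length]
        off += length
    if off != len(body):
        raise ValueError("trailing octet without a complete TLV header")


def parse_area_addresses(value: bytes) -> List[str]:
    """TLV 1: each area address is preceded by its own length octet."""
    areas, off = [], 0
    while off < len(value):
        alen = value[off]
        off += 1
        if alen == 0 or off + alen > len(value):
            raise ValueError("bad area address length in TLV 1")
        areas.append(value[off:off + alen].hex())
        off += alen
    return areas


def parse_ip_reach(value: bytes) -> List[dict]:
    """TLV 128/130: 4 metric octets (default, delay, expense, error), then a
    4-octet prefix and a 4-octet mask. In the default-metric octet the low 6
    bits carry the narrow metric (1 to 63), bit 6 is the internal/external
    flag, and bit 7 is the RFC 2966 up/down bit: 1 means the route was leaked
    into this L1 area from L2 and must not be re-advertised back into L2."""
    if len(value) % 12:
        raise ValueError("IP reachability TLV is not a multiple of 12 octets")
    routes = []
    for i in range(0, len(value), 12):
        default_metric = value[i]
        routes.append({
            "prefix": ".".join(str(b) for b in value[i + 4:i + 8]),
            "mask": ".".join(str(b) for b in value[i + 8:i + 12]),
            "metric": default_metric & 0x3F,
            "external": bool(default_metric & 0x40),
            "leaked_from_l2": bool(default_metric & 0x80),
        })
    return routes


def summarize_lsp(body: bytes) -> dict:
    """Decode the TLVs this example understands and record the others by
    type only, which is how a receiver stays compatible with new TLVs."""
    out = {"areas": [], "ip_routes": [], "skipped": []}
    for tlv_type, value in iter_tlvs(body):
        if tlv_type == TLV_AREA_ADDRESSES:
            out["areas"].extend(parse_area_addresses(value))
        elif tlv_type in (TLV_IP_INT_REACH, TLV_IP_EXT_REACH):
            for route in parse_ip_reach(value):
                route["tlv"] = tlv_type
                out["ip_routes"].append(route)
        else:
            out["skipped"].append(tlv_type)
    return out


# Constructed LSP body: area 49.0001, a dynamic-hostname TLV (type 137) that
# this example does not decode, and TLV 128 with one local and one leaked
# prefix. 0x80 in the three optional metric octets is the S bit (unsupported).
SAMPLE_LSP_BODY = bytes([
    1, 4, 3, 0x49, 0x00, 0x01,                                  # TLV 1: 49.0001
    137, 2, 0x52, 0x32,                                         # TLV 137: "R2"
    128, 24,                                                    # TLV 128, two entries
    0x0A, 0x80, 0x80, 0x80, 10, 1, 1, 0, 255, 255, 255, 0,      # 10.1.1.0/24, metric 10, local
    0x94, 0x80, 0x80, 0x80, 172, 16, 0, 0, 255, 255, 0, 0,      # 172.16.0.0/16, metric 20, up/down=1
])

if __name__ == "__main__":
    for route in summarize_lsp(SAMPLE_LSP_BODY)["ip_routes"]:
        print(route)
```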

IS-IS Network Types

Two general types of IS-IS network topologies are:

  1. Point-to-point Networks
    • Links that are permanently established (leased lines, PVCs)
    • or dynamically established (ISDN, switched virtual circuits [SVCs])
  2. Broadcast Networks
    • Multipoint WAN links or LAN links such as Ethernet, Token Ring, or FDDI

Implementing IS-IS in NBMA Networks

  • IS-IS has no concept of NBMA Networks. It is recommended to use point-to-point links, such as point-to-point subinterfaces, over NBMA networks, such as ATM or Frame Relay.
  • Cisco IOS automatically uses broadcast mode for LAN links and multipoint WAN links.
    • It uses point-to-point mode for point-to-point links, such as point-to-point subinterfaces and dialer interfaces.
  • In NBMA networks, Cisco IOS assumes that the NBMA environment features a full mesh of PVCs, when implemented in broadcast mode.
  • When creating static maps to map the remote IP address to the local DLCI on a Frame Relay interface, it is recommended that you use the broadcast keyword.
    • This is because broadcast mode uses multicast updates, which will not be sent without this keyword.
  • When using multipoint WAN links such as multipoint Frame Relay interfaces, you must also allow CLNS broadcasts and multicasts.
  • This can be done by using the following command (in addition to creating the IP mapping):

frame-relay map clns dlci-number broadcast

Implementing IS-IS in Broadcast Networks

  • In IS-IS, broadcast networks are LAN interfaces or multipoint WAN interfaces.
  • Use broadcast mode only for LANs.
    • Although it is default for multipoint WANs, broadcast mode is recommended for use only on LAN interfaces.
  • Separate IS-IS adjacencies are established for the L1 and L2 processes. If neighboring routers are L1/L2 routers, they establish two separate adjacencies, one for each level, using level-specific L1 and L2 IIH PDUs.
  • Routers on a LAN establish adjacencies with all the other routers on the LAN, unlike OSPF with the DR/BDR concept.
  • IIH PDUs announce the area address.
    • Adjacencies form based on the area address communicated in the incoming IIH and the type of router (L1 or L2).

Pseudonode and DIS

  • Designated Intermediate System (DIS)
    • The DIS is the router that creates the pseudonode and acts on behalf of the pseudonode.
    • On broadcast multiaccess networks, a single router is elected as the DIS.
    • There is no backup DIS elected.
    • Selection of the DIS follows the criteria:
      1. Highest priority
      2. Highest SNPA (on LANs the SNPA is the MAC Address)
    • Cisco routers have a default L1 and L2 priority of 64
      • You can configure the priority from 0 to 127 using the following interface configuration command: isis priority number-value [level-1 | level-2].
      • Because an interface can have different L1 and L2 priorities, the L1 DIS and L2 DIS on a LAN may or may not be the same router.
    • The DIS is not guaranteed to keep its role. If there is an IS with a higher priority on the LAN, that IS automatically takes over as DIS. This is called preemptive behavior.
  • Pseudonode
    • A logical representation of the LAN, generated by the DIS.
    • In order to reduce the number of full-mesh adjacencies between nodes on multiaccess links, the multiaccess link itself is modeled as a pseudonode that connects all attached routers in a star-shaped topology.
    • All routers on a broadcast link, including the DIS, form adjacencies with the pseudonode.

Figure 3: Physical and Logical Representation of the Pseudonode

  • Rather than having each router connected to the LAN advertise an adjacency with every router on the LAN, each router, including the DIS, advertises a single adjacency to the pseudo-node.
  • The DIS generates the pseudo-node LSPs.
  • A Pseudo-node LSP details only the adjacent ISs.
  • The pseudo-node LSP is used to build the map of the network and to calculate the SPF tree.
  • The pseudo-node LSP is equivalent to a network LSA in OSPF.

L1 and L2 LSPs

  • Each IS originates its own LSPs: one for L1 and one for L2.
  • On a LAN, the DIS (representing the pseudo-node) sends out LSP information on behalf of the LAN.
    • The DIS sends out separate L1 and L2 LSPs for the pseudo-node.
  • LSPs are sent differently in different media types:
    • Broadcast links – sent out as multicast
    • Point-to-point links – sent out as unicast

L1 and L2 IIHs

  • IIHs establish and maintain adjacency between ISs.
    • Default Hello = 10 seconds; 3.3 sec for the DIS
    • Hold Time = default multiplier (3) x hello time = 3 x 10 = 30 sec.
  • On a LAN separate L1 and L2 IIHs are sent periodically as multicasts to a multicast MAC address:
    • L1 – sent to AllL1IS multicast MAC address 0180.C200.0014.
    • L2 – sent to AllL2IS multicast MAC address 0180.C200.0014.
  • Point-to-point links have a common point-to-point IIH format that specifies whether hello relates to L1 or L2 or both.
    • Point-to-point hellos are sent to the unicast address of the connected router.

Link State Database Synchronization

LSP Flooding

  • LSPs are flooded throughout the IS-IS domain. LSPs are typically flooded to all adjacent routers except the neighbor from which the LSP was received.
    • L1 LSPs are flooded within their local areas.
    • L2 LSPs are flooded throughout the backbone.
  • LSPs originated by each IS are identified by the originator’s system ID and an LSP fragment number starting at 0.
    • If an LSP is bigger than the maximum transmission unit (MTU), it is fragmented into several LSPs, numbered 1, 2, 3, and so on.
  • When an IS receives an LSP, it examines the checksum and discards any invalid LSP by expiring its lifetime.
    • If the LSP is valid and newer than what is currently in the LSDB, it is retained, acknowledged with a PSNP, and given a lifetime of 1200 seconds (20 min).
    • When the LSP expires after 1200 seconds, it is kept for an additional 60 seconds before it is flooded as an expired LSP.

LSDB Synchronization

  • In order to acknowledge the receipt of LSPs and to maintain LSDB synchronization, sequence number PDUs (SNPs) are used. The use of SNPs differs between point-to-point and broadcast media.
  • There are two types of SNPs:
    1. Complete Sequence Number PDUs (CSNPs)
      • Used to inform other routers of LSPs that may be outdated or missing from their own databases. This ensures all the routers have the same information and are synchronized.
      • Similar to an OSPF database description packet.
    2. Partial Sequence Number PDUs (PSNPs)
      • PSNPs are used to request an LSP (or LSPs),
      • and acknowledge receipt of an LSP (or LSPs).
  • Separate CSNPs and PSNPs are used for L1 and L2 adjacencies.
  • In broadcast networks, only the DIS transmits CSNPs.
    • CSNP multicasts are sent every 10 sec by the DIS on a LAN to ensure LSDB accuracy.
  • In point-to-point networks, CSNPs are sent when the link comes up to synchronize the LSDB.
    • This is sent only once.
    • After the first transmission, LSPs are sent only if there are topology changes.
    • CSNP receipt is acknowledged with PSNP.

LAN Adjacencies

  • IIH PDUs announce the area address.
  • Routers from one area accept L1 IIH PDUs only from their own area and therefore establish adjacencies only with their own area routers.
  • Similarly, L2 routers accept only L2 IIH PDUs and establish L2 adjacencies.

WAN Adjacencies

  • On point-to-point WAN links, the IIH PDUs have a common format for both levels. The level type and area address are announced in the IIH.
  • L1 routers receive IIHs that specify the L1 level and form an L1 adjacency.
  • L2 routers exchange IIH PDUs that specify the L2 level and form a level 2 adjacency.
  • L1/L2 routers establish separate level 1 and level 2 adjacencies.
  • Two L1 routers that are physically connected but are not in the same area can exchange IIHs, but they do not establish an adjacency, because their area IDs do not match.

Resources:

  1. Intermediate System-to-Intermediate System Protocol – Cisco Technical White Paper
  2. IS-IS Route Leaking Overview
  3. Intermediate System-to-Intermediate System (IS-IS) TLVs
  4. IS-IS Network Types and Frame Relay Interfaces
  5. Understanding IS-IS Pseudonode LSP

This entry is not an authoritative guide. These are merely notes and rehash of the primary text materials and resources that I use. For a thorough guide of the BSCI course, consider purchasing Building Scalable Cisco Internetworks (BSCI) (Authorized Self-Study Guide) (3rd Edition) by Diane Teare and Catherine Paquet, as well as following the links on the resources section of this entry.

Posted in BSCI Exam Prep, CCNP, Frame Relay, IS-IS, Routing Protocols

Quid Pro Quo

Posted by Aragoen Celtdra on 27th October 2008

Didn’t do much studying this weekend as I had planned. I had this grand plan to drill down IS-IS even deeper this weekend by spending at least 12 hours of solid studying. In the end I wound up spending probably 2 hours in all two days.

I did get to spend a lot of time with family though. And on Saturday, I couldn’t pry myself away from all the good college football matchups. On Sunday, my wife, son and I slept a little too long and missed our usual 7am Mass so we ended up going to Church later that day. By the time we had free time in the afternoon, my wife and I just watched all our recorded shows on DVR from the previous week, while the 2 year old took his afternoon nap.

All in all it was fun and relaxing. But I would’ve liked to have put in a few more hours of productive study time.

My work schedule has changed so my study routine will also change a little bit. I’m not sure if I like it too much but so far I found that it gives me and my family more time to hang out together on a daily basis. I now work from 7 to 4. Previously I worked from 9 to 6. The old schedule worked out pretty well for me then because I was able to study 1.5 to 2 hours before work and 2-3 more hours at night. Now I’m only able to do about 3 hours at night. The positive is, my wife and I no longer drive two cars to get to work. Since she is able to drop me off at work and pick me back up we will save considerable money from less gas usage. At the same time we get to catch up on life talks while driving. Since we started doing that, my son also seems to be more excited. He loves family trips in the car… I think ;) . The only downside to that is that, because we leave home earlier, I don’t get to study in the morning anymore – my favorite and preferred time to study. When I get home I’m usually tired and am unable to digest more information by then.

I’ll just see how this new schedule works out. Things always seem to fall into place anyhow. They always do.

Posted in Aragoen's Musing, General

BSCI: IS-IS Concepts I

Posted by Aragoen Celtdra on 23rd October 2008

Integrated Intermediate Systems-to-Intermediate System

  • The IS-IS protocol is part of the Open System Interconnection (OSI) suite of protocols.
  • The OSI suite uses the Connectionless Network Service (CLNS) for data delivery.
    • Connectionless Network Protocol (CLNP) is the actual Layer 3 protocol, similar to the Internet Protocol (IP) of the TCP/IP suite.
    • IS-IS uses CLNS addresses to identify the routers and build the link-state database.
  • IS-IS operates strictly in CLNS.
  • Integrated IS-IS supports CLNS as well as IP routing.
  • The ISO calls routers Intermediate Systems (IS).
    • IS-IS is a protocol that allows routers to communicate with other routers.
  • In OSI terminology, hosts are called End Systems (ES).

IS-IS Routing Levels

There are two routing levels in IS-IS:

  1. Level 1 (L1)
    • L1 routing occurs within an IS-IS area and is responsible for routing inside an area.
    • All devices (ISs and ESs) in the same area have the same area address.
    • To route within the same area, the system ID of the devices is considered.
  2. Level 2 (L2)
    • L2 routing occurs between different IS-IS areas.
    • To route from one area to the next, the area address is considered. The system ID is ignored.

Three types of IS-IS Routers:

  1. Level 1 (L1) Routers
    • L1 routers learn about paths within the areas they connect to (intra-area) by use of Link State PDUs (LSPs) – the equivalent of LSAs in the OSPF world.
    • These routers are equivalent to OSPF internal non-backbone routers.
    • Intra-area (L1) routing enables ESs to communicate. An L1 area is a collection of L1 and L1/L2 routers.
  2. Level 2 (L2) Routers
    • L2 routers learn about paths between areas (inter-area) with the use of LSPs.
    • These routers are similar to OSPF backbone routers.
  3. Level 1-2 (L1/L2) Routers
    • Learn about paths both within and between areas.
    • They are the equivalent of ABRs in OSPF.
  • The path formed by the L2 and L1/L2 routers is called the backbone.
  • All areas and the backbone must be contiguous.

OSI Routing Levels

  1. Level 0 (L0) Routing
    • When an ES needs to send a packet to another ES, it finds the nearest IS on the same subnet and sends the packet there.
    • This is conducted by the ES-IS protocol.
      • ES-IS forms adjacencies between ESs (hosts) and ISs (routers)
        • IP end-systems do not use ES-IS
      • ESs transmit End System Hellos (ESHs) to announce their presence to ISs.
      • ISs transmit Intermediate System Hellos (ISH) to announce their presence to ESs.
      • ISs transmit IS-IS Hellos (IIHs) to other ISs.
  2. IS-IS Level 1 (L1) Routing
    • Traffic exchanges between ISs in the same area
    • Also called intra-area routing.
  3. IS-IS Level 2 (L2) Routing
    • If a destination address is in another area, the L1 finds the nearest L1/L2 IS and sends packet there.
    • Using the area address, packets are sent through other L2 and L1/L2 ISs until the packet reaches an L1/L2 IS in the destination area.
    • Within the destination area, ISs forward the packet using the best route, based on the system ID.
    • Also called inter-area routing.
  4. Level 3 (L3) Routing
    • Passes traffic between different autonomous systems.
    • Comparable to BGP.
    • Not supported in Cisco routers.
    • Uses the Interdomain Routing Protocol (IDRP) to conduct L3 routing.

IS-IS and OSPF Comparison

  • Both are open-standard link-state routing protocols. They maintain a link-state database from which a Dijkstra-based SPF algorithm computes a shortest-path tree.
  • They both use similar mechanisms (such as LSAs/LSPs, link-state aging timers, and link-state database synchronization) to maintain the health of the LSDB.
  • They both use Hello packets for establishing and maintaining adjacencies.
  • Both use areas to form a two-level hierarchical topology.
  • They are both classless protocols, and therefore support VLSM.
  • Both have the capability of providing address summarization between areas.
  • Both elect a designated router to represent broadcast networks.
  • Both have authentication capabilities.
  • Both converge quickly after network changes.

Area Design

  • In OSPF, the border between OSPF areas is inside the ABRs. Some interfaces are in one area, and other interfaces are in another area.
  • With this design, all areas have to connect to an area backbone. Consistent IP addressing is a must in order to properly summarize addresses into the backbone.

Figure 1: OSPF Area Topology

  • IS-IS areas, in comparison, have all their routers completely within an area.
  • The area borders are on links, not in the routers.
  • IS-IS has a hierarchy of L1, L1/L2, and L2 routers.
  • Extending the backbone is much more flexible. To extend it, simply add another L1/L2 or L2 router.

Figure 2: IS-IS Area Topology

OSPF and IS-IS Side-by-Side Comparison

OSPF                                                         | Integrated IS-IS
Area border inside routers (ABRs)                            | Area border on links
Each link in only one area                                   | Each router in only one area
More complex to extend the backbone                          | Simple extension of backbone
Many small LSAs sent                                         | Fewer LSPs sent
Runs on top of IP                                            | Runs on top of the data-link layer
Requires IP address                                          | Requires IP and CLNS address
Default metric is scaled by interface bandwidth              | Default metric is 10 for all interfaces
Equipment, personnel, and information more readily available | Equipment, personnel, and information not as readily available

Integrated IS-IS Advantages

  • IS-IS updates for a certain group of routers are sent with very few LSPs, whereas OSPF sends many small LSA updates.
  • The relatively small number of LSPs that IS-IS routers send makes for more efficient and faster use of CPU resources with IS-IS.
  • NET addresses that are used by IS-IS routers are already summarized; therefore, installing and removing prefixes is also less resource intensive.
  • Based on default timers, IS-IS detects failures faster than OSPF. This helps with faster convergence.
  • Extending the capabilities of IS-IS requires only the addition of new TLVs, which is much simpler than creating new LSAs with OSPF.

OSPF Advantages

  • OSPF is designed and optimized for use with IP.
  • Finding support personnel and equipment is relatively much easier with OSPF.
  • Documentation for OSPF is also abundant and readily available.

Resources:

  1. Intermediate System-to-Intermediate System Protocol

This entry is not an authoritative guide. These are merely notes and rehash of the primary text materials and resources that I use. For a thorough guide of the BSCI course, consider purchasing Building Scalable Cisco Internetworks (BSCI) (Authorized Self-Study Guide) (3rd Edition) by Diane Teare and Catherine Paquet, as well as following the links on the resources section of this entry.

Posted in BSCI Exam Prep, CCNP, IS-IS, Routing Protocols | No Comments

Tighten Up That Saddle and Let’s Get Rollin’!

Posted by Aragoen Celtdra on 22nd October 2008

Last week was my first full week in a long time that I really buckled down and got some good quality studying in. It felt like I was tackling just OSPF alone for a whole month. That’s not how I planned or envisioned it in the beginning, but I think the prolonged and scattered exposure to it helped me get a better handle on the subject. Ideally, I really should be spending that much time with all the technologies. But I’m a little torn between going all out studying for CCNP or reserving that energy for when I prepare for CCIE. If I spend a month for each it would take me… hmm… let’s see… about 7 months just for BSCI alone. :D My comfort level with the subjects should improve, though, because I haven’t even factored in the lab guide yet. But with the goal I have set forth to take the exam before the new year, I’m not sure where to fit the lab in. I will somehow.

I mentioned earlier that I had thought that I would be taking my BSCI exam by mid-October. At this time I’m nowhere near ready, nor feel prepared enough to take it. So based on where I’m at and my comfort level on the materials, I have pushed it back to December. I know, quite a huge difference in time interval from my original projection. But then you may also recall that I spent almost a month and a half working on a single-man VPN project for work for which I have gained very valuable experience. So the trade is more than fair.

Anyhow, I sat down last night and plotted down how I’m going to spend the next few months of preparation. Following is the general overview:

Oct 20 – 26: IS-IS
Oct 27 – Nov 2: Manipulating Routing Updates, Redistribution
Nov 3 – 9: BGP part 1
Nov 10 – 16: BGP part 2
Nov 17 – 23: Multicast
Nov 24 – 30: IPv6
Dec 1 – 7: IPv6 (if needed)
Dec 8 – 14: ODR, RIP
Dec 15 – 21: Review
Dec 22 – 26: Review
Dec 27: Exam

If you notice, my preparation runs right smack in the middle of the holidays so getting through this unscathed is a tall order. But I will, as I always have, try to maximize the time I get studying; keeping in mind that the coming holidays will have to sway a little bit towards quality family time over configuration manuals and cold steel (when they’re turned off ;) ). With the exception of ODR, RIP, and IPv6, all the rest on that schedule is review. Therefore I expect to be more than ready by the time I take the exam. If I’m successful with this schedule, pushing into the new year should fetch me a stronger momentum. Wish me luck friends!

Posted in BSCI Exam Prep | 5 Comments

Dude, Where’s my Bookmarks?

Posted by Aragoen Celtdra on 21st October 2008

Anybody use Yahoo Bookmarks? I swear I’m about to pull out my hair again. All my bookmarks have been deleted somehow.

Yeah, yeah, I’ve been told Yahoo bookmarks suck. But it worked for my needs and did what I needed it to do. But now.. all my precious collection is gone. Literally hundreds upon hundreds of Cisco links organized in a nice hierarchical fashion. I’m just hoping someone at yahoo figures out how to restore it back.

K, time to send out an irrational, angry tirade to yahoo.

Update:

Looks like yahoo got the ish together and got my bookmarks back. Now where the heck is that export button? :D

Posted in General | No Comments

BSCI: OSPF Advanced Configuration IV

Posted by Aragoen Celtdra on 20th October 2008

OSPF Virtual Links

  • Virtual Links:
    • Allows discontiguous area 0s to be connected.
    • Allows a disconnected area to connect to a backbone area via a transit area.
      • The transit area (the area through which the virtual link is configured) must have full routing information.
      • The transit area also cannot be a stub area.
    • The Hello protocol works over virtual links just like it does with standard links – at 10-second intervals.
    • LSAs, however, do not refresh every 30 minutes like they do over a standard link.
      • LSAs learned through a virtual link have the DoNotAge (DNA) option set. This prevents the LSA from aging out. This is required to prevent excessive flooding over the virtual link.
  • Configuration – use the following router configuration command:

area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key-id md5 key]]

  • The parameters are:
    • area-id – Specifies the area ID of the transit area for the virtual link. This ID can be either a decimal value or in dotted-decimal format, like a valid IP address. There is no default. The transit area cannot be a stub area.
    • router-id – Specifies the router ID of the virtual link neighbor. The router ID appears in the show ip ospf display. This value is in an IP address format. There is no default.
    • authentication – (Optional) Specifies an authentication type.
    • message-digest – (Optional) Specifies the use of message digest 5 (MD5) authentication.
    • null – (Optional) Overrides simple password or MD5 authentication if configured for the area; no authentication is used.
    • hello-interval seconds – (Optional) Specifies the time (in seconds) between the hello packets that the Cisco IOS Software sends on an interface. The unsigned integer value is advertised in the hello packets. The value must be the same for all routers and access servers attached to a common network. The default is 10 seconds.
    • retransmit-interval seconds – (Optional) Specifies the time (in seconds) between LSA retransmissions for adjacencies belonging to the interface. The value must be greater than the expected round-trip delay between any two routers on the attached network. The default is 5 seconds.
    • transmit-delay seconds – (Optional) Specifies the estimated time (in seconds) to send an LSU packet on the interface. This integer value must be greater than 0. LSAs in the update packet have their age incremented by this amount before transmission. The default value is 1 second.
    • dead-interval seconds – (Optional) Specifies the time (in seconds) that must pass without hello packets being seen before a neighboring router declares the router down. This is an unsigned integer value. The default is four times the default hello interval, or 40 seconds. As with the hello interval, this value must be the same for all routers and access servers attached to a common network.
    • authentication-key key – (Optional) Specifies the password used by neighboring routers for simple password authentication. It is any continuous string of up to 8 characters. There is no default value.
    • message-digest-key key-id md5 key – (Optional) Identifies the key ID and key (password) used between this router and neighboring routers for MD5 authentication. There is no default value.
  • The area area-id virtual-link command requires the router ID of the far-end router. Several commands can be used to find the router ID:
    • sh ip ospf
    • sh ip ospf interface
    • sh ip protocols

Example

Figure 1: Virtual Link Example Topology

R1 Configuration

R1(config)#int loopback 1
R1(config-if)#ip address 1.1.1.1 255.0.0.0
!
R1(config-if)#int fa0/0
R1(config-if)#ip address 4.0.0.1 255.0.0.0
R1(config-if)#no shut
R1(config-if)#no keepalive*
!
R1(config-if)#int s1/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#no shut
!
R1(config-if)#router ospf 100
R1(config-router)#network 4.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.10.10.0 0.0.0.255 area 1
R1(config-router)#area 1 virtual-link 3.3.3.3
!

*The no keepalive command seems to fool dynamips into thinking that there is a device on the other end of this router’s fa0/0 interface. The result is an up/up interface instead of up/down that I kept getting before inserting that command.

R2 Configuration

R2(config)#int loopback 1
R2(config-if)#ip address 2.2.2.2 255.0.0.0
!
R2(config-if)#int s1/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no shut
!
R2(config-if)#int s1/1
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shut
!
R2(config-if)#router ospf 100
R2(config-router)#network 192.168.1.0 0.0.0.255 area 1
R2(config-router)#network 10.10.10.0 0.0.0.255 area 1

R3 Configuration

R3(config)#int loopback 1
R3(config-if)#ip address 3.3.3.3 255.0.0.0
!
R3(config-if)#int fa0/0
R3(config-if)#ip address 5.0.0.1 255.0.0.0
R3(config-if)#no shut
R3(config-if)#no keepalive*
!
R3(config-if)#int s1/0
R3(config-if)#ip address 192.168.1.1 255.255.255.0
R3(config-if)#no shut
!
R3(config-if)#router ospf 100
R3(config-router)#network 5.0.0.0 0.255.255.255 area 2
R3(config-router)#network 192.168.1.0 0.0.0.255 area 1
R3(config-router)#area 1 virtual-link 1.1.1.1

  • The OSPF router ID is the highest IP address on the router, and if present, the highest loopback address. Notice that I configured loopback addresses for each of the routers. To make it easy to identify, I chose to use the loopback address based on the router name (ie R1 = 1.1.1.1 and so forth)
  • Router IDs are calculated at boot time or when the OSPF process is started. Therefore don’t be alarmed if you configure an interface IP address, configure a loopback address later, and find that the router ID does not reflect the loopback address. Usually, a reload of the router will fix this. In this exercise, I tried clear ip ospf process but that didn’t fix it. A reload did.
  • For anyone interested, here’s the basic dynamips .net configuration for the lab exercises discussed here:

[localhost]

[[7200]]
image = \Program Files\Dynamips\images\C7200-JK.BIN
# On Linux / Unix use forward slashes:
# image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
npe = npe-400
ram = 96

[[ROUTER R1]]
model = 7200
console = 2001
s1/0 = R2 s1/0

[[ROUTER R2]]
model = 7200
console = 2002
s1/1 = R3 s1/0

[[ROUTER R3]]
model = 7200
console = 2003

Verifying OSPF Virtual-Link Operation

Figure 2: sh ip ospf virtual-links Command

  • The parameters show:
    • Virtual Link OSPF_VL0 to router 3.3.3.3 is up – specifies that the link to neighbor 3.3.3.3 is up.
    • Transit area 1 – specifies that the virtual link is formed through transit area 1.
    • via interface serial1/0 – the virtual link is formed through this interface.
    • Cost of using 128 – this is the cost associated with reaching the neighbor through the virtual link.
    • Transmit Delay is 1 sec – the estimated time it takes to transmit a link-state update (LSU) packet on the virtual link.
    • State POINT_TO_POINT – OSPF classifies a virtual link as a network type. Within each ABR, the virtual link transitions to the fully functional point-to-point interface state when a route to the neighboring ABR is found in the routing table.
    • Adjacency State FULL (Hello suppressed) – tells us that the state between the two neighbors is full.
      • The output shows that OSPF hellos are suppressed. This means that, once the virtual link is up, no hellos are exchanged. OSPF suppresses the hellos because it considers virtual links to be demand circuits. Normally, OSPF sends hellos every 10 seconds and refreshes its LSAs every 30 minutes. However, even this amount of traffic is undesirable on demand circuits. The use of OSPF demand circuit options suppresses hello and LSA-refresh functions. As a result, any changes that you make to the OSPF authentication do not take effect until you clear the OSPF process with the clear ip ospf process command.

Figure 3: sh ip ospf neighbor Command

  • Be aware that the sh ip ospf neighbor command does not display adjacencies over virtual links. The one clue about the existence of the virtual link is the presence of the OSPF_VL0 interface.
    • To display adjacency over virtual links, use the sh ip ospf virtual-links command.

Figure 4: sh ip ospf database Command

  • Note in the output that any of the LSAs learned from a virtual link have the DoNotAge (DNA) option.
    • *I haven’t quite yet understood why DNA is set. But my theory is, because OSPF considers virtual circuits as demand circuits and Hellos are suppressed, the LSA is told not to age, in other words, the LSA will not reach MaxAge. I’m guessing here.

Figure 5: sh ip ospf database router Command

  • Breaking down the output under the “Router Link States (Area 0)” heading:
    • In the Options field:
      • No TOS-capability.
      • DC means it is capable of supporting OSPF over demand circuits.
    • LS Type: Router Links – it is a Type 1 LSA.
    • Link State ID: 1.1.1.1 – for router links, the Link State ID is always the same as the Advertising Router.
    • Advertising Router: 1.1.1.1 – this is the router ID of the router that created the LSA.
    • Area Border Router – in the router LSA, this is indicated by the B bit.
    • Link connected to: a Stub Network – refers to the network on the LAN interface.
    • Link connected to: a Virtual Link – refers to the connection to the virtual link.
      • It is followed by the router ID of the neighbor on the other end of the virtual link [(Link ID) Neighboring Router ID: 3.3.3.3].

OSPF Authentication

  • When authentication is configured on a router, the router authenticates the source of each routing update packet that it receives.
  • There are three different types of OSPF authentication (shown in the following with their type codes):
    • Null (Type 0)
      • This is the default setting, which means the routing updates are not authenticated.
    • Simple (Type 1)
      • A password is used but it is sent in clear text over the network.
    • MD5 (Type 2)
      • With MD5 authentication, the password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode.
      • OSPF MD5 authentication includes a nondecreasing sequence number in each OSPF packet to protect against replay attacks.
  • When configuring authentication, the whole area must use the same type of authentication.

Configure Simple Password Authentication

  • To configure simple authentication, follow a two-step process:
    1. Use the following interface configuration command to assign a password:
      • ip ospf authentication-key password
      • The password parameter is any string of characters up to 8 bytes in length (= 8 characters).
      • This password is used as the “key” which is inserted into the OSPF header when the Cisco IOS software originates routing protocol packets.
      • A separate password can be assigned to each network on a per-interface basis. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors.
    2. Specify the authentication type using the following interface configuration command:
      • ip ospf authentication [message-digest | null]
      • For simple password authentication, use the ip ospf authentication command with no parameters.
      • message-digest – Optional parameter that specifies MD5 authentication will be used.
      • null – Optional parameter that specifies no authentication is to be used. This is useful for overriding simple password or MD5 authentication if configured for an area.
  • For backward compatibility, an authentication type for an area is supported – as opposed to authentication type for an interface, which is described above.
    • In other words, as an alternative to using ip ospf authentication command on a interface, you may use a router command to configure authentication on an OSPF area.
    • The following router configuration command is used for configuring authentication on an area:

area area-id authentication [message-digest]

  • The parameters used are:
    • area-id - identifies the area on which authentication is applied. Can be either a decimal or dotted decimal value.
    • message-digest – An optional parameter that enables the MD5 authentication.

Example Simple Password Authentication

Figure 6: Example Simple Password Authentication

R1 Configuration:

Router R1:
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key pa$$word
!
!
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

R2 Configuration

Router R2:
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
!
interface Serial1/1
ip address 192.168.1.2 255.255.255.0
ip ospf authentication
ip ospf authentication-key pa$$word
!
!
router ospf 100
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

  • Here’s a simple .net configuration of the above topology for anyone who wants to lab it up on dynamips:

[localhost]

[[7200]]
image = \Program Files\Dynamips\images\C7200-JK.BIN
# On Linux / Unix use forward slashes:
# image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
npe = npe-400
ram = 96

[[ROUTER R1]]
s1/0 = R2 s1/1
model = 7200
console = 2001

[[ROUTER R2]]
model = 7200
console = 2002

Figure 7: Verifying Simple Password Authentication

  • sh ip ospf neighbor command output displays FULL ospf adjacency relationship.
  • The routing table shows that the 2.2.2.2 network route has been learned.
  • The ping of the 2.2.2.2 network was successful.

Figure 8A & 8B: Troubleshooting Simple Password Authentication

  • Use debug ip ospf adj
  • This error shows that one router is using type 1 authentication while the other does not have authentication configured

  • Use debug ip ospf adj
  • This output is a result of Type 1 (simple password) authentication configured on both routers but the passwords do not match.

Configure MD5 Authentication

  • Use the following two-step configuration to enable MD5 authentication:
    1. Use the following interface configuration command to assign a key and key ID:
      • ip ospf message-digest-key key-id md5 key
      • key-id is an identifier in the range of 1 to 255.
      • key is an alphanumeric password of up to 16 bytes (16 characters).
    2. Specify authentication type using the following interface configuration command:
      • ip ospf authentication message-digest
      • Just like the simple password authentication, the MD5 authentication for an area is also supported using the area area-id authentication message-digest router configuration command, for backward compatibility.
  • The key and key-id parameters used in the MD5 authentication configuration are used to generate a message digest (called a hash) for each OSPF packet. The message digest is appended to the packet – not the password.
  • All neighboring routers on the same network must have the same password.
    • In other words: the same key-id on the neighbor router must have the same key value.
  • A practical use for having multiple key-ids set up is when changing keys (or passwords).
    • For example, consider a router with the following interface configuration:
      • ip ospf message-digest-key 100 md5 OLD
    • You can add the following on the same interface:
      • ip ospf message-digest-key 200 md5 NEW
    • By doing this the router sends multiple copies of the same packet, each one authenticated by the different keys.
      • One packet is sent and authenticated by key 100
      • A second, identical packet is sent and authenticated by key 200
    • This type of rollover process allows neighboring routers to continue communicating while the network administrator updates the routers with a new key.
    • When the new key has been configured on both routers and all neighbors are updated, the old key should be removed:
      • no ip ospf message-digest-key 100

Example MD5 Authentication

  • The following configuration is based on the topology Figure 6 above:

R1 Configuration

!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 100 md5 pa$$word
!
!
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

R2 Configuration

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
interface Serial1/1
ip address 192.168.1.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 100 md5 pa$$word
!
!
router ospf 100
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Figure 9: Verifying MD5 Authentication

  • The sh ip ospf neighbor command shows R1 has full adjacency with its neighbor, R2.
  • The routing table has learned the network 2.2.2.2.
  • Ping of 2.2.2.2, learned via OSPF, is successful.

Figure 10A & 10B: Troubleshooting MD5 Authentication

  • On the output above, R1 and R2 are configured with the following configurations, respectively:
    • ip ospf message-digest-key 100 md5 pa$$word
    • ip ospf message-digest-key 200 md5 pa$$word
  • Analyzing the output of R1, it is sending out a hash calculated with key-id 100, but it is receiving a hash from R2 that is calculated using key-id 200. The same happens in reverse: R2 expects key-id 200 while R1 expects key-id 100.
  • Even though the key (ie password) is the same on both neighbors, the authentication fails because the key-ids don’t match.
  • The messages will keep appearing every 10 seconds (every hello interval) until the misconfiguration is fixed.

Figure 11: MD5 Authentication – Mismatched Password

  • The message above is consistent with mismatch key values (password) on either end of the link.
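As an added example (not code from this post, from Cisco IOS, or from the BSCI text), the following Python models the MD5 mechanics described under Configure MD5 Authentication and the two failure modes of Figures 10 and 11: the digest is computed over the packet plus the zero-padded key as RFC 2328 Appendix D specifies, the sender emits one copy per configured key-id during a rollover, and the receiver checks key-id, digest and the nondecreasing sequence number. Router IDs, packet bodies and the key rings are constructed values.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D) in miniature.
Constructed example: sign a packet with a key-id/key pair, verify it against a
key ring, and walk through key rollover and the key-id / password mismatches."""
import hashlib
import hmac
import struct

OSPF_HEADER_LEN = 24      # version .. 8-byte authentication field
AUTYPE_CRYPTO = 2         # AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16           # MD5 digest appended after the OSPF packet


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(router_id: str, area_id: str, ptype: int, body: bytes,
                 key_id: int, seq: int) -> bytes:
    """OSPF header + body. With MD5 authentication the checksum is zero and the
    authentication field carries key-id, digest length and the cryptographic
    sequence number instead of a password."""
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, ptype, length,
                         ip_to_bytes(router_id), ip_to_bytes(area_id),
                         0, AUTYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """Digest over the whole packet followed by the key zero-padded to 16 bytes.
    Only the digest travels on the wire, never the key itself."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign_with_keyring(router_id, area_id, ptype, body, seq, keyring):
    """Sender side of a rollover: one copy of the packet per configured key-id,
    each authenticated with its own key (what two 'ip ospf message-digest-key'
    lines on one interface produce)."""
    copies = []
    for key_id, key in sorted(keyring.items()):
        packet = build_packet(router_id, area_id, ptype, body, key_id, seq)
        copies.append(packet + ospf_md5_digest(packet, key))
    return copies


class OspfReceiver:
    """Receiver side: a key ring (key-id -> key) plus the last sequence number
    seen from each neighbour for the nondecreasing-sequence replay check."""

    def __init__(self, keyring):
        self.keyring = dict(keyring)
        self.last_seq = {}

    def verify(self, wire: bytes) -> str:
        if len(wire) < OSPF_HEADER_LEN + DIGEST_LEN:
            return "reject: truncated"
        (_ver, _type, length, rid, _aid,
         _csum, autype) = struct.unpack("!BBH4s4sHH", wire[:16])
        if autype != AUTYPE_CRYPTO:
            return f"reject: autype {autype} is not MD5"
        _res, key_id, dlen, seq = struct.unpack("!HBBI", wire[16:24])
        if dlen != DIGEST_LEN or length + DIGEST_LEN > len(wire):
            return "reject: bad length"
        packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
        key = self.keyring.get(key_id)
        if key is None:            # Figure 10 case: same password, different key-id
            return f"reject: unknown key-id {key_id}"
        if not hmac.compare_digest(ospf_md5_digest(packet, key), digest):
            return "reject: bad digest (key mismatch)"   # Figure 11 case
        src = ".".join(str(b) for b in rid)
        last = self.last_seq.get(src, 0)
        if seq < last:
            return f"reject: replay (seq {seq} < {last})"
        self.last_seq[src] = seq
        return "accept"


def rollover_demo():
    """The key change described above, as seen by R2; returns the verdicts."""
    r2 = OspfReceiver({100: "OLD"})                  # R2 still has only the old key
    copies = sign_with_keyring("1.1.1.1", "0.0.0.0", 1, b"hello", 1,
                               {100: "OLD", 200: "NEW"})
    before = [r2.verify(w) for w in copies]         # key 100 accepted, key 200 unknown
    r2.keyring[200] = "NEW"                         # administrator adds the new key on R2
    during = [r2.verify(w) for w in copies]         # both copies now accepted
    del r2.keyring[100]                             # old key removed everywhere
    after = [r2.verify(w) for w in copies]          # only the key-200 copy accepted
    return before, during, after
```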

Resources:

  1. Cisco Systems [IP Routing] Configuration Examples & Technotes – OSPF Virtual Link
  2. Cisco Systems [IP Routing] – What Are Virtual Links?
  3. Sample Configuration for Authentication in OSPF
  4. Configuring OSPF Authentication on a Virtual Link

This entry is not an authoritative guide. These are merely notes and rehash of the primary text materials and resources that I use. For a thorough guide of the BSCI course, consider purchasing Building Scalable Cisco Internetworks (BSCI) (Authorized Self-Study Guide) (3rd Edition) by Diane Teare and Catherine Paquet, as well as following the links on the resources section of this entry.

Posted in BSCI Exam Prep, CCNP, Dynamips, OSPF, Routing Protocols | No Comments
