IS-IS

ISIS Security part 2 – Video

A while ago I wrote a post on ISIS security. Here is a video to accompany the post.

Consider the topology below.

isis-security

There are five ways to configure ISIS authentication.  The methods differ in which packets they authenticate.  Some authentication methods will tear down ISIS adjacencies if there is an authentication mismatch, others will remove any ISIS routes.

In summary we said the following 5 authentication configuration options were available in IOS.

1-area-password command

2-domain-password command

3-isis authentication key command

4-authentication key command

5-isis password command.

We can group the 5 methods into 2 categories, those which authenticate ISIS hello packets and those which authenticate ISIS LSP, CSNP and PSNP packets.

The isis authentication key and isis password commands are used to authenticate ISIS hello packets.

The area-password, domain-password and authentication key commands are used to authenticate ISIS LSP, CSNP and PSNP packets.

The video below shows how to configure the above options.  Click here to download and watch the video on your iPod.

Redistributing ISIS into OSPF

Someone asked me recently for an example of ISIS redistribution into OSPF. So here goes.

Consider the topology below.

isis-into-ospf

We redistribute ISIS into OSPF and vice versa on R2. We should then be able to ping R1 loopback from R3 loopback and vice versa.

Watch the video below or alternatively click here to download and watch it on your iPod.

The commands used in the above video can be found below.

R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
description :connected to R2 fa1/0:
ip address 10.0.0.1 255.255.255.252
ip ospf network point-to-point
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!

R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
description :connected to R1 fa1/0:
ip address 10.0.0.2 255.255.255.252
ip ospf network point-to-point
!
interface FastEthernet1/1
description :connected to R3 fa1/0:
ip address 10.0.0.5 255.255.255.252
ip router isis
!
router ospf 1
log-adjacency-changes
redistribute isis level-2 subnets
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
redistribute ospf 1
!

R3
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet1/0
description :connected to R2 fa1/1:
ip address 10.0.0.6 255.255.255.252
ip router isis
!
router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0
!

ISIS level-1, level-2 areas, ISIS redistribution and ISIS default route origination.

I’m going to cover the following three things in this post.

  1. Level-1, Level-1-2 and Level-2-only routers: how to configure them and what the ATT bit is.
  2. Investigate the default behavior of the various levels with respect to routing updates, i.e. are level-2 prefixes advertised to level-1 routers by default.
  3. Finally we will cover how to originate a default route within a level-2 area.

Consider the topology below.

isis-att-redist-area

Some important points worth noting:

  1. Level-1-2 routers HAVE to be in the same area as level-1 routers, otherwise the level-1 routers will not be able to form an adjacency with them.
  2. The level-1-2 router must have a level-2 adjacency with a router in another area for the ATT bit to be set in its outgoing level-1 updates.
  3. By default level-1 routes are advertised to level-2 routers.
  4. By default level-2 routes are NOT advertised to level-1 routers.

Watch the video below or alternatively download the video and watch it on your iPod .

The commands used for the above configuration are:

R1

frame-relay switching
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1
passive-interface Loopback0
!

R2
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.5 255.255.255.252
ip router isis
encapsulation frame-relay
no fair-queue
serial restart-delay 0
clockrate 128000
no arp frame-relay
frame-relay map ip 10.0.0.6 200
frame-relay map clns 200 broadcast
no frame-relay inverse-arp
frame-relay intf-type dce
isis circuit-type level-2-only
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip any any

R3

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.6 255.255.255.252
ip router isis
encapsulation frame-relay
serial restart-delay 0
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.5 200
no frame-relay inverse-arp
!
router isis
net 49.0002.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0
default-information originate

ISIS over Frame-Relay

Configuring ISIS over frame-relay requires an additional command, frame-relay map clns <dlci> broadcast (DLCI 200 in the configuration below), because ISIS packets are not carried in IP at layer 3 but in CLNS, so the frame-relay map ip statement on its own gives ISIS no way to reach the neighbour across the PVC.

Consider the topology below.

frame-isis

Watch the video below or alternatively download it and watch it on your iPod .

The commands used in the configuration can be found below.

R1
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1

R2

!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00

ISIS wide metrics

By default ISIS uses narrow metrics, which cap an interface metric at 63.

To address this limitation a new IS-IS TLV was defined to overcome the 6-bit metric limit of 63.  This TLV, known as TLV type 135, increased the per-link metric range from <0-63> to <1-16777214>, i.e. the new TLV has 24 bits for the ISIS link metric.

This new range can be seen under the interface config mode as shown below.

R2(config)#interface loopback 0
R2(config-if)#isis metric ?
<1-16777214>  Default metric

Consider the topology below.

metric-style

We will attempt to increase the metric of the R2 loopback to greater than 63 with and without wide-metrics enabled.

The video below shows how to configure and verify the use of wide metrics in ISIS.  Click here to download the video and watch it on your iPod.

The commands used in the video are as below:-

R1

interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R2

interface Loopback0
isis metric 10000
!
interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R3

interface FastEthernet1/0
ip router isis
!
interface FastEthernet1/1
ip router isis
!

router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!

To verify the wide metric on R1 use the command below.

R1#show isis database R2.00-00 detail

IS-IS Level-2 LSP R2.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00              0x0000000E   0x1A31        428               0/0/0
Area Address: 49.0001
NLPID:        0xCC
Hostname: R2
IP Address:        2.2.2.2
Metric: 10         IS-Extended R3.02
Metric: 10000      IP 2.2.2.2/32
Metric: 10         IP 10.0.0.4/30

ISIS Security

ISIS uses four types of packets: hellos, LSPs, CSNPs and PSNPs. The different authentication methods insert passwords into different packets, and some of the methods allow MD5 as well as clear text authentication. The 5 password configuration options for ISIS are as follows:-

1-area-password
2-domain-password
3-authentication key-chain
4-isis authentication key-chain
5-isis password

Both the area-password and domain-password options will insert a clear text password into LSPs, CSNPs and PSNPs. However the area-password will only insert a password in level-1 LSPs, CSNPs and PSNPs and the domain-password will only insert a password into level-2 LSPs, CSNPs and PSNPs. Both commands are applied at the router configuration mode. Both commands do NOT insert a password into the ISIS hello packet.

Click here to see a Level-1 capture using the area-password
Click here to see a Level-2 capture using the domain-password

Options 3 and 4 above ie authentication key-chain and isis authentication key-chain give the user the option of using either clear text or MD5 authentication. The fundamental difference between authentication key-chain and isis authentication key-chain is that the former is applied at router configuration mode and inserts a password into all LSPs, CSNPs and PSNPs whereas the latter is applied at the interface level and only applies a password into hello packets.

Click here to see a capture using a clear text authentication key (router configuration mode)
Click here to see a capture using an MD5 authentication key (router configuration mode)

Click here to see a capture using a clear text isis authentication key (interface configuration mode)

Option 5 ie the isis password only provides for clear text authentication and is applied at the interface configuration level.

Click here to see a capture using the clear text isis password (interface configuration mode)

Now let's see what happens if we configure an MD5 authentication key-chain under router configuration mode and a clear text key-chain under interface configuration mode using isis authentication key-chain.

We will use the syntax below.

authentication key under router configuration mode

key chain ZARAR
key 1
key-string ZARAR

router isis
authentication mode md5
authentication key-chain ZARAR

isis authentication key under interface configuration mode

key chain ZARAR-OVERRIDE
key 1
key-string ZARAR-OVERRIDE

interface FastEthernet1/0
isis authentication mode text
isis authentication key-chain ZARAR-OVERRIDE

As you can see from the Wireshark capture, all the Level-1 LSPs and CSNPs are using MD5 authentication, while all Level-1 hellos are using the clear text password ZARAR-OVERRIDE.

Click here to see wireshark capture of the above configuration.
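The captures linked above show the difference between the two authentication types on the wire: a clear text key (type 1 in the Authentication Information TLV, type 10) is readable by anyone who can see the packet, whereas HMAC-MD5 (type 54, RFC 5304) only exposes a 16-octet digest. The following Python script is an added example, not code from the original post, that builds the TLV area of a hello and an LSP modelled on the mixed configuration above, classifies the authentication present the way a capture tool would, and verifies the HMAC-MD5 digest. The key names ZARAR and ZARAR-OVERRIDE are taken from the post; the sample PDUs are constructed here, and only the TLV area is modelled (the fixed PDU header and the LSP checksum/lifetime zeroing of RFC 5304 are left out).

```python
import hashlib
import hmac

# Authentication Information TLV (type 10). The first octet of the value is
# the authentication type; the remainder is the clear text password
# (RFC 1195, type 1) or a 16-octet HMAC-MD5 digest (RFC 5304, type 54).
TLV_AREA = 1
TLV_AUTH = 10
TLV_HOSTNAME = 137
AUTH_CLEARTEXT = 1
AUTH_HMAC_MD5 = 54
DIGEST_LEN = 16


def build_tlv(tlv_type, value):
    if len(value) > 255:
        raise ValueError("TLV value exceeds 255 octets")
    return bytes([tlv_type, len(value)]) + value


def parse_tlvs(data):
    """Walk a TLV area, yielding (type, value, offset of the type octet)."""
    i = 0
    while i + 2 <= len(data):
        start, tlv_type, length = i, data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ValueError("truncated TLV")
        yield tlv_type, data[i:i + length], start
        i += length


def describe_auth(tlv_area):
    """Report how the TLV area is authenticated, as a capture tool would.
    A clear text key is recovered directly; MD5 yields only the digest."""
    for tlv_type, value, _ in parse_tlvs(tlv_area):
        if tlv_type != TLV_AUTH or not value:
            continue
        if value[0] == AUTH_CLEARTEXT:
            return {"type": "cleartext", "password": value[1:].decode("ascii", "replace")}
        if value[0] == AUTH_HMAC_MD5:
            return {"type": "hmac-md5", "digest": value[1:].hex()}
        return {"type": f"unknown({value[0]})"}
    return {"type": "none"}


def hmac_md5_sign(tlv_area, key):
    """Append an HMAC-MD5 auth TLV. As in RFC 5304, the digest is computed with
    the TLV in place and its 16 digest octets set to zero (TLV area only here)."""
    placeholder = build_tlv(TLV_AUTH, bytes([AUTH_HMAC_MD5]) + bytes(DIGEST_LEN))
    digest = hmac.new(key, tlv_area + placeholder, hashlib.md5).digest()
    return tlv_area + build_tlv(TLV_AUTH, bytes([AUTH_HMAC_MD5]) + digest)


def hmac_md5_verify(tlv_area, key):
    """Recompute the digest over the zeroed TLV area and compare in constant time."""
    for tlv_type, value, start in parse_tlvs(tlv_area):
        if tlv_type == TLV_AUTH and len(value) == 1 + DIGEST_LEN and value[0] == AUTH_HMAC_MD5:
            digest_at = start + 3  # type octet, length octet, auth-type octet
            zeroed = tlv_area[:digest_at] + bytes(DIGEST_LEN) + tlv_area[digest_at + DIGEST_LEN:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value[1:])
    return False


# Constructed sample PDUs mirroring the mixed configuration above: a Level-1
# hello carrying the clear text key ZARAR-OVERRIDE, and an LSP authenticated
# with HMAC-MD5 under the key ZARAR.
AREA_TLV = build_tlv(TLV_AREA, b"\x03\x49\x00\x01")  # area address 49.0001
HELLO_TLVS = AREA_TLV + build_tlv(TLV_AUTH, bytes([AUTH_CLEARTEXT]) + b"ZARAR-OVERRIDE")
LSP_TLVS = hmac_md5_sign(AREA_TLV + build_tlv(TLV_HOSTNAME, b"R2"), b"ZARAR")

if __name__ == "__main__":
    print("hello:", describe_auth(HELLO_TLVS))
    print("lsp:", describe_auth(LSP_TLVS))
    print("lsp verifies with ZARAR:", hmac_md5_verify(LSP_TLVS, b"ZARAR"))
    print("lsp verifies with WRONG:", hmac_md5_verify(LSP_TLVS, b"WRONG"))
```

Running it prints the hello's password in full and only a digest for the LSP, which is the reason to prefer the MD5 mode wherever the platform offers it: with the key-chain methods the same key protects the packet without ever appearing in it, and a modified LSP (for example a changed hostname TLV) no longer verifies.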

To summarize:

Method                   Clear Text  MD5  Password inserted into
                                          LSP   CSNP  PSNP  Hello
area-password            yes         no   yes   yes   yes   no
domain-password          yes         no   yes   yes   yes   no
authentication-key       yes         yes  yes   yes   yes   no
isis authentication-key  yes         yes  no    no    no    yes
isis password            yes         no   no    no    no    yes

For further information please click the link below.

http://www.cisco.com/en/US/partner/docs/ios/iproute/command/reference/irp_is1.html#wp1012820

Traffic Engineering – IGP extensions (IS-IS)

Some extensions were added to ISIS to provide resource information to the TE process.

IS-IS Extensions added to support TE

TLVs have been defined to extend IS-IS functionality to include it amongst the protocols of choice for TE.

Informational RFC 3784 details the TLVs which have been added to IS-IS to support TE.  RFC 3784 also introduces the concept of sub-TLVs.

Sub-TLVs have been added to IS-IS. Sub-TLVs are identical to regular TLVs in their structure and layout.  They differ however with respect to their location.  Sub-TLVs are found within regular TLVs which in turn are found in IS-IS packets.

Sub-TLVs are used to add additional information to the parent TLV.

RFC 3784 extends IS-IS with the following TLVs

1-The Extended IS reachability TLV (TLV type 22). (see section 3 RFC 3784)
2-The Extended IP Reachability TLV (TLV type 135). (see section 4 RFC 3784)
3-The Traffic Engineering Router ID TLV (TLV type 134). (see section 5 RFC 3784)

The Extended IS reachability TLV (TLV type 22)

TLV22 contains many sub-TLVs, the key sub-TLVs required for TE are

Sub-TLV 9: Maximum link bandwidth (section 3.4)
Sub-TLV 10: Maximum reservable link bandwidth (section 3.5)
sub-TLV 11: Unreserved bandwidth (section 3.6)
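To make the layout of TLV 22 and its bandwidth sub-TLVs concrete, here is an added Python example (not code from the post or from any vendor) that encodes one neighbour entry with sub-TLVs 9, 10 and 11 and parses it back. The entry format (7-octet neighbour ID, 3-octet metric, 1-octet sub-TLV length, sub-TLVs) and the use of IEEE 754 single-precision floats in bytes per second for the bandwidth values follow RFC 3784 section 3; the neighbour R3.02 with metric 10 is borrowed from the wide-metric LSP shown earlier, and the bandwidth figures are constructed.

```python
import struct

# Extended IS reachability TLV (type 22, RFC 3784 section 3). Each neighbour
# entry is: 7-octet neighbour ID (6-octet system ID + pseudonode octet),
# 3-octet wide metric, 1-octet sub-TLV length, then the sub-TLVs. The
# bandwidth sub-TLVs carry IEEE 754 single-precision floats in bytes/second.
SUBTLV_MAX_BW = 9           # Maximum link bandwidth (section 3.4)
SUBTLV_MAX_RSV_BW = 10      # Maximum reservable link bandwidth (section 3.5)
SUBTLV_UNRESERVED_BW = 11   # Unreserved bandwidth, one float per priority 0..7 (section 3.6)
MAX_LINK_METRIC = 0xFFFFFF  # 2^24 - 1: the link must not be used in SPF


def _subtlv(subtlv_type, value):
    return bytes([subtlv_type, len(value)]) + value


def build_is_entry(neighbor_id, metric, max_bw=None, max_rsv_bw=None, unreserved=None):
    """Encode one neighbour entry. Bandwidths are in bytes per second."""
    if len(neighbor_id) != 7:
        raise ValueError("neighbour ID is the 6-octet system ID plus the pseudonode octet")
    if not 0 <= metric <= MAX_LINK_METRIC:
        raise ValueError("the wide link metric is 24 bits")
    sub = b""
    if max_bw is not None:
        sub += _subtlv(SUBTLV_MAX_BW, struct.pack("!f", max_bw))
    if max_rsv_bw is not None:
        sub += _subtlv(SUBTLV_MAX_RSV_BW, struct.pack("!f", max_rsv_bw))
    if unreserved is not None:
        if len(unreserved) != 8:
            raise ValueError("unreserved bandwidth needs one value per priority 0..7")
        sub += _subtlv(SUBTLV_UNRESERVED_BW, struct.pack("!8f", *unreserved))
    if len(sub) > 255:
        raise ValueError("sub-TLVs exceed the 1-octet length field")
    return neighbor_id + metric.to_bytes(3, "big") + bytes([len(sub)]) + sub


def _fmt_neighbor(nid):
    sysid = nid[:6].hex()
    return f"{sysid[0:4]}.{sysid[4:8]}.{sysid[8:12]}.{nid[6]:02x}"


def parse_is_entries(value):
    """Decode the value of a TLV 22 into a list of neighbour dicts."""
    entries = []
    i = 0
    while i < len(value):
        if i + 11 > len(value):
            raise ValueError("truncated neighbour entry")
        nid = value[i:i + 7]
        metric = int.from_bytes(value[i + 7:i + 10], "big")
        sub_len = value[i + 10]
        i += 11
        sub = value[i:i + sub_len]
        if len(sub) != sub_len:
            raise ValueError("truncated sub-TLVs")
        i += sub_len
        entry = {"neighbor": _fmt_neighbor(nid), "metric": metric,
                 "usable": metric != MAX_LINK_METRIC}
        j = 0
        while j + 2 <= len(sub):
            st, sl = sub[j], sub[j + 1]
            sv = sub[j + 2:j + 2 + sl]
            j += 2 + sl
            if st == SUBTLV_MAX_BW and sl == 4:
                entry["max_bw"] = struct.unpack("!f", sv)[0]
            elif st == SUBTLV_MAX_RSV_BW and sl == 4:
                entry["max_rsv_bw"] = struct.unpack("!f", sv)[0]
            elif st == SUBTLV_UNRESERVED_BW and sl == 32:
                entry["unreserved"] = list(struct.unpack("!8f", sv))
        entries.append(entry)
    return entries


def can_reserve(entry, priority, bytes_per_sec):
    """CSPF-style admission check against the unreserved bandwidth at a priority."""
    return entry.get("unreserved", [0.0] * 8)[priority] >= bytes_per_sec


# Constructed sample: R2's adjacency to pseudonode R3.02 (metric 10, as in the
# wide-metric LSP shown earlier) over a 100 Mbit/s link with 50 Mbit/s still
# unreserved at every priority. Values are bytes per second.
FE_BPS = 12_500_000.0
SAMPLE_TLV22 = build_is_entry(bytes.fromhex("00000000000302"), 10,
                              max_bw=FE_BPS, max_rsv_bw=FE_BPS, unreserved=[FE_BPS / 2] * 8)

if __name__ == "__main__":
    for e in parse_is_entries(SAMPLE_TLV22):
        print(e)
        print("reserve 40 Mbit/s at priority 7:", can_reserve(e, 7, 5_000_000.0))
```

The parser deliberately ignores sub-TLVs it does not know and checks every length before slicing; a TLV that claims more sub-TLV octets than are present raises rather than being silently accepted, which is the behaviour you want in anything that consumes LSPs from the network.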

The Extended IP Reachability TLV (TLV type 135)

TLV135 removes the previous restriction which only allowed a metric range of 0-63.  TLV135 provides a 32-bit metric field.

TLV 135 also added one bit (the up/down bit) to indicate that a prefix has been redistributed from level-2 to level-1.  This bit is required to prevent routing loops.  When a prefix is advertised from level-2 to level-1 the up/down bit is set to 1.  Prefixes with the up/down bit set to 1 cannot be advertised back to level-2.  This is used for loop prevention.
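The following Python example is added here, not taken from the post, to show both points made about TLV 135 in one place: the narrow TLV 128 entry of RFC 1195 cannot carry the 10000 metric that the wide-metrics post configures on R2's loopback, while the TLV 135 entry (32-bit metric, control octet with the up/down bit and prefix length) can, and the up/down bit blocks re-advertisement to level-2. The entry layouts follow RFC 1195 and RFC 3784 section 4; the prefixes and metrics are the ones from the earlier wide-metrics LSP, and the sub-TLV handling is limited to skipping them.

```python
import ipaddress

NARROW_MAX = 63            # 6-bit default metric of TLV 128 (RFC 1195)
WIDE_MAX = 0xFFFFFFFF      # 32-bit metric field of TLV 135 (RFC 3784 section 4)
CTRL_UP_DOWN = 0x80
CTRL_SUBTLV = 0x40


def encode_narrow_entry(prefix, metric):
    """TLV 128 (IP Internal Reachability) entry: four 1-octet metric fields
    (default, delay, expense, error), then a 4-octet address and 4-octet mask.
    Only the default metric is carried; the other three are flagged unsupported."""
    if not 0 <= metric <= NARROW_MAX:
        raise ValueError(f"metric {metric} does not fit the 6-bit narrow metric")
    net = ipaddress.IPv4Network(prefix)
    return bytes([metric, 0x80, 0x80, 0x80]) + net.network_address.packed + net.netmask.packed


def encode_wide_entry(prefix, metric, up_down=False):
    """TLV 135 entry: 4-octet metric, control octet (bit 7 up/down, bit 6
    sub-TLVs present, bits 0-5 prefix length), then only as many prefix
    octets as the prefix length needs."""
    if not 0 <= metric <= WIDE_MAX:
        raise ValueError(f"metric {metric} does not fit 32 bits")
    net = ipaddress.IPv4Network(prefix)
    ctrl = (CTRL_UP_DOWN if up_down else 0) | net.prefixlen
    nbytes = (net.prefixlen + 7) // 8
    return metric.to_bytes(4, "big") + bytes([ctrl]) + net.network_address.packed[:nbytes]


def decode_wide_entries(value):
    """Decode the value of a TLV 135 into prefix/metric/up-down dicts."""
    entries = []
    i = 0
    while i < len(value):
        if i + 5 > len(value):
            raise ValueError("truncated entry")
        metric = int.from_bytes(value[i:i + 4], "big")
        ctrl = value[i + 4]
        plen = ctrl & 0x3F
        nbytes = (plen + 7) // 8
        addr = value[i + 5:i + 5 + nbytes]
        if len(addr) != nbytes:
            raise ValueError("truncated prefix")
        i += 5 + nbytes
        if ctrl & CTRL_SUBTLV:  # sub-TLVs present: skip them
            i += 1 + value[i]
        prefix = f"{ipaddress.IPv4Address(addr + bytes(4 - nbytes))}/{plen}"
        entries.append({"prefix": prefix, "metric": metric, "up_down": bool(ctrl & CTRL_UP_DOWN)})
    return entries


def leak_to_level1(entry):
    """A level-1-2 router redistributing a level-2 prefix down sets the up/down bit."""
    return dict(entry, up_down=True)


def may_advertise_to_level2(entry):
    """Loop prevention: a prefix learnt with the up/down bit set never goes back up."""
    return not entry["up_down"]


# Constructed sample: R2's loopback with the 10000 metric from the wide-metrics
# example, plus the 10.0.0.4/30 link with metric 10.
R2_LOOPBACK = ("2.2.2.2/32", 10000)
R2_LINK = ("10.0.0.4/30", 10)

if __name__ == "__main__":
    try:
        encode_narrow_entry(*R2_LOOPBACK)
    except ValueError as exc:
        print("narrow:", exc)
    tlv = encode_wide_entry(*R2_LOOPBACK) + encode_wide_entry(*R2_LINK)
    for e in decode_wide_entries(tlv):
        leaked = leak_to_level1(e)
        print(e, "re-advertise to L2 after leaking:", may_advertise_to_level2(leaked))
```

Run as written, the narrow encoder refuses the 10000 metric while the wide one accepts it, which is exactly the difference the wide-metrics post verifies with show isis database detail; the decoded entries come back with the up/down bit clear, and a leaked copy of the same prefix is rejected for re-advertisement to level-2.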

The Traffic Engineering Router ID TLV (TLV type 134)

The router ID TLV contains the 4 octet router ID of the router.

An Important note:- If the loopback address is used as the TE router ID and it is advertised in the IGP as well as BGP then the BGP router ID should be identical to the TE router ID.

MPLS infrastructure configuration.

Here is a short video showing how to configure an MPLS core infrastructure.  The video covers basic serial and ethernet configurations, IP addressing, ISIS, MPLS and BGP VPNv4 configurations.  The network topology can be seen in the diagram below.

 

MPLS Core Infrastructure

ISIS – creating unique system IDs

*There are several techniques for creating unique system IDs:

1. Start numbering 1, 2, 3, 4, and so on.
2. Use Media Access Control (MAC) addresses.
3. Convert and use the loopback IP address as below.

*taken from Cisco web site
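As an added example (not part of the original post), the Python below implements the third technique the way it is usually done: each loopback octet is padded to three digits, the twelve digits are regrouped into three four-digit blocks, and the result is dropped into a NET. It also reverses the mapping (handy when reading show isis database output) and checks a list of NETs for duplicate system IDs, which have to be unique across the whole routing domain, not just within an area. The loopbacks 1.1.1.1 to 3.3.3.3 are the ones used in the earlier posts; the padding rule itself is the common convention and is assumed here, since the post does not spell it out.

```python
import ipaddress
from collections import Counter


def system_id_from_loopback(ip):
    """Pad each octet to three digits, join the twelve digits and regroup them
    into three four-digit blocks: 1.1.1.1 -> 001001001001 -> 0010.0100.1001."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    digits = "".join(octet.zfill(3) for octet in octets)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def loopback_from_system_id(system_id):
    """Reverse the mapping; validates that the result is a real IPv4 address."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("not a loopback-derived system ID")
    octets = ".".join(str(int(digits[i:i + 3])) for i in range(0, 12, 3))
    return str(ipaddress.IPv4Address(octets))


def net_from_loopback(area, ip, nsel="00"):
    """Assemble the NET: area + system ID + NSEL (00 for the router itself)."""
    return f"{area}.{system_id_from_loopback(ip)}.{nsel}"


def split_net(net):
    """Split a NET into (area, system ID, NSEL); the last four groups are fixed
    in the simplified format, everything before them is the area."""
    parts = net.split(".")
    if len(parts) < 5:
        raise ValueError("a NET needs an area, a 6-octet system ID and an NSEL")
    return ".".join(parts[:-4]), ".".join(parts[-4:-1]), parts[-1]


def duplicate_system_ids(nets):
    """System IDs must be unique across the whole domain, not just per area."""
    counts = Counter(split_net(net)[1] for net in nets)
    return sorted(sid for sid, n in counts.items() if n > 1)


# Constructed sample: the three routers from the earlier posts with NETs derived
# from their loopbacks, plus a deliberately colliding NET in a second area.
LOOPBACKS = {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "3.3.3.3"}

if __name__ == "__main__":
    nets = [net_from_loopback("49.0001", ip) for ip in LOOPBACKS.values()]
    for name, net in zip(LOOPBACKS, nets):
        print(name, net)
    print("duplicates:", duplicate_system_ids(nets + ["49.0002.0010.0100.1001.00"]))
```

Because the mapping from loopback to system ID is one-to-one, unique loopbacks guarantee unique system IDs; the duplicate check is there for the case where loopback-derived and hand-numbered NETs are mixed in one domain.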

Simplified NSAP format

The actual NSAP format is quite complicated. Luckily there is a simplified format which is used in most implementations.

Click here to view a power point show on the simplified NSAP format.