IS-IS (Intermediate System to Intermediate System) Explained
1. Basic terminology and basic configuration
R2:
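isis 1 //start the routing process
network-entity 49.0124.2222.2222.2222.00 //NET address: contains the area ID (49.0124, variable length), the system ID (2222.2222.2222, fixed length of 6 bytes) and the NSEL, fixed at 00 (analogous to a TCP port number)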
[R2-isis-1]network-entity 47.0124.1111.1111.1111.00
Error: NET Set - System is running. SystemId conflicts. //the system ID must be unique!
[R2-isis-1]network-entity 42.0124.2222.2222.2222.00
Warning: The maximum allowed area address already configured. //in theory at most 254 areas, but the default is 3
#
interface Serial2/0/0
link-protocol ppp
ip address 10.1.12.2 255.255.255.0
isis enable 1 //enable IS-IS on this interface and advertise the interface into the IS-IS database
<R2>dis isis brief
ISIS Protocol Information for ISIS(1)
-------------------------------------
SystemId: 2222.2222.2222 System Level: L12
Area-Authentication-mode: NULL
Domain-Authentication-mode: NULL
Ipv6 is not enabled
ISIS is in invalid restart status
ISIS is in protocol hot standby state: Real-Time Backup
Interface: 22.1.1.1(Loop0)
Cost: L1 0 L2 0 Ipv6 Cost: L1 0 L2 0
State: IPV4 Up IPV6 Down
Type: P2P MTU: 1500
Priority: L1 64 L2 64
Timers: Csnp: L12 10 , Retransmit: L12 5 , Hello: 10 ,
Hello Multiplier: 3 , LSP-Throttle Timer: L12 50
Interface: 10.1.12.2(S2/0/0)
Cost: L1 10 L2 10 Ipv6 Cost: L1 10 L2 10 //the IS-IS cost is 10
State: IPV4 Up IPV6 Down
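Type: P2P MTU: 1500 //point-to-point network type
Priority: L1 64 L2 64 //used to elect the DIS (≈ DR)
Timers: Csnp: L12 10 , Retransmit: L12 5 , Hello: 10 , //CSNPs are sent every 10s
Hello Multiplier: 3 , LSP-Throttle Timer: L12 50 //Hello Multiplier ≈ OSPF's dead time of 4 times the Hello interval
IS-IS in Volume 1 / "OSPF and IS-IS Explained"
Mnemonic "相依(一)为命" (a pun on "one"): Level-1 strictly requires the area IDs to match!
1.2 Router roles: L1 devices
An L1 router can form adjacencies with L1 devices or with L1/L2 devices. An L1 area is analogous to an OSPF stub area: to forward packets outside the area, it has to go through the nearest L1/L2 router (ABR). For the same route, the L1 form is preferred over the L2 form.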
isis 1
is-level level-1 //make this device an L1 router; it can then only form L1 adjacencies with other devices
network-entity 49.0124.1111.1111.1111.00
is-name R1
[R1-isis-1]dis isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI
R2 S2/0/0 0000000002 Up 26s L1 --
QYT-R4 GE0/0/0 R1.01 Up 30s L1 64
1.3 L1/L2 devices
This is the default role (≈ ABR); it maintains two databases, one for L1 and one for L2.
An important bit to know: ATT
dis isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
R1.00-00 0x00000047 0xf8d5 960 117 0/0/0
R1.01-00 0x00000005 0xd254 960 55 0/0/0
R2.00-00 0x00000032 0x94b 1076 114 1/0/0
QYT-R4.00-00 0x00000031 0xf360 958 110 1/0/0
Total LSP(s): 4
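(In TLV)-Leaking Route, (By LSPID)-Self LSP, +-Self LSP(Extended), //Self LSP: an LSP generated by this device
ATT-Attached, P-Partition, OL-Overload //ATT: used by the ABR to generate a default route; P: stands for a virtual link, but no vendor supports it; OL: overload bit, if set to 1 the router is not used for transit in the SPF calculation
1.4 L2 devices
Maintains the L2 LSDB; the backbone area.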
isis 1
is-level level-2 //this device is an L2 device
network-entity 49.2020.0000.0000.2020.00
is-name SW2
#
2. Neighbor troubleshooting
2.1 Same subnet
If this condition is not met:
Unusable IP Addr : 25
Point-to-point link:
interface Serial2/0/0
link-protocol ppp
ip address 10.1.13.1 255.255.255.0
isis enable 1
isis peer-ip-ignore
interface Serial2/0/0
link-protocol ppp
ip address 10.1.12.2 255.255.255.0
isis enable 1
isis peer-ip-ignore //configure both neighbors on the point-to-point link to skip the subnet check
Dec 24 2017 10:58:57-08:00 R2 %%01ISIS/4/ADJ_CHANGE_LEVEL(l)[0]:The neighbor of ISIS was changed. (IsisProcessId=256, Neighbor=1111.1111.1111, InterfaceName=S2/0/0, CurrentState=init, ChangeType=NEW_ADJ_CREATE, Level=Unknown)
[R2-Serial2/0/0]
Dec 24 2017 10:58:57-08:00 R2 %%01ISIS/4/ADJ_CHANGE_LEVEL(l)[1]:The neighbor of ISIS was changed. (IsisProcessId=256, Neighbor=1111.1111.1111, InterfaceName=S2/0/0, CurrentState=up, ChangeType=3_WAY_UP, Level=Level-1-2)
interface Serial2/0/0
link-protocol ppp
ip address unnumbered interface LoopBack0 //a point-to-point link borrows another interface's address; used on WAN links when IP addresses are scarce
isis enable 1
isis peer-ip-ignore
2.2 Duplicate system ID
<R2>dis isis error
Repeated System ID : 8
2.3 L1 strictly requires the same area ID
<R2>dis isis error
Mismatched Area Addr(L1): 39
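The NET layout from section 1 and the checks in 2.2 and 2.3, as an added example that is not code from the original post: it splits a NET into area ID and system ID and predicts which adjacency two directly connected routers can form. The helper names are hypothetical; the NETs and levels are the ones configured on this page.

```python
# Added example, not from the original post. Helper names are hypothetical.
MAX_AREAS = 3  # default number of area addresses per router (warning in section 1)

def parse_net(net):
    """Split a NET into (area_id, system_id); the trailing NSEL must be 00."""
    raw = bytes.fromhex(net.replace(".", ""))
    if not 8 <= len(raw) <= 20:   # >= 1-byte area + 6-byte system ID + 1-byte NSEL
        raise ValueError(f"{net}: a NET is 8 to 20 bytes long")
    if raw[-1] != 0:
        raise ValueError(f"{net}: NSEL must be 00")
    a, s = raw[:-7].hex(), raw[-7:-1].hex()
    area = ".".join([a[:2]] + [a[i:i + 4] for i in range(2, len(a), 4)])
    return area, f"{s[:4]}.{s[4:8]}.{s[8:]}"

def router(name, level, *nets):
    """level is 'L1', 'L2' or 'L12'; all NETs on one router share one system ID."""
    parsed = [parse_net(n) for n in nets]
    sysids = {s for _, s in parsed}
    if len(sysids) != 1:
        raise ValueError(f"{name}: SystemId conflicts: {sorted(sysids)}")
    if len(parsed) > MAX_AREAS:
        raise ValueError(f"{name}: more than {MAX_AREAS} area addresses")
    return {"name": name, "level": level, "sysid": sysids.pop(),
            "areas": {a for a, _ in parsed}}

def adjacency(x, y):
    """Adjacency two directly connected routers can form, or the failure reason."""
    if x["sysid"] == y["sysid"]:
        return "none: Repeated System ID"
    both_l1 = "1" in x["level"] and "1" in y["level"]
    levels = []
    if both_l1 and x["areas"] & y["areas"]:       # L1 needs a shared area address
        levels.append("L1")
    if "2" in x["level"] and "2" in y["level"]:   # L2 ignores the area address
        levels.append("L2")
    if levels:
        return "/".join(levels)
    return "none: Mismatched Area Addr(L1)" if both_l1 else "none: no common level"

R1 = router("R1", "L1", "49.0124.1111.1111.1111.00")
R2 = router("R2", "L12", "49.0124.2222.2222.2222.00")
R4 = router("QYT-R4", "L12", "49.0124.4444.4444.4444.00")
SW2 = router("SW2", "L2", "49.2020.0000.0000.2020.00")

if __name__ == "__main__":
    for a, b in [(R1, R2), (R2, R4), (R2, SW2), (R1, SW2)]:
        print(a["name"], b["name"], adjacency(a, b))
```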
2.4 Do not configure the silent command on an interface that has to form an adjacency
interface GigabitEthernet0/0/2
ip address 10.1.20.2 255.255.255.0
isis enable 1
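isis silent //the interface no longer sends or receives IS-IS packets
On Huawei devices, the two ends of a link are not required to use the same IS-IS process either!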
isis 1
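is-name R1 //change the intermediate system's name so it is easier to identify
2.5 IS-IS authentication can affect the adjacency
Authentication can be applied to IIHs (Hellos) and also to LSPs.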
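The "dis isis brief" output in section 1 reports both process-level authentication modes as NULL. As an added example (not code from the original post), the audit below flags every level a router runs without LSP/SNP authentication; it does not cover IIH authentication. It assumes the area mode protects L1 and the domain mode protects L2; audit_brief() is a hypothetical name and the second sample is constructed.

```python
# Added example, not from the original post. audit_brief() is a hypothetical helper.
import re

# Process-level authentication mode that protects each level's LSPs and SNPs.
SCOPE_LEVEL = {"Area": "L1", "Domain": "L2"}
HEADER = re.compile(r"ISIS Protocol Information for ISIS\((\d+)\)")

def audit_brief(host, text):
    """Return (host, process, scope, level) for each level running without LSP auth."""
    findings = []
    parts = HEADER.split(text)[1:]            # [pid, body, pid, body, ...]
    for pid, body in zip(parts[0::2], parts[1::2]):
        m = re.search(r"System Level:\s*L(\d+)", body)
        running = m.group(1) if m else "12"   # level unknown: check both
        modes = dict(re.findall(r"(Area|Domain)-Authentication-mode:\s*(\S+)", body))
        for scope, level in SCOPE_LEVEL.items():
            if level[1] not in running:
                continue                      # this router does not run that level
            if modes.get(scope, "NULL").upper() == "NULL":
                findings.append((host, int(pid), scope, level))
    return findings

# R2's output as shown in section 1 of this page.
R2_BRIEF = """\
ISIS Protocol Information for ISIS(1)
-------------------------------------
SystemId: 2222.2222.2222 System Level: L12
Area-Authentication-mode: NULL
Domain-Authentication-mode: NULL
"""

# Constructed sample: an L1-only router; "MD5" is an assumed non-NULL value.
R1_BRIEF = """\
ISIS Protocol Information for ISIS(1)
-------------------------------------
SystemId: 1111.1111.1111 System Level: L1
Area-Authentication-mode: MD5
Domain-Authentication-mode: NULL
"""

if __name__ == "__main__":
    for f in audit_brief("R2", R2_BRIEF) + audit_brief("R1", R1_BRIEF):
        print("no %s authentication for %s LSPs/SNPs: %s process %d"
              % (f[2], f[3], f[0], f[1]))
```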
2.6 The network type must match
P2P and broadcast: the network type cannot be changed arbitrarily.
[R1-GigabitEthernet0/0/0]isis circuit-type ?
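p2p Change the network type of the circuit to P2P //only a broadcast network can be changed to point-to-point, not the other way round. The point-to-point Hello (IIH) and the LAN Hello are two different PDUs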
Bad Circuit Type : 4
2.7 MTU issues on Ethernet
interface GigabitEthernet0/0/0
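mtu 1496 //the MTU used by IS-IS packets should be the physical interface MTU minus 3 bytes (IS-IS is encapsulated directly in the 802.3 sublayer, and the LLC sublayer takes 3 bytes). On Huawei devices, if the MTUs do not match, the interface neither sends nor receives IIHs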
ip address 10.1.14.1 255.255.255.0
isis enable 1
[R1-GigabitEthernet0/0/0]dis isis int
Interface information for ISIS(1)
---------------------------------
Interface Id IPV4.State IPV6.State MTU Type DIS
S2/0/0 001 Up Down 1500 L1/L2 --
GE0/0/0 001 Up Down 1497 L1/L2 Yes/Yes
Loop0 002 Up Down 1500 L1/L2 --
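3. Packet exchange
3 major classes (IIH, LSP, SNP), 9 packet types
3.1 The Hello HOLDTIME (9s) is less than the HELLO interval (10s)
IS-IS multi-topology means separating the IPv4 topology (i.e. the database) from the IPv6 topology.
On a LAN, L1 IIHs are sent to 0180-c200-0014 (0180-c200-0015 for L2).
3.2 LSP: routing information and topology information (distribution: UP!)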
<R1>dis isis lsdb ver
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
1111.1111.1111.00-00* 0x00000049 0xf4d7 1053 117 0/0/0
SOURCE R1.00
HOST NAME R1
NLPID IPV4
AREA ADDR 49.0124
INTF ADDR 10.1.12.1
INTF ADDR 10.1.14.1
INTF ADDR 11.1.1.1
NBR ID R2.00 COST: 10
NBR ID R1.01 COST: 10
IP-Internal 10.1.12.0 255.255.255.0 COST: 10
IP-Internal 10.1.14.0 255.255.255.0 COST: 10
IP-Internal 11.1.0.0 255.255.254.0 COST: 0
1111.1111.1111.01-00* 0x00000007 0xce56 1053 55 0/0/0
SOURCE R1.01
NLPID IPV4
NBR ID R1.00 COST: 0
NBR ID QYT-R4.00 COST: 0
2222.2222.2222.00-00 0x00000035 0x34e 448 114 1/0/0
SOURCE R2.00
HOST NAME R2
NLPID IPV4
AREA ADDR 49.0124
AREA ADDR 01.ab34
AREA ADDR 47.0124
INTF ADDR 22.1.1.1
INTF ADDR 10.1.12.2
INTF ADDR 10.1.20.2
NBR ID R1.00 COST: 10
IP-Internal 22.1.1.1 255.255.255.255 COST: 0
IP-Internal 10.1.12.0 255.255.255.0 COST: 10
IP-Internal 10.1.20.0 255.255.255.0 COST: 10
4444.4444.4444.00-00 0x00000035 0xeb64 1102 110 1/0/0
SOURCE QYT-R4.00
HOST NAME QYT-R4
NLPID IPV4
AREA ADDR 49.0124
INTF ADDR 10.1.40.4
INTF ADDR 44.1.1.1
INTF ADDR 10.1.14.4
NBR ID R1.01 COST: 10
IP-Internal 10.1.40.0 255.255.255.0 COST: 10
IP-Internal 44.1.1.1 255.255.255.255 COST: 0
IP-Internal 10.1.14.0 255.255.255.0 COST: 10
Total LSP(s): 4
(In TLV)-Leaking Route, (By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
3.3 SNP
CSNP
PSNP
Requirements:
1. Establish adjacencies according to the NET address settings
2. Change R1 to an L1 device and SW2 to an L2 device
isis 1
is-level level-1
network-entity 49.0124.1111.1111.1111.00
is-name R1
interface GigabitEthernet0/0/0
ip address 10.1.14.1 255.255.255.0
isis enable 1
<R1>dis ip rou pro isis
Route Flags: R - relay, D - download to fib
Public routing table : ISIS
Destinations : 5 Routes : 6
ISIS routing table status : <Active>
Destinations : 5 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 ISIS-L1 15 10 D 10.1.14.4 GigabitEthernet0/0/0
ISIS-L1 15 10 D 10.1.12.2 Serial2/0/0
10.1.20.0/24 ISIS-L1 15 20 D 10.1.12.2 Serial2/0/0
10.1.40.0/24 ISIS-L1 15 20 D 10.1.14.4 GigabitEthernet0/0/0
22.1.1.1/32 ISIS-L1 15 10 D 10.1.12.2 Serial2/0/0
44.1.1.1/32 ISIS-L1 15 10 D 10.1.14.4 GigabitEthernet0/0/0
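4. Network types and LSP exchange
4.1 Network types
P2P network type (HDLC, PPP, Frame Relay sub-interfaces)
Broadcast network type (Ethernet)
The IS-IS DIS introduces the concept of a pseudonode
1) There is no backup DIS
2) Preemption is allowed
3) The default priority is 64; a priority of 0 can also take part in the election.
Election rule: the higher priority wins; after that, the MAC address is used to elect the DIS
4) Its Hello interval is 1/3 that of an ordinary router
[R2-GigabitEthernet0/0/2]isis dis-priority 65 //raise R2's DIS priority above the peer's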
[R2-GigabitEthernet0/0/2]dis isis int
Interface information for ISIS(1)
---------------------------------
Interface Id IPV4.State IPV6.State MTU Type DIS
Loop0 001 Up Down 1500 L1/L2 --
S2/0/0 002 Up Down 1500 L1/L2 --
GE0/0/2 001 Up Down 1497 L1/L2 No/Yes //R2 has become the L2 DIS on this interface
IIH
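4.2 Neighbors on a broadcast network
The adjacency is established with a 3-way handshake (3 packets)
A DIS has to be elected (2 Hello intervals)
4.3 Adjacencies on a point-to-point network
A 2-way handshake is enough
[R1-Serial2/0/0]isis ppp-negotiation 3-way //3-way handshake by default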
[R1-Serial2/0/0]isis ppp-negotiation 2-way
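LSP and SNP
LSP synchronization on a LAN (with a DIS):
1) Each device sends its own LSPs
2) The DIS collects the new LSPs and periodically (every 10s) sends a CSNP (analogous to DBD)
3) Missing LSPs are requested with a PSNP (analogous to LS Request)
4) The detailed LSPs are updated
LSP synchronization on a point-to-point link:
1) The local end sends its CSNP (an index)
2) The peer compares it, then sends a PSNP to request the actual content
3) The local end sends the detailed LSPs
4) After receiving the LSPs, the peer returns a PSNP (analogous to an ACK) to acknowledge them
The roles of the sequence number, the remaining lifetime (a countdown) and the checksum in an LSP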
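What a router does with a received CSNP in the synchronization steps above, and how the sequence number, remaining lifetime and checksum enter that comparison, as an added example that is not code from the original post. It assumes the CSNP covers the whole LSDB range; newer() and on_csnp() are hypothetical names, the local LSDB values are those shown in 1.3, and the CSNP is constructed.

```python
# Added example, not from the original post. Helper names are hypothetical.

def newer(a, b):
    """True if summary a = (seq, remaining_lifetime, checksum) is newer than b."""
    if a[0] != b[0]:
        return a[0] > b[0]              # the higher sequence number wins
    return a[1] == 0 and b[1] > 0       # same sequence: a purge (lifetime 0) wins

def on_csnp(lsdb, csnp):
    """Compare a received CSNP with the local LSDB.
    Both map LSPID -> (seq, remaining_lifetime, checksum)."""
    out = {"psnp_request": [], "flood": [], "conflict": []}
    for lspid, theirs in csnp.items():
        mine = lsdb.get(lspid)
        if mine is None:
            if theirs[1] > 0:                       # nothing to fetch for a purge
                out["psnp_request"].append(lspid)
        elif newer(theirs, mine):
            out["psnp_request"].append(lspid)       # the sender holds a newer copy
        elif newer(mine, theirs):
            out["flood"].append(lspid)              # we hold the newer copy
        elif mine[2] != theirs[2]:
            out["conflict"].append(lspid)           # same sequence, different content
    # LSPs the sender did not list at all are unknown to it: send them.
    out["flood"] += [i for i in lsdb if i not in csnp]
    return out

# Local L1 LSDB: the four LSPs from the "dis isis lsdb" output in 1.3.
LSDB = {
    "R1.00-00":     (0x47, 960, 0xF8D5),
    "R1.01-00":     (0x05, 960, 0xD254),
    "R2.00-00":     (0x32, 1076, 0x094B),
    "QYT-R4.00-00": (0x31, 958, 0xF360),
}
# Constructed CSNP: one newer entry, one equal, one older, one unknown LSP
# (R9.00-00), and QYT-R4.00-00 missing.
CSNP = {
    "R1.00-00": (0x49, 1053, 0xF4D7),
    "R1.01-00": (0x05, 950, 0xD254),
    "R2.00-00": (0x31, 300, 0x1234),
    "R9.00-00": (0x01, 1199, 0xABCD),
}

if __name__ == "__main__":
    print(on_csnp(LSDB, CSNP))
```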
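5. Route leaking
By default the backbone area learns the specific routes of L1 (the central government knows the local finances)
L1 does not know the specific routes of the backbone area; it reaches other areas (through the L1/L2 router) via the default route that results from the ATT bit being set
Change the IS-IS cost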
[R1-GigabitEthernet0/0/0]isis cost 20
[R1]tracert 20.20.20.20
traceroute to 20.20.20.20(20.20.20.20), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.1.12.2 30 ms 10 ms 20 ms
2 10.1.20.20 40 ms 20 ms 10 ms
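IS-IS route leaking: L2 routes are "leaked" down into L1, so L1 gets optimized specific routes; it is also a means of route control (routes going from L1 into L2 can be controlled too) and of summarization
Routes inside the L1 area are preferred over L2 routes (from outside the area or from the backbone)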
[R2-GigabitEthernet0/0/2]isis circuit-level level-2
[R2-GigabitEthernet0/0/2]int lo0
[R2-LoopBack0]isis circuit-level level-2 //after changing the circuit level of the interfaces on the L1/L2 device, the routing table is simpler:
[R1]dis ip ro pro isis
Route Flags: R - relay, D - download to fib
Public routing table : ISIS
Destinations : 1 Routes : 2
ISIS routing table status : <Active>
Destinations : 1 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 ISIS-L1 15 10 D 10.1.12.2 Serial2/0/0
ISIS-L1 15 10 D 10.1.14.4 GigabitEthernet0/0/0
ISIS routing table status : <Inactive>
Destinations : 0 Routes : 0
Configure route leaking:
[R4-acl-basic-2000]dis th
[V200R003C00]
#
acl number 2000
rule 5 permit source 20.20.20.20 0 //the route entry the ACL matches
isis 1
network-entity 49.0124.4444.4444.4444.00
is-name QYT-R4
import-route isis level-2 into level-1 filter-policy 2000 //leak the L2 routes that match ACL 2000 into L1
dis acl all
Total quantity of nonempty ACL number is 1
Basic ACL 2000, 2 rules
Acl's step is 5
rule 5 permit source 20.20.20.20 0 (2 matches)
Verify the result:
[R1]dis ip routing-table protocol isis
Route Flags: R - relay, D - download to fib
Public routing table : ISIS
Destinations : 4 Routes : 5
ISIS routing table status : <Active>
Destinations : 4 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 ISIS-L1 15 10 D 10.1.12.2 Serial2/0/0
ISIS-L1 15 10 D 10.1.14.4 GigabitEthernet0/0/0
10.1.40.0/24 ISIS-L1 15 20 D 10.1.14.4 GigabitEthernet0/0/0
20.20.20.20/32 ISIS-L1 15 20 D 10.1.14.4 GigabitEthernet0/0/0
44.1.1.1/32 ISIS-L1 15 10 D 10.1.14.4 GigabitEthernet0/0/0
ISIS routing table status : <Inactive>
Destinations : 0 Routes : 0
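Homework:
Requirements:
1. Establish adjacencies according to the NET address settings
2. Change R1 to an L1 device and SW2 to an L2 device
3. Get the inter-area route to 20.20.20.20 on R1
This article is reposted from EnderJoe's 51CTO blog; original link: http://blog.51cto.com/enderjoe/2054031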