Welcome back to our Service Provider Workbook series! This is Workbook 2, and today we’re diving into IS-IS troubleshooting, building on the foundation laid in Workbook 1 where we configured IS-IS and verified our adjacencies.
In this session, we’ll focus on a routing issue observed in the lab. Specifically, our IOS-XE routers (CE2 and CE4) are not receiving any IS-IS routes. They cannot ping each other because their routing tables lack the necessary routes. Let’s walk through identifying and fixing the problem.
Topology Overview
– PE routers: IOS XR
– CE routers: IOS XE
– Routing Protocol: IS-IS
– Design:
– CE routers are Level 1 (L1)
– PE routers are Level 2 (L2)
– No L1/L2 routers configured.
Problem Statement
Despite having proper IS-IS adjacencies:
– CE2 and CE4 are missing routes from the other side of the topology.
– PE routers are receiving and propagating routes within Level 2.
– Level 2 routes are not propagating back into Level 1, leaving CE routers disconnected.
Key IS-IS Concept
By default, IS-IS:
– Propagates L1 routes into L2.
– Does not propagate L2 routes into L1.
This design ensures area separation, but in our case, it prevents full CE-to-CE reachability.
IS-IS Troubleshooting Verification Commands
On CE Routers (IOS XE):
show clns neighbors
show ip route isis
show isis database level-1
On PE Routers (IOS XR):
show isis neighbors
show route isis
show isis database level-1
show isis database level-2
Troubleshooting Step-by-Step
Why Aren’t Routes Propagated?
– IS-IS does not redistribute Level 2 routes into Level 1 by default.
– CE routers (L1) only see local area routes, while PE routers (L2) have broader reachability.
Solution 1: Inject a Default Route (Not Recommended Here)
Injecting a default route from PE to CE could allow CE routers to reach unknown destinations:
router isis CORE
 address-family ipv4 unicast
  default-information originate always
– Problem: This would propagate a default route to all neighbors, including external peers, which isn’t desired in this scenario.
Solution 2: Propagate Level 2 Routes into Level 1 (Preferred)
On IOS XR PE Routers:
1. Create a Route Policy:
route-policy ISIS
  pass
end-policy
2. Apply the Propagation Policy:
router isis CORE
 address-family ipv4 unicast
  propagate level-2 into level-1 route-policy ISIS
3. Commit the Changes:
commit
Verification After Propagation
On CE Routers:
show ip route isis
You should now see IA (Inter-Area) routes:
IA 4.4.4.4/32
IA 1.1.1.1/32
Full CE-to-CE reachability restored!
ping 4.4.4.4 source loopback0
Task 2: Enabling IS-IS Authentication Between CE Routers
IS-IS Authentication Types:
1. Hello Authentication (interface-level)
2. LSP Update Authentication (router-level)
Enabling Hello Authentication (Interface-Level)
1. Create Key-Chain (on both CE routers):
key chain ISIS
 key 1
  key-string abc123
2. Apply on Interface (GigabitEthernet2):
interface GigabitEthernet2
 isis authentication mode md5
 isis authentication key-chain ISIS
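A check for the two steps above, as an added example that is not part of the original workbook: this Python audit reads saved CE configs, flags IS-IS interfaces where hello authentication is only half configured, and compares the key-strings on both ends, since a mismatch drops the adjacency. The sample configs, the function names, the use of `ip router isis` to identify IS-IS interfaces, and clear-text key-strings are assumptions.

```python
# Constructed sample configs, not taken from the lab. Assumes clear-text
# key-strings (as on this page) and "ip router isis" on IS-IS interfaces.
CE2 = """key chain ISIS
 key 1
  key-string abc123
interface GigabitEthernet2
 ip router isis
 isis authentication mode md5
 isis authentication key-chain ISIS
interface GigabitEthernet3
 ip address 192.0.2.1 255.255.255.0
"""
# CE4 with two deliberate faults: mistyped key, key-chain not applied.
CE4 = CE2.replace("abc123", "abc124").replace(" isis authentication key-chain ISIS\n", "")

def parse(config):
    """Return ({key chain: lines}, {interface: lines}) for a config text."""
    chains, ifaces, current = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if words and line[0] != " ":  # unindented line opens a new section
            current = None
            if words[:2] == ["key", "chain"] and len(words) == 3:
                current = chains.setdefault(words[2], [])
            elif words[0] == "interface" and len(words) == 2:
                current = ifaces.setdefault(words[1], [])
        elif words and current is not None:
            current.append(" ".join(words))
    return chains, ifaces

def audit(config):
    """List hello-authentication gaps on interfaces that run IS-IS."""
    chains, ifaces = parse(config)
    findings = []
    for name, lines in ifaces.items():
        if "ip router isis" not in lines:
            continue  # not an IS-IS interface
        if "isis authentication mode md5" not in lines:
            findings.append(f"{name}: authentication mode md5 missing")
        refs = [l.split()[-1] for l in lines if l.startswith("isis authentication key-chain ")]
        if not refs:
            findings.append(f"{name}: no key-chain applied")
        elif not any(l.startswith("key-string ") for l in chains.get(refs[0], [])):
            findings.append(f"{name}: key chain {refs[0]} has no key-string")
    return findings

def keys_match(a, b, chain="ISIS"):
    """True only if both configs define the chain with identical key-strings."""
    ka, kb = ([l for l in parse(c)[0].get(chain, []) if l.startswith("key-string ")] for c in (a, b))
    return bool(ka) and ka == kb
```

Run `audit()` on each CE config and `keys_match()` on the pair before applying the change; after applying it, `show clns neighbors` on the CE confirms the adjacency is still up.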
Why Avoid LSP Update Authentication Here?
– Applying LSP update authentication at the router-level affects all adjacencies.
– It requires synchronised configurations across PEs and CEs.
– Risk of breaking adjacencies with other routers not configured for update authentication.
IS-IS Troubleshooting Key Takeaways
– IS-IS L2 routes are not automatically propagated into L1.
– Use propagate level-2 into level-1 on IOS XR PEs to share routes downward.
– Default route injection can solve reachability but may cause broader impact.
– Hello authentication secures adjacencies without disrupting routing updates.
Check out the next post in the series, IS-IS IPv6, in Workbook 3.