Академический Документы
Профессиональный Документы
Культура Документы
0
(http://labs.ine.com/workbook/toc/serviceproviderv4)
CCIESPv4AdvancedTechnologyLabsIGP
ISISRouteLeaking
CONTENTS
MultiLevelISIS(/workbook/view/serviceproviderv4/task/multilevelisisMjg0Mg%3D%3D)|SingleTopologyISIS
(/workbook/view/serviceproviderv4/task/singletopologyisisMjg0NA%3D%3D)
Lastupdated:April23,2016
Note:
ThistaskassumesthatyouhavealreadycompletedtheMultiLevelISIS
(http://labs.ine.com/workbook/view/serviceproviderv4/task/multilevelisis
Mjg0Mg%3D%3D)task.RefertotheBaseIPv4Diagraminordertocompletethistask.
Task
ConfigureISISRouteLeakingfromLevel2toLevel1ontheL1/L2routersasfollows:
R3shouldadvertisetheL2prefix5.5.5.5/32toitsL1routers.
R4shouldadvertisetheL2prefix6.6.6.6/32toitsL1routers.
XR1shouldadvertisethe3.3.3.3/32and4.4.4.4/32prefixestoitsL1routers.
ConfigureISISRouteLeakingfromLevel1toLevel2ontheL1/L2routersasfollows:
R3shouldnotadvertisetheL1prefix2.2.2.2/32toitsL2routers.
R4shouldnotadvertisetheL1prefix1.1.1.1/32toitsL2routers
Configuration Clicktocollapse
R3:
routerisis
redistributeisisiplevel1intolevel2routemapL1_TO_L2_LEAK
redistributeisisiplevel2intolevel1routemapL2_TO_L1_LEAK
ipprefixlistL2_TO_L1_PLpermit5.5.5.5/32
!
ipprefixlistL1_TO_L2_PLpermit2.2.2.2/32
!
CONTENTS
routemapL2_TO_L1_LEAKpermit10
matchipaddressprefixL2_TO_L1_PL
routemapL1_TO_L2_LEAKdeny10
matchipaddressprefixL1_TO_L2_PL
routemapL1_TO_L2_LEAKpermit20
R4:
routerisis
redistributeisisiplevel1intolevel2routemapL1_TO_L2_LEAK
redistributeisisiplevel2intolevel1routemapL2_TO_L1_LEAK
ipprefixlistL2_TO_L1_PLpermit6.6.6.6/32
ipprefixlistL1_TO_L2_PLpermit1.1.1.1/32
routemapL2_TO_L1_LEAKpermit10
matchipaddressprefixL2_TO_L1_PL
routemapL1_TO_L2_LEAKdeny10
matchipaddressprefixL1_TO_L2_PL
routemapL1_TO_L2_LEAKpermit20
XR1:
routepolicyISIS_ROUTE_LEAKING
ifdestinationin(3.3.3.3/32,4.4.4.4/32)then
pass
endif
endpolicy
routerisis1
addressfamilyipv4unicast
propagatelevel2intolevel1routepolicyISIS_ROUTE_LEAKING
end
Verification
PreviouslyR1andR2onlyknewtheirownL1routesaswellasadefaultroutetotheL1/L2routes.Now
thespecificroutes5.5.5.5/32and6.6.6.6/32areadvertisedviaR3andR4respectively.
R2#showiprouteisis
Codes:Llocal,Cconnected,Sstatic,RRIP,Mmobile,BBGP
DEIGRP,EXEIGRPexternal,OOSPF,IAOSPFinterarea
N1OSPFNSSAexternaltype1,N2OSPFNSSAexternaltype2
E1OSPFexternaltype1,E2OSPFexternaltype2
iISIS,suISISsummary,L1ISISlevel1,L2ISISlevel2
CONTENTS
iaISISinterarea ,*candidatedefault,Uperuserstaticroute
oODR,Pperiodicdownloadedstaticroute,HNHRP,lLISP
aapplicationroute
+replicatedroute,%nexthopoverride
Gatewayoflastresortis20.2.4.4tonetwork0.0.0.0
i*L10.0.0.0/0[115/10]via20.2.4.4,00:21:12,GigabitEthernet1.24
[115/10]via20.2.3.3,00:21:12,GigabitEthernet1.23
1.0.0.0/32issubnetted,1subnets
iL11.1.1.1[115/10]via10.1.2.1,00:21:43,GigabitEthernet1.12
5.0.0.0/32issubnetted,1subnets
iia5.5.5.5 [115/158]via20.2.3.3,00:13:20,GigabitEthernet1.23
6.0.0.0/32issubnetted,1subnets
iia6.6.6.6 [115/148]via20.2.4.4,00:13:12,GigabitEthernet1.24
Duetothelongestmatchroutingprinciple,trafficgoingto5.5.5.5/32willalwayspreferR3astheexit
point,whiletrafficgoingto6.6.6.6/32willalwayspreferR4.
R1#traceroute5.5.5.5
Typeescapesequencetoabort.
Tracingtherouteto5.5.5.5
VRFinfo:(vrfinname/id,vrfoutname/id)
110.1.2.22msec1msec1msec
220.2.3.36msec2msec1msec
320.3.6.61msec1msec1msec
420.5.6.510msec*3msec
R1#traceroute6.6.6.6
Typeescapesequencetoabort.
Tracingtherouteto6.6.6.6
VRFinfo:(vrfinname/id,vrfoutname/id)
110.1.2.21msec2msec1msec
220.2.4.41msec6msec2msec
320.4.6.62msec*2msec
Inthecasethatoneoftheseexitpointsaredown,trafficwillfallbacktotheleastspecificmatchof
0.0.0.0/0thatisinstalledduetotheAttached(ATT)bitbeingsetintheISISLSDB.
R1#showipcef6.6.6.6detail
6.6.6.6/32,epoch2
nexthop10.1.2.2GigabitEthernet1.12
R1#traceroute6.6.6.6
Typeescapesequencetoabort.
Tracingtherouteto6.6.6.6
CONTENTS
VRFinfo:(vrfinname/id,vrfoutname/id)
110.1.2.21msec2msec1msec
220.2.4.41msec6msec2msec
320.4.6.62msec*2msec
R2#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
R2(config)#interfaceGig1.24
R2(configsubif)#shutdown
R2(configsubif)#end
R2#showipcef6.6.6.6detail
0.0.0.0/0 ,epoch2,flags[defaultroute]
nexthop10.1.2.2GigabitEthernet1.12
R1#traceroute6.6.6.6
Typeescapesequencetoabort.
Tracingtherouteto6.6.6.6
VRFinfo:(vrfinname/id,vrfoutname/id)
110.1.2.24msec1msec6msec
220.2.3.32msec1msec1msec
320.3.6.62msec*2msec
RouteleakingcanalsobeusedtofilterroutesastheyareconvertedfromL1toL2.PreviouslyR6had
equallongestmatchesto1.1.1.1/32and2.2.2.2/32viaR3andR4.Afterrouteleakingfilteringis
applied,R6hasonlyonepossiblepathtoeachofthesedestinations.
R6#showiproute1.1.1.1
Routingentryfor1.1.1.1/32
Knownvia"isis",distance115,metric30,typelevel2
Redistributingviaisis
Lastupdatefrom20.3.6.3onGigabitEthernet1.36,00:20:33ago
RoutingDescriptorBlocks:
* 20.3.6.3,from3.3.3.3,00:20:33ago,viaGigabitEthernet1.36
Routemetricis30,trafficsharecountis1
R6#showiproute2.2.2.2
Routingentryfor2.2.2.2/32
Knownvia"isis",distance115,metric20,typelevel2
Redistributingviaisis
Lastupdatefrom20.4.6.4onGigabitEthernet1.46,00:00:02ago
RoutingDescriptorBlocks:
* 20.4.6.4,from4.4.4.4,00:00:02ago,viaGigabitEthernet1.46
Routemetricis20,trafficsharecountis1
UnlikeL2toL1routeleaking,whichallowstrafficengineeringbasedonlongestmatch,butstillallows
forfallbacktoadefaultroute,filteringofL1toL2originationviarouteleakingdoesnotallowfor
redundancy.ForexampleinthiscasethatR3losesitslinktotheL1domain,the1.1.1.1/32prefix
becomesunreachablebecauseR4isconfiguredtodenyoriginationofthisprefixfromL1intoL2.
R6#showiproute1.1.1.1
Routingentryfor1.1.1.1/32
Knownvia"isis",distance115,metric30,typelevel2
Redistributingviaisis
Lastupdatefrom20.3.6.3onFastEthernet0/0.36,00:20:02ago
CONTENTS
RoutingDescriptorBlocks:
*20.3.6.3,from3.3.3.3 ,00:20:02ago,viaFastEthernet0/0.36
Routemetricis30,trafficsharecountis1
R6#ping1.1.1.1
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto1.1.1.1,timeoutis2seconds:
!!!!!
Successrateis100percent(5/5),roundtripmin/avg/max=1/1/4ms
R6#
R3#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
R3(config)#intGig1.23
R3(configsubif)#shut
R3(configsubif)#end
R6#showiproute1.1.1.1
%Networknotintable
R6#showipcef1.1.1.1
0.0.0.0/0
noroute
R6#ping1.1.1.1
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto1.1.1.1,timeoutis2seconds:
.....
Successrateis0percent(0/5)
RouteleakinginIOSXRusesthesamelogicasregularIOS,howeverthematchingofprefixesoccurs
throughtheusageoftheRoutingPolicyLanguage(RPL).
RP/0/0/CPU0:XR1#showrpl
TueApr2800:39:42.306UTC
routepolicyISIS_ROUTE_LEAKING
ifdestinationin(3.3.3.3/32,4.4.4.4/32)then
pass
endif
endpolicy
!
CONTENTS
RP/0/0/CPU0:XR1#showrunrouterisis
TueApr2800:40:07.194UTC
routerisis1
net49.1920.0000.0000.0019.00
addressfamilyipv4unicast
propagatelevel2intolevel1routepolicyISIS_ROUTE_LEAKING
<snip>
TheresultofthisconfigurationisthatXR2learnsthespecificroutesof3.3.3.3/32and4.4.4.4/32via
XR1.
RP/0/0/CPU0:XR2#showrouteisis
TueApr2800:42:15.775UTC
i*L10.0.0.0/0[115/10]via10.19.20.19,00:27:24,GigabitEthernet0/0/0/0.1920
iia3.3.3.3/32[115/30]via10.19.20.19,00:27:24,GigabitEthernet0/0/0/0.1920
iia4.4.4.4/32[115/30]via10.19.20.19,00:27:24,GigabitEthernet0/0/0/0.1920
Tomakethisconfigurationmoremodular,theRPLpolicycouldhavecalledanexternalprefixset,similar
toaprefixlistinregularIOS,thatcouldbeusedtomatchtheprefixesinquestiontobeleaked.A
configurationsuchasthiscouldbewrittenasfollows:
RP/0/0/CPU0:XR1#showrpl
TueApr2800:44:13.650UTC
prefixsetISIS_ROUTES
3.3.3.3/32,
4.4.4.4/32
endset
!
routepolicyISIS_ROUTE_LEAKING
ifdestinationinISIS_ROUTESthen
CONTENTS
pass
endif
endpolicy
RP/0/0/CPU0:XR1#showrunrouterisis
TueApr2800:44:18.881UTC
routerisis1
net49.1920.0000.0000.0019.00
addressfamilyipv4unicast
propagatelevel2intolevel1routepolicyISIS_ROUTE_LEAKING
<snip>
RoutemapscanbeusedtocontrolredistributioninIOS,asshowninthisexample,inadditionto
distributelists.
WhenanL1L2routerleaksL2routesintoL1,theroutesareadvertisedinIPInternalReachability
InformationTLVs.AnimportantfactoraboutrouteleakinginISISisthesettingoftheU/Dbitwithinthe
TLVoftheleakedroute.Thisissimilartothe"Down"bitinOSPF,anditisparamountinpreventing
loops.AnL1L2routerthatreceivesaroutewiththeU/DbitattachedviaL1willnotreadvertisethis
samerouteintoL2.ThisbehaviorisdescribedinRFC2966.
TheleakedroutescanbeobservedbylookingattheL1L2router'sLSPdoingtheleaking:
RP/0/0/CPU0:XR2#showisisdatabaseXR1.0000detail
TueApr2800:48:24.390UTC
ISIS1(Level1)LinkStateDatabase
LSPIDLSPSeqNumLSPChecksumLSPHoldtimeATT/P/OL
XR1.00000x000000060x1a474781/0/0
AreaAddress:49.1920
NLPID:0xcc
Hostname:XR1
IPAddress:19.19.19.19
Metric:10ISXR1.01
Metric:20IPInterarea3.3.3.3/32
Metric:20IPInterarea4.4.4.4/32
Metric:10IP10.19.20.0/24
MultiLevelISIS(/workbook/view/serviceproviderv4/task/multilevelisisMjg0Mg%3D%3D)|SingleTopology
ISIS(/workbook/view/serviceproviderv4/task/singletopologyisisMjg0NA%3D%3D)