This part provides an example for interconnecting IPv4 networks through IS-IS.
As shown in Figure 1:
RouterA, RouterB, FW_C, and FW_D belong to the same AS. IS-IS is enabled on the devices to implement interconnection in the IP network.
The area addresses of RouterA, RouterB, and FW_C are all 10, and the area address of FW_D is 20.
RouterA and RouterB are Level-1 routers, FW_C is a Level-1-2 router, and FW_D is a Level-2 router.
The configuration roadmap is as follows:
Enable IS-IS on each device, configure the levels of routers, and specify a NET.
Set RouterA and FW_C to authenticate Hello packets in the specified mode and with the specified password.
Check the IS-IS database and the routing table of each device.
To complete the configuration, you need the following data:
Area addresses of RouterA, RouterB, FW_C and FW_D
Levels of RouterA, RouterB, FW_C, and FW_D
# Configure RouterA.
<Router> system-view
[Router] sysname RouterA
[RouterA] interface GigabitEthernet 0/0/0
[RouterA-GigabitEthernet 0/0/0] ip address 10.1.1.2 24
[RouterA-GigabitEthernet 0/0/0] quit
# Configure RouterB.
<Router> system-view
[Router] sysname RouterB
[RouterB] interface GigabitEthernet 0/0/0
[RouterB-GigabitEthernet 0/0/0] ip address 10.1.2.2 24
[RouterB-GigabitEthernet 0/0/0] quit
# Configure FW_C.
<FW> system-view
[FW] sysname FW_C
[FW_C] interface GigabitEthernet 0/0/0
[FW_C-GigabitEthernet 0/0/0] ip address 10.1.1.1 24
[FW_C-GigabitEthernet 0/0/0] quit
[FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet 0/0/1] ip address 10.1.2.1 24
[FW_C-GigabitEthernet 0/0/1] quit
[FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet 0/0/2] ip address 192.168.0.1 24
[FW_C-GigabitEthernet 0/0/2] quit
# Configure FW_D.
<FW> system-view
[FW] sysname FW_D
[FW_D] interface GigabitEthernet 0/0/0
[FW_D-GigabitEthernet 0/0/0] ip address 192.168.0.2 24
[FW_D-GigabitEthernet 0/0/0] quit
[FW_D] interface GigabitEthernet 0/0/1
[FW_D-GigabitEthernet 0/0/1] ip address 172.16.1.1 16
[FW_D-GigabitEthernet 0/0/1] quit
# Assign interfaces of FW_C to security zones.
[FW_C] firewall zone trust
[FW_C-zone-trust] add interface GigabitEthernet 0/0/0
[FW_C-zone-trust] add interface GigabitEthernet 0/0/1
[FW_C-zone-trust] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_C-zone-untrust] quit
# Assign interfaces of FW_D to security zones.
[FW_D] firewall zone trust
[FW_D-zone-trust] add interface GigabitEthernet 0/0/0
[FW_D-zone-trust] quit
[FW_D] firewall zone untrust
[FW_D-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_D-zone-untrust] quit
# Enable Trust-Untrust, Local-Untrust, and Untrust-Local interzone policies on FW_C to ensure normal packet transmission.
[FW_C] security-policy
[FW_C-policy-security] rule name policy_sec_1
[FW_C-policy-security-rule-policy_sec_1] source-zone trust
[FW_C-policy-security-rule-policy_sec_1] destination-zone untrust
[FW_C-policy-security-rule-policy_sec_1] action permit
[FW_C-policy-security-rule-policy_sec_1] quit
[FW_C-policy-security] rule name policy_sec_2
[FW_C-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_C-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_C-policy-security-rule-policy_sec_2] action permit
[FW_C-policy-security-rule-policy_sec_2] quit
[FW_C-policy-security] rule name policy_sec_3
[FW_C-policy-security-rule-policy_sec_3] source-zone local trust
[FW_C-policy-security-rule-policy_sec_3] destination-zone local trust
[FW_C-policy-security-rule-policy_sec_3] action permit
[FW_C-policy-security-rule-policy_sec_3] quit
[FW_C-policy-security] quit
# Enable Trust-Untrust, Local-Untrust, and Untrust-Local interzone policies on FW_D to ensure normal packet transmission.
[FW_D] security-policy
[FW_D-policy-security] rule name policy_sec_1
[FW_D-policy-security-rule-policy_sec_1] source-zone trust
[FW_D-policy-security-rule-policy_sec_1] destination-zone untrust
[FW_D-policy-security-rule-policy_sec_1] action permit
[FW_D-policy-security-rule-policy_sec_1] quit
[FW_D-policy-security] rule name policy_sec_2
[FW_D-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_D-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_D-policy-security-rule-policy_sec_2] action permit
[FW_D-policy-security-rule-policy_sec_2] quit
[FW_D-policy-security] rule name policy_sec_3
[FW_D-policy-security-rule-policy_sec_3] source-zone local trust
[FW_D-policy-security-rule-policy_sec_3] destination-zone local trust
[FW_D-policy-security-rule-policy_sec_3] action permit
[FW_D-policy-security-rule-policy_sec_3] quit
[FW_D-policy-security] quit
# Configure RouterA.
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface GigabitEthernet 0/0/0
[RouterA-GigabitEthernet 0/0/0] isis enable 1
[RouterA-GigabitEthernet 0/0/0] quit
# Configure RouterB.
[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface GigabitEthernet 0/0/0
[RouterB-GigabitEthernet 0/0/0] isis enable 1
[RouterB-GigabitEthernet 0/0/0] quit
# Configure FW_C.
[FW_C] isis 1
[FW_C-isis-1] network-entity 10.0000.0000.0003.00
[FW_C-isis-1] quit
[FW_C] interface GigabitEthernet 0/0/0
[FW_C-GigabitEthernet 0/0/0] isis enable 1
[FW_C-GigabitEthernet 0/0/0] quit
[FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet 0/0/1] isis enable 1
[FW_C-GigabitEthernet 0/0/1] quit
[FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet 0/0/2] isis enable 1
[FW_C-GigabitEthernet 0/0/2] quit
# Configure FW_D.
[FW_D] isis 1
[FW_D-isis-1] is-level level-2
[FW_D-isis-1] network-entity 20.0000.0000.0004.00
[FW_D-isis-1] quit
[FW_D] interface GigabitEthernet 0/0/1
[FW_D-GigabitEthernet 0/0/1] isis enable 1
[FW_D-GigabitEthernet 0/0/1] quit
[FW_D] interface GigabitEthernet 0/0/0
[FW_D-GigabitEthernet 0/0/0] isis enable 1
[FW_D-GigabitEthernet 0/0/0] quit
# Configure RouterA.
[RouterA] interface GigabitEthernet 0/0/0
[RouterA-GigabitEthernet 0/0/0] isis authentication-mode md5 huawei
# Configure FW_C.
[FW_C] interface GigabitEthernet 0/0/0
[FW_C-GigabitEthernet 0/0/0] isis authentication-mode md5 huawei
# Display the IS-IS LSDB of each Router.
[RouterA] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00* 0x00000006 0xbf7d 649 68 0/0/0
0000.0000.0002.00-00 0x00000003 0xef4d 545 68 0/0/0
0000.0000.0003.00-00 0x00000008 0x3340 582 111 1/0/0
Total LSP(s): 3
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
[RouterB] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00 0x00000006 0xbf7d 642 68 0/0/0
0000.0000.0002.00-00* 0x00000003 0xef4d 538 68 0/0/0
0000.0000.0003.00-00 0x00000008 0x3340 574 111 1/0/0
Total LSP(s): 3
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
[FW_C] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00 0x00000006 0xbf7d 638 68 0/0/0
0000.0000.0002.00-00 0x00000003 0xef4d 533 68 0/0/0
0000.0000.0003.00-00* 0x00000008 0x3340 569 111 1/0/0
Total LSP(s): 3
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
Level-2 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0003.00-00* 0x00000008 0x55bb 650 100 0/0/0
0000.0000.0004.00-00 0x00000005 0x6510 629 84 0/0/0
Total LSP(s): 2
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
[FW_D] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-2 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0003.00-00 0x00000008 0x55bb 644 100 0/0/0
0000.0000.0004.00-00* 0x00000005 0x6510 624 84 0/0/0
Total LSP(s): 2
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
# Display the IS-IS routing information of each device. A default route must exist in the Level-1 routing table and the next hop is a Level-1-2 router. A Level-2 router must have all Level-1 and Level-2 routes.
[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-1 Forwarding Table
--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GigabitEthernet 0/0/0 Direct D/-/L/-
10.1.2.0/24 20 NULL GigabitEthernet 0/0/0 10.1.1.1 A/-/-/-
192.168.0.0/24 20 NULL GigabitEthernet 0/0/0 10.1.1.1 A/-/-/-
0.0.0.0/0 10 NULL GigabitEthernet 0/0/0 10.1.1.1 A/-/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
[FW_C] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-1 Forwarding Table
--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GigabitEthernet 0/0/0 Direct D/-/L/-
10.1.2.0/24 10 NULL GigabitEthernet 0/0/1 Direct D/-/L/-
192.168.0.0/24 10 NULL GigabitEthernet 0/0/2 Direct D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
ISIS(1) Level-2 Forwarding Table
--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GigabitEthernet 0/0/0 Direct D/-/L/-
10.1.2.0/24 10 NULL GigabitEthernet 0/0/1 Direct D/-/L/-
192.168.0.0/24 10 NULL GigabitEthernet 0/0/2 Direct D/-/L/-
172.16.0.0/16 20 NULL GigabitEthernet 0/0/2 192.168.0.2 A/-/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
[FW_D] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-2 Forwarding Table
--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
--------------------------------------------------------------------------
192.168.0.0/24 10 NULL GigabitEthernet 0/0/0 Direct D/-/L/-
10.1.1.0/24 20 NULL GigabitEthernet 0/0/0 192.168.0.1 A/-/-/-
10.1.2.0/24 20 NULL GigabitEthernet 0/0/0 192.168.0.1 A/-/-/-
172.16.0.0/16 10 NULL GigabitEthernet 0/0/1 Direct D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
Configuration file of RouterA
#
sysname RouterA
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet 0/0/0
ip address 10.1.1.2 255.255.255.0
isis enable 1
isis authentication-mode md5 N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
Configuration file of RouterB
#
sysname RouterB
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet 0/0/0
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
return
Configuration file of FW_C
#
sysname FW_C
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet 0/0/0
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis authentication-mode md5 N`C55QK<`=/Q=^Q`MAF4<1!!
#
interface GigabitEthernet 0/0/1
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet 0/0/2
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/0
add interface GigabitEthernet 0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 0/0/2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_3
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return
Configuration file of FW_D
#
sysname FW_D
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#
interface GigabitEthernet 0/0/0
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet 0/0/1
ip address 172.16.1.1 255.255.0.0
isis enable 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 0/0/1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_3
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return
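The following audit is an added example, not part of the original document or of any vendor tooling. It reads interface sections in the configuration-file format shown above, groups the IS-IS-enabled interfaces by subnet, and reports whether Hello authentication is configured on every end of each link. The function names and the KEY placeholder are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: interface sections abridged from this page's configuration files; KEY is a placeholder.
CONFIGS = {
    "RouterA": "interface GigabitEthernet 0/0/0\nip address 10.1.1.2 255.255.255.0\nisis enable 1\nisis authentication-mode md5 KEY\n#\n",
    "RouterB": "interface GigabitEthernet 0/0/0\nip address 10.1.2.2 255.255.255.0\nisis enable 1\n#\n",
    "FW_C": ("interface GigabitEthernet 0/0/0\nip address 10.1.1.1 255.255.255.0\nisis enable 1\nisis authentication-mode md5 KEY\n#\n"
             "interface GigabitEthernet 0/0/1\nip address 10.1.2.1 255.255.255.0\nisis enable 1\n#\n"
             "interface GigabitEthernet 0/0/2\nip address 192.168.0.1 255.255.255.0\nisis enable 1\n#\n"),
    "FW_D": ("interface GigabitEthernet 0/0/0\nip address 192.168.0.2 255.255.255.0\nisis enable 1\n#\n"
             "interface GigabitEthernet 0/0/1\nip address 172.16.1.1 255.255.0.0\nisis enable 1\n#\n"),
}

def isis_interfaces(config):
    """Yield (interface, subnet, hello_auth_mode) per IS-IS-enabled interface."""
    for section in re.split(r"(?m)^#[ \t]*$", config):   # sections are separated by lone '#' lines
        lines = [ln.strip() for ln in section.strip().splitlines()]
        if not (lines and lines[0].startswith("interface ")
                and any(ln.startswith("isis enable") for ln in lines)):
            continue
        subnet, mode = "no-address", None
        for ln in lines:
            words = ln.split()
            if ln.startswith("ip address ") and len(words) >= 4:
                subnet = str(ipaddress.ip_interface(f"{words[2]}/{words[3]}").network)
            elif ln.startswith("isis authentication-mode ") and len(words) >= 3:
                mode = words[2]
        yield lines[0][len("interface "):], subnet, mode

def audit_links(configs):
    """Group IS-IS interfaces by subnet and classify Hello authentication per link."""
    links = defaultdict(list)
    for device, text in configs.items():
        for ifname, subnet, mode in isis_interfaces(text):
            links[subnet].append((device, ifname, mode))
    report = {}
    for subnet, ends in links.items():
        modes = {mode for _, _, mode in ends}
        # A matching mode on both ends does not prove that the keys match.
        status = ("mismatch" if len(modes) > 1 else
                  "unauthenticated" if modes == {None} else "authenticated:" + min(modes))
        report[subnet] = (status, ends)
    return report

if __name__ == "__main__":
    for subnet, (status, ends) in sorted(audit_links(CONFIGS).items()):
        print(f"{subnet:16} {status:18} " + ", ".join(f"{d} {i}" for d, i, _ in ends))
```

For the four configuration files above, it reports 10.1.1.0/24 as authenticated with md5 and the other three IS-IS subnets as unauthenticated.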