The Complete IS-IS Routing Protocol- P46 pptx


    Nov 20 18:47:03.340680 restart RR reset RA reset holdtime 0
    Nov 20 18:47:03.340711 1386 bytes of total padding
    Nov 20 18:47:03.340752 checksum 0x6b7f
    Nov 20 18:47:03.360591 Rebuilding L1 fragment Frankfurt.00-00, sequence 0x69
    Nov 20 18:47:03.361195 Rebuilding LSP Frankfurt.00-00, free bytes 1320
    Nov 20 18:47:03.361310 Next type: 1, estimated free bytes 1455, free bytes 1455
    Nov 20 18:47:03.361463 Next type: 129, estimated free bytes 1449, free bytes 1449
    Nov 20 18:47:03.361795 Next type: 134, estimated free bytes 1445, free bytes 1445
    Nov 20 18:47:03.361880 Next type: 137, estimated free bytes 1433, free bytes 1433
    Nov 20 18:47:03.362003 Next type: 22, estimated free bytes 1424, free bytes 1424
    Nov 20 18:47:03.362100 Next type: 128, estimated free bytes 1353, free bytes 1353
    Nov 20 18:47:03.362149 IP TLVs generated, used 29 bytes
    Nov 20 18:47:03.362195 Rebuilt L1 fragment Frankfurt.00-00, size 168

After acquiring an understanding of what the network is doing wrong, perhaps the prerequisite for further troubleshooting is to know what the network is supposed to do. As such, you need to know where the router keeps IS-IS-related configuration and how to modify it.

15.2.3 Configuration File

The IS-IS-related configuration is scattered across many places in a router configuration. There is interface-related configuration, router-process-related configuration, authentication information and finally routing policies, route-maps and access-lists that deal with prefix exchange with other protocols.

In IOS most of the relevant IS-IS configuration is accommodated in the router isis and interface sections. Authentication information (key chains) is present in the top-level context and policies are defined as route-maps. In the configuration output below you can see an example of a full-blown IOS IS-IS configuration.

IOS configuration

In the IOS configuration most command parameters are set in the interface and router isis command hierarchy.
Policies are defined inside route-maps and access-lists. The authentication strings are stored within a key chain. Static host-name mapping is stored at the end of the configuration file underneath the clns host prefix.

452 15. Troubleshooting

    London#show running-config
    […]
    key chain MY-SECRET-KEYSTRING
     key 100
      key-string 7 0702244B4F0F16171417
    !
    interface FastEthernet0/0
     ip address 172.16.33.29 255.255.255.252
     ip router isis
     ipv6 router isis
     […]
     isis authentication mode md5
     isis authentication key-chain MY-SECRET-KEYSTRING
     isis network point-to-point
     isis three-way-handshake ietf
    !
    router isis
     net 49.0002.1720.2602.6029.00
     authentication mode md5 level-2
     authentication key-chain MY-SECRET-KEYSTRING level-2
     metric-style wide
     passive-interface Loopback0
     redistribute level-2 route-map isis_leak
     !
     address-family ipv6
      multi-topology
     exit-address-family
    !
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 deny any
    !
    route-map isis_leak permit 1
     match ip route-source 1
    !
    clns host London 00.1921.6800.1019.00
    […]

Note that key-string 7 does not mean the key is encrypted. IOS "type 7" strings are an XOR against a fixed keystream and are trivially reversible, so anyone who can read the running configuration or a configuration backup can recover the IS-IS key. Treat configuration files that contain key chains as secrets in their own right.

The JUNOS configuration file follows a slightly different logic. Most notably, routing-protocol-specific parameters are not in the interfaces {} hierarchy. There is an additional protocols isis interface {} stanza that holds IS-IS exclusive parameters. Almost all IS-IS behaviour is configured in the protocols isis {} stanza. The only IS-IS-relevant configuration underneath a logical interface is the family iso {} stanza, which tells the Packet Forwarding Engine (PFE) that we would like to receive IS-IS PDUs on this interface. One interface, preferably the lo0 interface, also holds one or more family iso address statements that control the Area and System-ID settings of the router. IS-IS specific authentication strings are configured under the protocols isis level {} or protocols isis interface {} stanza, depending on which PDU type you want to authenticate.
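The following script is an added example, not code from the book or from either vendor. It audits an IOS running-config for the IS-IS authentication points discussed above: it walks the key chains, the router isis block and every interface that runs IS-IS, recovers any type 7 key-string with the well-known Cisco keystream, and reports levels or circuits that exchange PDUs unauthenticated. The embedded configuration is the London configuration from the text; the FastEthernet0/1 block is constructed to show what an unauthenticated circuit looks like, and the is-type default of level-1-2 is the IOS default.

```python
"""Audit the IS-IS authentication settings in an IOS running-config (added example)."""

# Cisco "type 7" is not encryption: each key byte is XORed with this fixed
# keystream, starting at the offset given by the first two decimal digits.
TYPE7_KEYSTREAM = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Recover the cleartext behind a 'key-string 7 <hex>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEYSTREAM[(seed + i) % len(TYPE7_KEYSTREAM)]
                  for i, b in enumerate(data))
    return clear.decode("latin-1")


def ios_sections(config):
    """Yield (header, [indented child lines]) for each top-level IOS block."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0] != " ":
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def audit_isis_auth(config):
    """Return a list of human-readable findings, empty if nothing is wrong."""
    keychains, isis_ifaces, router = {}, {}, []
    for header, body in ios_sections(config):
        if header.startswith("key chain "):
            name, cur = header.split()[2], None
            for line in body:
                w = line.split()
                if w[0] == "key" and len(w) == 2:
                    cur = w[1]
                elif w[0] == "key-string":
                    ktype, value = (w[1], w[2]) if len(w) == 3 else ("0", w[1])
                    keychains.setdefault(name, {})[cur] = (ktype, value)
        elif header.startswith("interface ") and any(
                l in ("ip router isis", "ipv6 router isis") for l in body):
            isis_ifaces[header.split()[1]] = body
        elif header == "router isis":
            router = body

    findings = []
    for chain, keys in keychains.items():
        for kid, (ktype, value) in keys.items():
            if ktype == "7":
                findings.append(f"key chain {chain} key {kid}: type 7 is reversible, "
                                f"cleartext is {decode_type7(value)!r}")
            elif ktype == "0":
                findings.append(f"key chain {chain} key {kid}: key stored in cleartext")
    # LSP/SNP authentication lives under router isis; a mode line without a
    # level applies to both levels.  Only levels the router actually runs matter.
    istype = next((l.split()[1] for l in router if l.startswith("is-type ")), "level-1-2")
    for level in ("level-1", "level-2"):
        if istype != "level-1-2" and not istype.startswith(level):
            continue
        modes = [l for l in router if l.startswith("authentication mode")
                 and (l.endswith(level) or not l.endswith(("level-1", "level-2")))]
        if not modes:
            findings.append(f"router isis: {level} LSPs and SNPs are not authenticated")
        elif any(m.split()[2] == "text" for m in modes):
            findings.append(f"router isis: {level} uses cleartext authentication")
    # Hello authentication is configured per circuit.
    for name, body in isis_ifaces.items():
        if not any(l.startswith("isis authentication mode") for l in body):
            findings.append(f"interface {name}: IS-IS hellos are not authenticated")
    return findings


# Sample input: the London configuration from the text; FastEthernet0/1 is constructed.
IOS_CONFIG = """\
key chain MY-SECRET-KEYSTRING
 key 100
  key-string 7 0702244B4F0F16171417
!
interface FastEthernet0/0
 ip address 172.16.33.29 255.255.255.252
 ip router isis
 ipv6 router isis
 isis authentication mode md5
 isis authentication key-chain MY-SECRET-KEYSTRING
 isis network point-to-point
 isis three-way-handshake ietf
!
interface FastEthernet0/1
 ip address 172.16.33.33 255.255.255.252
 ip router isis
!
router isis
 net 49.0002.1720.2602.6029.00
 authentication mode md5 level-2
 authentication key-chain MY-SECRET-KEYSTRING level-2
 metric-style wide
 passive-interface Loopback0
!
"""

if __name__ == "__main__":
    for finding in audit_isis_auth(IOS_CONFIG):
        print(finding)
```

Run against the book's own London configuration, the audit recovers the key behind the type 7 string and points out that, with is-type at its default, Level 1 LSPs and SNPs are exchanged without authentication because the authentication mode and key-chain lines are restricted to level-2.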
In JUNOS, policy processing is a protocol-independent thing and so all policy-relevant configuration is done in the policy-options {} stanza. Finally, static host mappings for System-ID to host name translation are configured in the system {} stanza.

JUNOS configuration

The most notable difference between JUNOS and IOS is that the majority of IS-IS parameters are configured under the protocols isis {} stanza. For IS-IS interface-related configuration JUNOS features a protocols isis interface {} hierarchy that exclusively carries IS-IS per-circuit configuration.

    hannes@Frankfurt> show configuration
    […]
    system {
        static-host-mapping {
            London sysid 1921.6800.1019;
        }
    }
    interfaces {
        ge-0/5/0 {
            unit 0 {
                family inet {
                    address 172.16.33.10/30;
                }
                family iso;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.0.8/32;
                }
                family iso {
                    address 49.0001.1921.6800.1008.00;
                }
            }
        }
    }
    protocols {
        isis {
            traceoptions {
                file isis-trace size 10m;
                flag error;
                flag lsp;
                flag state;
            }
            export lo0-only;
            level 1 {
                authentication-key "$9$I7ShyKX7V4aUM8aUjH5TRhS"; # SECRET-DATA
                authentication-type simple; # SECRET-DATA
                wide-metrics-only;
            }
            level 2 wide-metrics-only;
            interface all;
            interface ge-0/5/0.0 {
                point-to-point;
            }
        }
    }
    policy-options {
        policy-statement lo0-only {
            term 1 {
                from {
                    interface lo0.0;
                }
                then accept;
            }
            term final {
                then reject;
            }
        }
    }

Two details of this configuration deserve a security comment. authentication-type simple places the password in cleartext in the Authentication TLV of every Level 1 PDU, so anyone who can capture the link, using exactly the tools described in the next section, reads the key off the wire; authentication-type md5 avoids that. The $9$ strings that JUNOS writes for SECRET-DATA are obfuscation rather than encryption and are reversible by anyone who can read the configuration, so, as with IOS key chains, protect configuration files accordingly.

Seeing the configuration and debug logs provides good insight for the majority of troubleshooting scenarios. Sometimes even the debug output, which often shows just an interpretation of the data, does not provide sufficient insight into what the router does not like about a given packet. Network analyzers can display every bit of a given packet and provide additional intelligence during the troubleshooting process.

15.2.4 Network Analyzers

Network analyzers are an excellent tool for the experienced network troubleshooter because they unveil what is really transported over the wire.
The main disadvantage of evaluating debug logs is that they show only an interpretation of the protocol and not the actual content. If you need to deal with (for example) a malformed TLV, then the information that the debug log provides is probably not more than a line saying "bogus TLV". The network analyzer, in contrast, does provide you with the exact data, and your vendor support organization can look for evidence as to what went wrong and how the data is corrupted.

When capturing data using commercial network analyzers, the authors found that all too often the network analyzer incorrectly interprets some of the newer TLVs, such as the Extended IS Reach, Multi-Topology IS Reach and their nested sub-TLVs. Surprisingly, the two open-source network analyzers, tcpdump and Ethereal (since renamed Wireshark), have sound support for IS-IS. Because the software is free and maintained on an ongoing basis, the authors warmly recommend use of tcpdump and/or Ethereal to troubleshoot your network and learn about IS-IS at the same time.

Another reason to learn about tcpdump is that JUNOS embeds tcpdump as part of its router software. Tcpdump in JUNOS is wrapped inside the monitor traffic interface command. If you enter that command, then tcpdump (with its default settings) will start producing single-line output. If the output does not immediately start, then you should probably turn off DNS resolution, as the screen output may be waiting for a DNS response. The no-resolve knob turns off name resolution and makes the analyzer report one packet per line. Tcpdump also features a multi-line output if the detail flag is provided as a command option.

Note that tcpdump by default only captures the first 96 bytes of an IP packet. While this short capture of the IP packet is sufficient to interpret the TCP headers (which are the origin of the name "tcpdump"), it is not enough to display the content of a control plane packet.
For example, just recall that a link-state PDU may be up to hundreds of bytes in size. The size parameter controls the capture length of the data. For IS-IS, the highest possible packet size is 1492 bytes. However, specifying a capture size of 1492 is not enough, because tcpdump does its capturing on the data-link layer, and the capture length therefore has to cover the whole frame, not just the IS-IS PDU. For Ethernet, you need to add 17 bytes (Destination MAC address, Source MAC address, Length, DSAP, SSAP, Control; see Figure 4.2 for details), which results in a capture size of 1509. Many people just use 1514 instead, the maximum Ethernet frame size (1500-byte MTU plus the 14-byte Ethernet header), as it also catches every IP control plane packet that can fit on an Ethernet.

Tcpdump also allows you to filter the output using the matching keyword. Unfortunately, the filter string support for IS-IS is not very rich in the packet-capture library that Juniper is using. It only allows specifying the keyword isis for filtering just IS-IS frames. The public version of tcpdump has much broader support for IS-IS: it can filter based on level, PDU type and combinations of those. Analyzing the traffic on a Gigabit Ethernet interface (for example) would require the following command string.
JUNOS command output

    hannes@Frankfurt> monitor traffic interface ge-0/1/0.0 size 1514 no-resolve matching isis
    08:04:12.675185 In OSI, IS-IS, L2 Lan IIH, src-id 1921.6800.0008, lan-id 1921.6800.0024.02, prio 64, length 1492
    08:04:12.972945 Out OSI, IS-IS, L1 Lan IIH, src-id 1921.6800.0024, lan-id 1921.6800.0008.02, prio 64, length 1492
    08:04:14.262970 Out OSI, IS-IS, L2 Lan IIH, src-id 1921.6800.0024, lan-id 1921.6800.0024.02, prio 64, length 1492
    08:04:14.295254 In OSI, IS-IS, L1 Lan IIH, src-id 1921.6800.0008, lan-id 1921.6800.0008.02, prio 120, length 1492
    08:04:16.783397 In OSI, IS-IS, L1 Lan IIH, src-id 1921.6800.0008, lan-id 1921.6800.0008.02, prio 120, length 1492
    08:04:16.933018 Out OSI, IS-IS, L2 Lan IIH, src-id 1921.6800.0024, lan-id 1921.6800.0024.02, prio 64, length 1492
    08:04:17.734220 In OSI, IS-IS, L1 CSNP, src-id 1921.6800.0008, length 96
    08:04:19.525291 In OSI, IS-IS, L1 Lan IIH, src-id 1921.6800.0008, lan-id 1921.6800.0008.02, prio 120, length 1492
    08:04:19.732283 Out OSI, IS-IS, L2 CSNP, src-id 1921.6800.0024, length 113
    08:04:19.943063 Out OSI, IS-IS, L2 Lan IIH, src-id 1921.6800.0024, lan-id 1921.6800.0024.02, prio 64, length 1492
    08:04:20.015298 In OSI, IS-IS, L2 Lan IIH, src-id 1921.6800.0008, lan-id 1921.6800.0024.02, prio 64, length 1492

You can write the captured data to a file which can later be examined using third-party analyzers like Ethereal.

JUNOS command output

    hannes@Frankfurt> monitor traffic interface ge-0/1/0.0 size 1514 write-file hello-problem.pcap
    Listening on ge-0/1/0.0, capture size 1514 bytes

You can now transfer the file to your workstation where you run your network analyzer and examine it more closely there. Alternatively, you can pipe your captured data over an SSH session to a UNIX host and make the router a remote probe performing a live capture, as illustrated in Figure 15.2. The captured stream is conveyed using the SSH protocol and fed into a network analyzer like Ethereal.
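What an analyzer actually has to do with one of the frames in a capture like hello-problem.pcap is shown by the following added example; it is not code from the book or from tcpdump or Ethereal. It builds an L2 LAN IIH at the 802.3/LLC frame level (the 17 bytes of Ethernet and LLC overhead, the 8-byte common header, the 19-byte LAN IIH header, then the TLVs, padded to 1492 bytes as routers do) and decodes it the way the Ethereal decode later in this section presents it. The decoder compares the captured length with the PDU length, so a 96-byte snaplen capture is reported as truncated together with the capture size that would have sufficed, and it bounds-checks every TLV so that an over-long TLV is reported as bogus instead of being silently mis-read. The System-IDs, neighbour MACs and the password are constructed sample data; the password is carried as simple (cleartext) authentication to show why that option is visible to anyone with a capture.

```python
"""Build and decode an IS-IS LAN IIH at the frame level (added example)."""
import struct

NLPID_ISIS = 0x83
LLC_ISIS = b"\xfe\xfe\x03"                 # DSAP 0xFE, SSAP 0xFE, UI control
ETH_LLC_OVERHEAD = 6 + 6 + 2 + 3           # dst, src, 802.3 length, DSAP/SSAP/control = 17
ALL_L1_IS, ALL_L2_IS = bytes.fromhex("0180c2000014"), bytes.fromhex("0180c2000015")
SRC_MAC = bytes.fromhex("00d0b7b271cc")    # constructed; same value as a neighbour in the text
PDU_NAMES = {15: "L1 Lan IIH", 16: "L2 Lan IIH"}
AUTH_NAMES = {1: "cleartext", 54: "HMAC-MD5"}


def fmt_id(b):
    """Render a 6-byte System-ID or 7-byte LAN-ID as 0000.0000.0001[.02]."""
    s = ".".join(b[i:i + 2].hex() for i in range(0, 6, 2))
    return s + (f".{b[6]:02x}" if len(b) == 7 else "")


def build_lan_iih(level, src_id, lan_id, tlvs, prio=64, hold=27, pad_to=0):
    """Serialise a LAN IIH frame; pad_to fills with Padding TLVs (type 8) like a router does."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in tlvs)
    while 27 + len(body) + 2 <= pad_to:
        n = min(255, pad_to - 27 - len(body) - 2)
        body += bytes([8, n]) + bytes(n)
    pdu_len = 27 + len(body)
    common = bytes([NLPID_ISIS, 27, 1, 0, 15 if level == 1 else 16, 1, 0, 0])
    fixed = struct.pack("!B6sHHB7s", 3, src_id, hold, pdu_len, prio, lan_id)
    pdu = common + fixed + body
    dst = ALL_L1_IS if level == 1 else ALL_L2_IS
    return dst + SRC_MAC + struct.pack("!H", len(pdu) + 3) + LLC_ISIS + pdu


def decode_lan_iih(frame):
    """Decode one captured frame; raise ValueError on truncation or a bogus TLV."""
    if len(frame) < ETH_LLC_OVERHEAD + 27 or frame[14:17] != LLC_ISIS:
        raise ValueError("not an IS-IS LLC frame, or shorter than a LAN IIH header")
    pdu = frame[ETH_LLC_OVERHEAD:]
    nlpid, hdr_len, _, id_len, pdu_type, _, _, _ = pdu[:8]
    pdu_type &= 0x1F                                   # top three bits are reserved
    if nlpid != NLPID_ISIS or pdu_type not in PDU_NAMES or hdr_len != 27 or id_len not in (0, 6):
        raise ValueError(f"unsupported or corrupt header (type {pdu_type}, hdr_len {hdr_len})")
    circuit, src_id, hold, pdu_len, prio, lan_id = struct.unpack("!B6sHHB7s", pdu[8:27])
    if len(pdu) < pdu_len:                             # the snaplen problem from the text
        raise ValueError(f"truncated: captured {len(pdu)} of {pdu_len} PDU bytes; "
                         f"use a capture size of at least {pdu_len + ETH_LLC_OVERHEAD}")
    out = {"pdu": PDU_NAMES[pdu_type], "circuit_type": circuit & 0x3,
           "src_id": fmt_id(src_id), "lan_id": fmt_id(lan_id), "holdtime": hold,
           "pdu_len": pdu_len, "priority": prio & 0x7F,
           "areas": [], "neighbors": [], "auth": None, "tlv_types": []}
    off = 27
    while off < pdu_len:
        if off + 2 > pdu_len:
            raise ValueError(f"bogus TLV: header at offset {off} runs past the PDU end")
        t, l = pdu[off], pdu[off + 1]
        if off + 2 + l > pdu_len:
            raise ValueError(f"bogus TLV type {t}: length {l} exceeds the "
                             f"{pdu_len - off - 2} bytes left in the PDU")
        v = pdu[off + 2:off + 2 + l]
        out["tlv_types"].append(t)
        if t == 1:                                     # Area Addresses: [len][prefix]...
            i = 0
            while i < l:
                n = v[i]
                out["areas"].append(v[i + 1:i + 1 + n].hex())
                i += 1 + n
        elif t == 6:                                   # IS Neighbors: 6-byte MACs
            out["neighbors"] += [v[i:i + 6].hex(":") for i in range(0, l, 6)]
        elif t == 10:                                  # Authentication: type byte + value
            kind = AUTH_NAMES.get(v[0], str(v[0]))
            out["auth"] = (kind, v[1:].decode("latin-1") if v[0] == 1 else v[1:].hex())
        off += 2 + l
    return out


# Constructed sample: an L2 IIH like the one in the Ethereal decode in this
# section, with simple authentication so the password is visible on the wire.
SAMPLE_TLVS = [
    (1, bytes.fromhex("03490001")),                    # area 49.0001
    (129, bytes.fromhex("cc8e")),                      # protocols supported: IPv4, IPv6
    (132, bytes([172, 16, 33, 10])),                   # IP interface address
    (6, bytes.fromhex("00d0b7b271cc0002b32b0e52")),    # two IS neighbours
    (10, b"\x01" + b"isis-pw"),                        # authentication-type simple
]
SAMPLE_FRAME = build_lan_iih(2, bytes.fromhex("000000000001"),
                             bytes.fromhex("00000000000202"), SAMPLE_TLVS, pad_to=1492)

if __name__ == "__main__":
    print(decode_lan_iih(SAMPLE_FRAME))
    try:
        decode_lan_iih(SAMPLE_FRAME[:96])              # tcpdump's old default snaplen
    except ValueError as err:
        print("snaplen 96:", err)
```

The padded sample frame is 1509 bytes long, which is where the 1492 + 17 figure in the text comes from; feeding only its first 96 bytes to the decoder reproduces the problem a default-snaplen capture causes, and corrupting a TLV length byte produces the "bogus TLV" case a debug log would only hint at.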
Unfortunately, real-time capturing and decoding cannot be done using the command line interface. You need to start a shell and become a super-user in order to do that. This practice is not encouraged by Juniper Networks, because of the potential for great harm to the router, but under the guidance of very experienced operators or with Juniper Networks technical assistance, this can be a valuable tool.

JUNOS/tcpdump output

The JUNOS embedded tcpdump command in combination with the SSH protocol can be a powerful remote capturing "device" for Ethereal. The command assumes that your UNIX machine is also your X11 display server for your Ethereal session. You have to replace the USER and REMOTEHOST fields with your username and the IP address or name of the machine where you run Ethereal.

    hannes@Frankfurt> start shell
    % su
    Password:
    root@Frankfurt% tcpdump -i ge-0/1/0 -s1514 -w - "isis" | ssh USER@REMOTEHOST "( ethereal -knSli - )"
    Listening on ge-0/1/0, capture size 1514 bytes
    USER@REMOTEHOST's password: <PASSWORD>

FIGURE 15.2. The JUNOS router captures data from one of its control plane interfaces and pipes it through the Secure Shell (SSH) Protocol to a workstation running the analyzer software [figure: Network Cloud, Capture Interface, SSH Connection, Network Analyzer]

After 1–2 seconds you should see Ethereal starting up, as illustrated in Figure 15.3. Two windows will be opened. In the foreground capture window you can see brief per-protocol statistics. The background window is divided into three parts. The top window is the packet browser, which shows a packet per line. The middle section decodes the selected packet. In the third window there is a hex dump of the packet. A nice function of Ethereal is that once you select a branch in the middle section, for example a TLV, the corresponding hex dump digits get highlighted.
If the screen output needs to get redirected to a remote station using the X11 protocol, you first need to give a hint where the display server is located. You need to set the DISPLAY environment variable to the IP address of the X11 server. Changing environment variables depends on the UNIX shell type. The example shows a remote X11 server and assumes that the shell for changing the DISPLAY variable is the Bourne Again Shell (bash), which today is the preferred shell on many UNIX-based systems. Note that the assignment must be written without spaces around the equals sign; bash rejects "export DISPLAY = host:0" as an invalid identifier.

JUNOS/tcpdump output

If your display server is not the machine where Ethereal is running, you need to specify the IP address of the X11 server. Replace the XSERVERHOST string with the name or IP address of your X11 server.

    hannes@Frankfurt> start shell
    % su
    Password:
    root@Frankfurt% tcpdump -i ge-0/1/0 -s1514 -w - "isis" | ssh USER@REMOTEHOST "( export DISPLAY=XSERVERHOST:0; ethereal -knSli - )"
    Listening on ge-0/1/0, capture size 1514 bytes
    USER@REMOTEHOST's password: <PASSWORD>

Ethereal comes in two flavours: the first one features a graphical user interface (GUI). The GUI version has been utilized in the previous examples. The second one renders the entire packet as text-only output that may be used by users who just have terminal access to a UNIX station. The text version of Ethereal is called Tethereal and displays the full networking stack, including Layer 2 information of a given packet.

JUNOS/Ethereal output

Tethereal provides a very nice text-only output variant displaying the full networking stack and all of its details.

    hannes@Frankfurt> start shell
    % su
    Password:
    root@Frankfurt% tcpdump -i ge-0/1/0 -s1514 -w - "isis" | ssh USER@REMOTEHOST "( tethereal -nVli - )"
    Listening on ge-0/1/0, capture size 1514 bytes
    USER@REMOTEHOST's password: <PASSWORD>

FIGURE 15.3.
Ethereal starts with a capture window giving brief per-protocol statistics and a verbose decoder window in the background

    Capturing on -
    Frame 1 (1509 bytes on wire, 1509 bytes captured)
        Arrival Time: Nov 20, 2003 11:39:56.002525000
        Time delta from previous packet: 0.000000000 seconds
        Time since reference or first frame: 0.000000000 seconds
        Frame Number: 1
        Packet Length: 1509 bytes
        Capture Length: 1509 bytes
    […]
    ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
        Intra Domain Routing Protocol Discriminator: ISIS (0x83)
        PDU Header Length : 27
        Version (==1) : 1
        System ID Length : 6
        PDU Type : L2 HELLO (R:000)
        Version2 (==1) : 1
        Reserved (==0) : 0
        Max.AREAs: (0==3) : 0
        ISIS HELLO
            Circuit type : Level 1 and 2, reserved(0x00 == 0)
            System-ID {Sender of PDU} : 0000.0000.0001
            Holding timer : 27
            PDU length : 1492
            Priority : 64, reserved(0x00 == 0)
            System-ID {Designated IS} : 0000.0000.0002.02
            IS Neighbor(s) (12)
                IS Neighbor: 00:d0:b7:b2:71:cc
                IS Neighbor: 00:02:b3:2b:0e:52
    […]

15.3 Case Studies

In this section you will see examples of broken IS-IS configurations. The majority of problems revolve around adjacency and sub-net configuration, which mostly have router-local impact only. There is, however, a devastating example that can cause an entire network meltdown. Frequent encounters with this latter problem even caused the router vendors to provide a protection knob that should be turned on.

Most IS-IS problems are problems bringing up an adjacency. Therefore, we will discuss the main six problems on the topic of adjacencies and how to quickly diagnose what the problem is.

15.3.1 Broken IS-IS Adjacency

Rather than comparing individual configurations against one another, we will start out with two configurations that encompass in total five mistakes and incrementally troubleshoot the two configurations.

JUNOS configuration

The complete IS-IS configuration of Frankfurt.
We want to run an authenticated IS-IS Level 1 adjacency over a SONET link and route IPv4 and IPv6 traffic over the circuit.

    hannes@Frankfurt> show configuration
    […]
    interfaces {
        so-0/2/0 {
            description "to London POS4/1";
            unit 0 {
                family inet {
                    address 172.16.33.14/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.0.8/32;
                }
                family iso {
                    address 49.0001.1921.6800.0008.00;
                }
            }
        }
        […]
    }
    protocols {
        isis {
            level 1 {
                authentication-key "$9$LkT7dskqf5F/"; # SECRET-DATA
                authentication-type md5; # SECRET-DATA
                wide-metrics-only;
            }
            interface so-0/2/0.0 {
                level 1 disable;
            }
            lo0.0;
        }
        […]
    }

IOS configuration

The IOS configuration of London should match that of Frankfurt.

    London#show running-config
    […]
    key chain MY-ISIS-PASSWORD
