Filter ISIS Interface Routes Using JUNOS Policy

In this article, I'm going to explain how to use JUNOS policy to filter ISIS interface routes. We will look exclusively at export filtering. Import route policy is not allowed when using a link-state protocol such as ISIS or OSPF. This is because all nodes much synchronise their link-state database and import policy may alter this required behavior. The main use case whereby export route filtering can be useful is to reduce the size of your link-state database by filtering interface routes. Large deployments can see many thousands of IGP prefixes. ISIS does not rely on IP for transport thus we can safely filter these. Quite often only certain prefixes are actually required to be exchanged via an IGP such as loopbacks for PE reachability. In this example we will filter interface routes from the ISIS process and verify loopback reachability still exists. 

Topology:

We have 3 routers in the setup with an ISIS L2 adjacency formed between R1 and R2, and also between R2 and R3:

R1

lab@R1> show isis adjacency

Interface             System         L State        Hold (secs) SNPA

ge-0/0/1.0            R2             2  Up                   20

lab@R1> show configuration protocols isis

level 1 disable;

interface ge-0/0/1.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

R2

lab@R2> show isis adjacency

Interface             System         L State        Hold (secs) SNPA

fe-0/0/0.0            R1             2  Up                   22

fe-0/0/1.0            R3             2  Up                   19

lab@R2> show configuration protocols isis

level 1 disable;

interface fe-0/0/0.0 {

    point-to-point;

}

interface fe-0/0/1.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

R3

lab@R3> show isis adjacency  

Interface             System         L State        Hold (secs) SNPA

ge-0/0/0.0            R2             2  Up                   23

lab@R3> show configuration protocols isis

level 1 disable;

interface ge-0/0/0.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

The physical and loopback interfaces form a part of the ISIS process. As this is ISIS we also need to enable family ISO under the physical and loopback interfaces and we need to configure an ISO address under the loopback. 

Interface routes filter:

Now let's take a look at the routing tables on R1, R2 and R3. As expected we can see interface and loopback prefixes learned via ISIS. We can also successfully instantiate a flow between R1 and R3 loopback.

R1

lab@R1> show route protocol isis  

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.5/32      *[IS-IS/18] 14:08:27, metric 20

                    > to 137.221.196.2 via ge-0/0/1.0

10.0.255.6/32      *[IS-IS/18] 01:02:37, metric 10

                    > to 137.221.196.2 via ge-0/0/1.0

137.221.196.4/30   *[IS-IS/18] 00:16:17, metric 20

                    > to 137.221.196.2 via ge-0/0/1.0

R2

lab@R2> show route protocol isis

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.5/32      *[IS-IS/18] 14:11:10, metric 10

                    > to 137.221.196.6 via fe-0/0/1.0

10.0.255.7/32      *[IS-IS/18] 14:12:53, metric 10

                    > to 137.221.196.1 via fe-0/0/0.0

R3

lab@R3> show route protocol isis

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.6/32      *[IS-IS/18] 01:08:23, metric 10

                    > to 137.221.196.5 via ge-0/0/0.0

10.0.255.7/32      *[IS-IS/18] 14:15:56, metric 20

                    > to 137.221.196.5 via ge-0/0/0.0

137.221.196.0/30   *[IS-IS/18] 00:22:02, metric 20

                    > to 137.221.196.5 via ge-0/0/0.0

R1 - R3 Flow

lab@R3> ping 10.0.255.7 source 10.0.255.5 rapid count 10

PING 10.0.255.7 (10.0.255.7): 56 data bytes

!!!!!!!!!!

--- 10.0.255.7 ping statistics ---

10 packets transmitted, 10 packets received, 0% packet loss

round-trip min/avg/max/stddev = 1.267/1.464/1.918/0.229 ms

Now we will create a policy on each router to filter the prefix associated with the physical link. The policy is then applied as export under protocols ISIS. It's important to note that we cannot simply remove the interface from the ISIS process as we still need to instantiate an ISIS adjacency over the link. However, we can safely filter the prefix from being advertised into ISIS.

R1

lab@R3> show configuration policy-options policy-statement ISIS_EXPORT_FILTER

term 1 {

    from {

        protocol direct;

        route-filter 137.221.196.4/30 exact;

    }

    then reject;

}

lab@R3> show configuration protocols isis                                      

export ISIS_EXPORT_FILTER;

level 1 disable;

interface ge-0/0/0.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

R2

lab@R2> show configuration policy-options policy-statement ISIS_EXPORT_FILTER

term 1 {

    from {

        protocol direct;

        route-filter 137.221.196.0/30 exact;

        route-filter 137.221.196.4/30 exact;

    }

    then reject;

}

lab@R2> show configuration protocols isis

export ISIS_EXPORT_FILTER;

level 1 disable;

interface fe-0/0/0.0 {

    point-to-point;

}

interface fe-0/0/1.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

R3

lab@R3> show configuration policy-options policy-statement ISIS_EXPORT_FILTER

term 1 {

    from {

        protocol direct;

        route-filter 137.221.196.4/30 exact;

    }

    then reject;

}

lab@R3> show configuration protocols isis

export ISIS_EXPORT_FILTER;

level 1 disable;

interface ge-0/0/0.0 {

    point-to-point;

}

interface lo0.0 {

    passive;

}

The result is we no longer advertise physical prefixes into ISIS and we can verify this by checking the routing-table on each device. You can also check the link-state database.

R1

lab@R1> show route protocol isis  

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.5/32      *[IS-IS/18] 22:06:25, metric 20

                    > to 137.221.196.2 via ge-0/0/1.0

10.0.255.6/32      *[IS-IS/18] 09:00:35, metric 10

                    > to 137.221.196.2 via ge-0/0/1.0

R2

lab@R2> show route protocol isis

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.5/32      *[IS-IS/18] 22:08:02, metric 10

                    > to 137.221.196.6 via fe-0/0/1.0

10.0.255.7/32      *[IS-IS/18] 22:09:45, metric 10

                    > to 137.221.196.1 via fe-0/0/0.0

R3

lab@R3> show route protocol isis

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.255.6/32      *[IS-IS/18] 09:09:10, metric 10

                    > to 137.221.196.5 via ge-0/0/0.0

10.0.255.7/32      *[IS-IS/18] 22:16:43, metric 20

                    > to 137.221.196.5 via ge-0/0/0.0

Lastly, let's verify that we still have reachability between R1 and R3 loopback interfaces. It's important that we now explicitly source from the loopback as we clearly no longer have reachability between physical prefixes.

lab@R3> ping 10.0.255.7 source 10.0.255.5 rapid count 10        

PING 10.0.255.7 (10.0.255.7): 56 data bytes

!!!!!!!!!!

--- 10.0.255.7 ping statistics ---

10 packets transmitted, 10 packets received, 0% packet loss

round-trip min/avg/max/stddev = 1.270/1.388/2.017/0.212 ms

lab@R3> traceroute 10.0.255.7 source 10.0.255.5            

traceroute to 10.0.255.7 (10.0.255.7) from 10.0.255.5, 30 hops max, 40 byte packets

 1  137.221.196.5 (137.221.196.5)  8.291 ms  45.737 ms  8.106 ms

 2  10.0.255.7 (10.0.255.7)  1.590 ms  1.373 ms  1.323 ms