IS-IS Adjacency Packet Capture [Step by Step Wireshark Analysis]
You may first want to check this article about IS-IS protocol basics:
Topology
We have 2 switches one named “NXOS” and the other is “NX7K-01” (I know the naming isn’t on point):
Basic configuration
NXOS:
NXOS# sh run | sec isis
feature isis
router isis 10
net 11.1111.1111.1111.1111.00
is-type level-1
NXOS# show running-config interface Ethernet1/1
interface Ethernet1/1
no switchport
ip address 172.31.10.1/30
ip router isis 10
no shutdown
NX7K-01:
NX7K-01# sh run | sec isis
feature isis
router isis 10
net 11.1111.2222.2222.2222.00
is-type level-1
NX7K-01# show run interface ethernet 1/1
!Command: show running-config interface Ethernet1/1
!Running configuration last done at: Fri Feb 9 20:34:23 2024
!Time: Fri Feb 9 21:29:06 2024
version 9.3(9) Bios:version
interface Ethernet1/1
no switchport
ip address 172.31.10.2/30
ip router isis 10
no shutdownIS-IS Adjacency Packet capture
ISIS Hello
Let’s discover the field and TLVs for the ISIS Hello PDU:
Circuit Type: This indicates the type of router.
- 01: Level-1
- 10: Level-2
- 11: Level-1-2
SystemID {Sender of PDU}: Originator of the Hello packet.
Holding Timer: interval a neighbor should wait for a Hello before declaring the neighbor dead.
PDU Length: Length of the entire PDU in bytes.
Priority: Carries a value between 0 and 127 which is used for DIS (Designated IS) election on a LAN network. The default value is 64.
LAN ID: This is the System ID plus the Pseudonode ID.
ISIS Hello contain the following TLVs:
- Area Address(es): indicates the area address(es). A router can be configured with multiple area addresses.
- IS Neighbor(s): This TLV is used only in LAN Hellos. Level-1 LAN Hellos list L1 neighbors only, and Level-2 LAN Hellos list L2 neighbors only. It carries the MAC address of the neighbors on the LAN.
- Protocols Supported: This TLV carries the Network Layer Protocol ID (NLPID) of the protocols supported. IP is 0x81.
- IP Interface Address(es): This TLV contains the IP address of the interface out which the PDU was sent.
- Padding: This TLV is used to pad a Hello PDU to at least its minimum allowed size.
1- NX7K-01 sends an ISIS Hello PDU:
The ISIS Hello PDU will be received by the neighbor, since there is no “IS Neighbor” field in this hello PDU including “NXOS” MAC address, it indicates that NX7K-01 didn’t receive yet a Hello from “NXOS” switch.
2- “NXOS“ sends an ISIS Hello PDU:
3- “NX7K-01“ sends an ISIS Hello PDU (including “IS Neighbor”):
Since “NX7K-01” received the Hello from “NXOS”, it will send a Hello, but this time it will contain the “IS Neighbor” field including the MAC address of “NXOS” (because “NX7K-01” already received Hello from “NXOS”).
4- “NXOS“ sends an ISIS Hello PDU (including “IS Neighbor”):
Same for “NXOS“, since it already received an ISIS Hello PDU from neighbor “NX7K-01“, it sends an ISIS Hello with “IS Neighbor” including the address of “NX7K-01“.
➤ At this point, both Neighbors received an ISIS Hello packet including their own address in the “IS Neighbor”, so the Neighborship state will be UP.
ISIS LSP packet:
I’ve added a loopback on “NXOS” switch and advertise it:
interface loopback1
ip address 10.1.1.1/32
ip router isis 10
Then, from the Wireshark, we see routing information exchange via LSPDU (Link State Protocol Data unit) for this route:
Let’s discover the LSP PDU format:
- PDU Length: Length of the entire PDU in bytes.
- Remaining Lifetime: Number of seconds before an LSP is considered expired. Cisco IOS uses 20 mins (1200 seconds).
- LSP ID: It is the System ID, the Pseudonode ID and the LSP number of the LSP.
- Sequence Number: It is the sequence number of the LSP.
Each modification of an LSP causes the sequence number to increment by 1. this is the mechanism allowing IS-IS informs neighbors of changes,
When sequence number with increased value is received on neighbor, it causes neighbor to update its LSDBs according to the recent LSP (with higher seq number). - Type block:
- Checksum: It is the checksum of the contents of the LSP.
- Attachment (ATT): This is a 4-bit field, however, Cisco IOS uses only 1 bit to indicate if the originating router is attached to more than one areas.
- Overload (OL) bit: If the originating router is experiencing a memory overload, it will set this bit to 1. The receiving router will then not use this router as the transit.
- IS Type: This indicates whether the originating router is a L1 or L2.
- 01- Level-1
- 11- Level-2
A L1 and L2 LSP packets contain other TLVs apart from Area Address(es), Protocols Supported, IP Interface Address(es) like:
- IP Internal reachability: This TLV contains the IP addresses/masks within the routing domain that are directly connected to the advertising router. It also includes the metric associated with the prefix.
- IS Reachability: This TLV lists the originating router’s IS-IS neighbors (including Pseudonodes) and the metrics of the router’s link to each of its neighbors.
A L2 LSP packet also contains the following TLVs:
- IP External reachability: This TLV lists the IP addresses/ masks external to the routing domain, which can be reached via one of the originating router’s interface.
ISIS CSNP (Complete Sequence Number Protocol)
CSNP contain LSP Entries:
LSP Entries: This TLV summarizes an LSP by listing its Remaining Lifetime, LSP ID, Sequence Number and Checksum.
We can CSNP being sent by DIS (Designated IS) including the list of LSPs including the update sent for 10.1.1.1/32:
Reference:
