Monday, January 2, 2017

ISIS Routing: Example Config/Notes



With ISIS now on the CCIE R&S written blueprint, here is a brief summary of ISIS routing and an example config.

R1(L1) FA0/0 ---- FA0/0 R2(L1/L2) FA0/1 ----- FA0/0 R3 (L2)

R1: NET 49.0001.1111.1111.1111.00
R2: NET 49.0001.2222.2222.2222.00
R3: NET 49.0002.3333.3333.3333.00

R1 Area = 49.0001
R1 Unique System ID = 1111.1111.1111 (must be unique)
R1 N-Selector = 00 (must always be 00)

R1 and R2 are in the same area.
R2 and R3 are in different areas.

R1 and R2, being in the same area, only require a Level 1 adjacency
R2 and R3, being in different areas, only require a Level 2 adjacency

Level 2 is the ISIS backbone (akin to OSPF area 0)
A Level 1 area is equivalent to an OSPF stub area: an L1 router only sees routes within its own area plus a default route toward an L1/L2 router
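The NET rules above (area prefix, a unique 6-byte System ID, NSEL always 00) and the "same area = L1, different area = L2" rule can be checked mechanically. The following Python is an added example written for this post, not code from the original, and it encodes only what the post states: it parses the three NETs, rejects a bad NSEL or a System ID reused by two routers, and derives the adjacency level each link needs and the is-type each router could be configured with. The router names and link list are taken from the topology line above; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NET layout as used on the page: <AFI>[.<area groups>].<System ID: 3 x 4 hex>.<NSEL: 2 hex>
# e.g. 49.0001.1111.1111.1111.00 -> area 49.0001, System ID 1111.1111.1111, NSEL 00.
# At least three 4-hex-digit groups must follow the AFI (the 6-byte System ID).
NET_RE = re.compile(r"^[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{4}){3,}\.[0-9a-fA-F]{2}$")


@dataclass(frozen=True)
class Net:
    area: str       # AFI plus area ID, e.g. "49.0001"
    system_id: str  # 6-byte System ID, e.g. "1111.1111.1111"
    nsel: str       # NSEL, always "00" on a router


def parse_net(net: str) -> Net:
    """Split a NET into area, System ID and NSEL, rejecting malformed ones."""
    if not NET_RE.match(net):
        raise ValueError(f"malformed NET: {net}")
    groups = net.split(".")
    nsel = groups[-1]
    if nsel != "00":
        raise ValueError(f"NSEL must be 00 for a router NET, got {nsel} in {net}")
    return Net(area=".".join(groups[:-4]),
               system_id=".".join(groups[-4:-1]),
               nsel=nsel)


def required_level(a: Net, b: Net) -> str:
    """Neighbours in the same area need only an L1 adjacency; across areas, L2."""
    return "L1" if a.area == b.area else "L2"


def validate_domain(nets: Dict[str, str]) -> Dict[str, Net]:
    """Parse every router's NET and reject a System ID reused by two routers."""
    parsed = {name: parse_net(n) for name, n in nets.items()}
    owner: Dict[str, str] = {}
    for name, net in parsed.items():
        if net.system_id in owner:
            raise ValueError(
                f"System ID {net.system_id} is used by both {owner[net.system_id]} and {name}")
        owner[net.system_id] = name
    return parsed


def adjacency_plan(nets: Dict[str, str],
                   links: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """For each link (a, b) return the adjacency level the two routers need."""
    parsed = validate_domain(nets)
    return {(a, b): required_level(parsed[a], parsed[b]) for a, b in links}


def router_is_type(name: str, plan: Dict[Tuple[str, str], str]) -> str:
    """Derive the is-type a router needs from the levels of the links it sits on.

    Links at both levels (or no links at all) give level-1-2, the IOS default.
    """
    levels = {lvl for (a, b), lvl in plan.items() if name in (a, b)}
    if levels == {"L1"}:
        return "level-1"
    if levels == {"L2"}:
        return "level-2"
    return "level-1-2"


# The page's three routers and two links (R1--R2 and R2--R3).
PAGE_NETS = {
    "R1": "49.0001.1111.1111.1111.00",
    "R2": "49.0001.2222.2222.2222.00",
    "R3": "49.0002.3333.3333.3333.00",
}
PAGE_LINKS = [("R1", "R2"), ("R2", "R3")]

if __name__ == "__main__":
    plan = adjacency_plan(PAGE_NETS, PAGE_LINKS)
    for (a, b), level in plan.items():
        print(f"{a} -- {b}: {level} adjacency")
    for router in PAGE_NETS:
        print(f"{router}: is-type {router_is_type(router, plan)}")
```

Run as a script it reports R1--R2 as L1, R2--R3 as L2, and is-types level-1, level-1-2 and level-2 for R1, R2 and R3, which matches the example config below (R3 is done there with isis circuit-type level-2-only on its one interface rather than a global is-type, which has the same effect in this topology).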

Whereas in OSPF the router ID is derived from a local IP address, ISIS is not an L3 or IP protocol: its equivalent of a router ID is configured with the net command. ISIS PDUs are encapsulated directly in the Ethernet (data-link) frame rather than in IP, so its link-state advertisements (LSPs) are carried as Ethernet payload.

By default ISIS is a single-topology protocol: if both IPv4 and IPv6 are configured they share the same control plane (one set of adjacencies and one SPF run) and the same routing table. In OSPF (OSPFv2 for IPv4, OSPFv3 for IPv6) each address family has its own control plane and routing table.

Example Config

R1
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
 ip router isis 1
!
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip router isis 1

router isis 1
 net 49.0001.1111.1111.1111.00
 is-type level-1

R2
interface Loopback0
 ip address 172.16.2.2 255.255.255.255
 ip router isis 1
!
interface FastEthernet0/0
 ip address 172.16.12.2 255.255.255.0
 ip router isis 1

interface FastEthernet0/1
 ip address 172.16.23.1 255.255.255.252
 ip router isis 1
 isis circuit-type level-2-only

router isis 1
 net 49.0001.2222.2222.2222.00

R3
interface Loopback0
 ip address 172.16.3.3 255.255.255.255
 ip router isis 1
!
interface Loopback1
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.23.2 255.255.255.252
 ip router isis 1
 isis circuit-type level-2-only

router isis 1
 net 49.0002.3333.3333.3333.00
 redistribute connected



Show commands

R1#show isis nei
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R2             L1   Fa0/0       172.16.12.2     UP    8        R2.01


R2#show isis nei
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L1   Fa0/0       172.16.12.1     UP    27       R2.01
R3             L2   Fa0/1       172.16.23.2     UP    8        R3.02

R3#show isis nei
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R2             L2   Fa0/0       172.16.23.1     UP    22       R3.02


N.B. R1 only has L1 routes. To reach anything outside its area (the L2 domain) it follows the default route to the nearest L1/L2 router, which signals its attachment to Level 2 by setting the ATT bit in its L1 LSP. In this topology that router is R2.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.12.2 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.12.0/24 is directly connected, FastEthernet0/0
i L1    172.16.2.2/32 [115/20] via 172.16.12.2, FastEthernet0/0
C       172.16.1.1/32 is directly connected, Loopback0
i*L1 0.0.0.0/0 [115/10] via 172.16.12.2, FastEthernet0/0


N.B. Router 2 has a full routing table with all L1 and L2 routes.

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
i L2    5.5.5.0 [115/10] via 172.16.23.2, FastEthernet0/1
     172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
i L2    172.16.24.0/24 [115/10] via 172.16.23.2, FastEthernet0/1
C       172.16.23.0/30 is directly connected, FastEthernet0/1
C       172.16.12.0/24 is directly connected, FastEthernet0/0
i L2    172.16.3.3/32 [115/20] via 172.16.23.2, FastEthernet0/1
C       172.16.2.2/32 is directly connected, Loopback0
i L1    172.16.1.1/32 [115/20] via 172.16.12.1, FastEthernet0/0


N.B. Router 3 has a full L2 routing table. This includes the Level 1 routes from area 49.0001, seen as L2 (inter-area) entries.

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback1
     172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
C       172.16.24.0/24 is directly connected, FastEthernet0/1
C       172.16.23.0/30 is directly connected, FastEthernet0/0
i L2    172.16.12.0/24 [115/20] via 172.16.23.1, FastEthernet0/0
C       172.16.3.3/32 is directly connected, Loopback0
i L2    172.16.2.2/32 [115/20] via 172.16.23.1, FastEthernet0/0
i L2    172.16.1.1/32 [115/30] via 172.16.23.1, FastEthernet0/0
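The three N.B. notes above state what each router's table should look like given its level: an L1-only router holds only L1 routes plus a candidate default toward the L1/L2 router, and an L2-only router holds only L2 routes. The following Python is an added example, not part of the original post: it parses the IS-IS rows out of show ip route text and reports any row that contradicts the router's configured is-type, which is a quick sanity check to run after a change or when an unexpected route appears. The three tables are copied from the post's output (legend rows omitted); the function names are my own.

```python
import re
from typing import Dict, List

# Matches the IS-IS rows of `show ip route`, e.g.
#   i L1    172.16.2.2/32 [115/20] via 172.16.12.2, FastEthernet0/0
#   i*L1 0.0.0.0/0 [115/10] via 172.16.12.2, FastEthernet0/0
ISIS_ROUTE_RE = re.compile(
    r"^i(?P<default>[* ])(?P<level>L1|L2|ia|su)\s+(?P<prefix>\S+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[\d.]+)"
)


def parse_isis_routes(show_ip_route: str) -> List[Dict]:
    """Extract the IS-IS routes from `show ip route` text; other rows are ignored."""
    routes = []
    for line in show_ip_route.splitlines():
        m = ISIS_ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "prefix": m["prefix"],
                "level": m["level"],
                "default": m["default"] == "*",   # the i*L1 candidate default
                "metric": int(m["metric"]),
                "nexthop": m["nexthop"],
            })
    return routes


def check_router(show_ip_route: str, is_type: str) -> List[str]:
    """Compare a table with what the router's level predicts; [] means it matches.

    is_type is "level-1", "level-1-2" or "level-2", as under `router isis`.
    """
    routes = parse_isis_routes(show_ip_route)
    levels = {r["level"] for r in routes if r["level"] in ("L1", "L2")}
    defaults = [r for r in routes if r["default"]]
    findings = []
    if is_type == "level-1":
        if levels - {"L1"}:
            findings.append(f"L1-only router holds {sorted(levels - {'L1'})} routes")
        if not defaults:
            findings.append("L1-only router has no candidate default toward an L1/L2 router")
    elif is_type == "level-2":
        if levels - {"L2"}:
            findings.append(f"L2-only router holds {sorted(levels - {'L2'})} routes")
    elif is_type != "level-1-2":
        raise ValueError(f"unknown is-type {is_type}")
    return findings


# Route tables copied from the page's `show ip route` output (legend omitted).
R1_SHOW_IP_ROUTE = """\
Gateway of last resort is 172.16.12.2 to network 0.0.0.0
C       172.16.12.0/24 is directly connected, FastEthernet0/0
i L1    172.16.2.2/32 [115/20] via 172.16.12.2, FastEthernet0/0
C       172.16.1.1/32 is directly connected, Loopback0
i*L1 0.0.0.0/0 [115/10] via 172.16.12.2, FastEthernet0/0
"""
R2_SHOW_IP_ROUTE = """\
Gateway of last resort is not set
i L2    5.5.5.0 [115/10] via 172.16.23.2, FastEthernet0/1
i L2    172.16.24.0/24 [115/10] via 172.16.23.2, FastEthernet0/1
C       172.16.23.0/30 is directly connected, FastEthernet0/1
i L2    172.16.3.3/32 [115/20] via 172.16.23.2, FastEthernet0/1
i L1    172.16.1.1/32 [115/20] via 172.16.12.1, FastEthernet0/0
"""
R3_SHOW_IP_ROUTE = """\
Gateway of last resort is not set
C       172.16.23.0/30 is directly connected, FastEthernet0/0
i L2    172.16.12.0/24 [115/20] via 172.16.23.1, FastEthernet0/0
i L2    172.16.2.2/32 [115/20] via 172.16.23.1, FastEthernet0/0
i L2    172.16.1.1/32 [115/30] via 172.16.23.1, FastEthernet0/0
"""

if __name__ == "__main__":
    for name, table, is_type in (("R1", R1_SHOW_IP_ROUTE, "level-1"),
                                 ("R2", R2_SHOW_IP_ROUTE, "level-1-2"),
                                 ("R3", R3_SHOW_IP_ROUTE, "level-2")):
        findings = check_router(table, is_type)
        print(f"{name} ({is_type}): {'OK' if not findings else '; '.join(findings)}")
```

All three of the post's tables come back OK; feeding R3's table in with is_type "level-1" produces two findings (L2 routes present, no candidate default), which is the kind of mismatch you would see if a router's level or an interface circuit-type were set wrongly.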

Payment Card Industry Data Security Standard - PCI DSS

PCI DSS fundamentals

PCI DSS requirements apply to any organisation that stores, processes or transmits the following:

Primary Account Number
Cardholder Name
Expiration Date
Service Code
Full track data *
CAV2/CVC2/CVV2/CID *
PIN *

* These items are deemed sensitive authentication data and cannot be stored after authorisation, even if encrypted.

PCI DSS applies to all system components in the CDE (cardholder data environment). The CDE comprises the people, processes and technologies that store, process or transmit cardholder data (as above).



Merchant Levels

There are different levels of merchants, Level 1 through Level 4, with Level 1 being the highest. In general a merchant's level is determined by transaction volume, and the classification thresholds vary between card brands (Amex, Visa and Mastercard).

There is a misconception that the degree to which you must comply with PCI DSS varies between the levels. In fact merchants must comply with the entire DSS regardless of their level; the only variable is how, and how often, compliance is reported upstream. The exact scope of compliance validation is determined by merchant level (transaction volume, card brand and method of accepting cards). Also, a merchant that has suffered a breach leaving card data compromised is raised to Level 1!

Level 1            ASV scan, QSA on-site assessment
Level 2            ASV scan, SAQ self-assessment
Level 3            ASV scan, SAQ self-assessment
Level 4            ASV scan if requested by acquirer, SAQ self-assessment

Notes:
ASV = Approved Scanning Vendor
SAQ = Self-Assessment Questionnaire