IS-IS in virtual routers

Multiple IS-IS instances can be hosted in Virtual Service Router. There are two ways of separating those instances:

• using VRFs, when strong isolation is needed between each routing instance. IS-IS per VRF instances are mainly used for connecting to the backbone network.

• using L3VRFs, when light and scalable isolation is needed. When acting as PE, IS-IS redistributes VPN routes to CPEs connected to L3VRFs.

IS-IS separate instances per VRF

VRF provides hard isolation. Each VRF acts like a separate logical autonomous router. Unless veth interfaces are used to cross the border, each VRF has no shared network with the other VRFs. Also, using VRFs enables to configure overlapping interface names, and can help in simplifying the deployment.

Note

We recommend using L3VRFs when a lot of instances are needed, as VRFs cost a lot of resources.

The following configuration creates two IS-IS instances in separate VRFs. The network addressing and the logical interface naming remain the same. IS-IS ensures route distribution between the two physical interfaces where adjacencies are done.

vsr running config# vrf customer1
vsr running vrf customer1# interface
vsr running interface# loopback loop1
vsr running loopback loop1# ipv4 address 1.1.1.1/32
vsr running loopback loop1# ..
vsr running interface# physical eth0
vsr running physical eth0#! port pci-b0s4
vsr running physical eth0# ipv4 address 10.125.0.1/24
vsr running physical eth0# ..
vsr running interface# physical eth1
vsr running physical eth1#! port pci-b0s5
vsr running physical eth1# ipv4 address 10.200.0.1/24
vsr running physical eth1# ..
vsr running interface# ..
vsr running vrf customer1# routing isis instance 1
vsr running instance 1# area-address 49.0123.6452.1972.00
vsr running instance 1# is-type level-1
vsr running instance 1# .. ..
vsr running routing# interface loop1
vsr running interface loop1# isis area-tag 1
vsr running interface loop1#! isis ipv4-routing true
vsr running interface loop1# isis passive true
vsr running interface loop1# ..
vsr running routing# interface eth0
vsr running interface eth0# isis ipv4-routing true
vsr running interface eth0#! isis area-tag 1
vsr running interface eth0# ..
vsr running routing# interface eth1
vsr running interface eth1# isis ipv4-routing true
vsr running interface eth1#! isis area-tag 1
vsr running interface eth1# ..
vsr running routing# ..
vsr running vrf customer1# ..
vsr running config# vrf customer2
vsr running vrf customer2# interface
vsr running interface# loopback loop1
vsr running loopback loop1# ipv4 address 1.1.1.1/32
vsr running loopback loop1# ..
vsr running interface# physical eth2
vsr running physical eth2#! port pci-b0s6
vsr running physical eth2# ipv4 address 10.125.0.1/24
vsr running physical eth2# ..
vsr running interface# physical eth3
vsr running physical eth3#! port pci-b0s7
vsr running physical eth3# ipv4 address 10.200.0.1/24
vsr running physical eth3# ..
vsr running interface# ..
vsr running vrf customer1# routing isis instance 2
vsr running instance 2# area-address 49.0123.6452.1973.00
vsr running instance 2# is-type level-1
vsr running instance 2# .. ..
vsr running routing# interface loop1
vsr running interface loop1# isis area-tag 2
vsr running interface loop1#! isis ipv4-routing true
vsr running interface loop1# isis passive true
vsr running interface loop1# ..
vsr running routing# interface eth2
vsr running interface eth2# isis ipv4-routing true
vsr running interface eth2#! isis area-tag 2
vsr running interface eth2# ..
vsr running routing# interface eth3
vsr running interface eth3# isis ipv4-routing true
vsr running interface eth3#! isis area-tag 2
vsr running interface eth3# ..
vsr running routing#

The IS-IS adjacencies can be dumped by using the following command:

vsr> show isis vrf customer1 neighbor
Area 1:
  System Id           Interface   L  State        Holdtime SNPA
  vsr2            eth0        2  Up            29       deed.e2d5.5e21

IS-IS separate instances per L3VRF

Using L3VRF IS-IS instances helps to reach good scalability (each instance is smaller, uses less memory and CPU than a VRF instance), but the isolation provided is light (each L3VRF instance of a VRF is part of the same IS-IS process). The solution guarantees isolation between the configured IS-IS instances and allows leaking traffic as well. A typical use case is when Virtual Service Router acts as a PE, where VPN routes are redistributed to CPEs.

The following configuration creates two L3VRF instances named customer1 and customer2.

vsr running config# vrf main
vsr running vrf main# l3vrf customer1
vsr running l3vrf customer1#! table-id 10
vsr running l3vrf customer1# interface loopback loop_cust1
vsr running loopback loop_cust1# ipv4 address 1.1.1.1/32
vsr running loopback loop_cust1# .. ..
vsr running l3vrf customer1# interface physical eth1
vsr running physical eth1#! port pci-b0s4
vsr running physical eth1# ipv4 address 10.125.0.1/24
vsr running physical eth1# .. ..
vsr running l3vrf customer1# interface physical eth0
vsr running physical eth0#! port pci-b0s5
vsr running physical eth0# ipv4 address 10.200.0.1/24
vsr running physical eth0# .. ..
vsr running l3vrf customer1# routing isis instance 1
vsr running instance 1# area-address 49.0123.6452.1972.00
vsr running instance 1# is-type level-1
vsr running instance 1# redistribute ipv4 bgp level-1
vsr running instance 1# .. ..
vsr running routing# interface loop_cust1
vsr running interface loop_cust1# isis area-tag 1
vsr running interface loop_cust1#! isis ipv4-routing true
vsr running interface loop_cust1# isis passive true
vsr running interface loop_cust1# ..
vsr running routing# interface eth0
vsr running interface eth0# isis ipv4-routing true
vsr running interface eth0#! isis area-tag 1
vsr running interface eth0# ..
vsr running routing# interface eth1
vsr running interface eth1# isis ipv4-routing true
vsr running interface eth1#! isis area-tag 1
vsr running interface eth1# ..
vsr running routing# ..
vsr running l3vrf customer1# ..
vsr running vrf main# l3vrf customer2
vsr running l3vrf customer2#! table-id 20
vsr running l3vrf customer2# interface loopback loop_cust2
vsr running loopback loop_cust2# ipv4 address 1.1.1.1/32
vsr running loopback loop_cust2# .. ..
vsr running l3vrf customer2# interface physical eth2
vsr running physical eth2#! port pci-b0s6
vsr running physical eth2# ipv4 address 10.125.0.1/24
vsr running physical eth2# .. ..
vsr running l3vrf customer2# interface physical eth3
vsr running physical eth3#! port pci-b0s7
vsr running physical eth3# ipv4 address 10.200.0.1/24
vsr running physical eth3# .. ..
vsr running l3vrf customer2# routing isis instance 2
vsr running instance 2# area-address 49.0123.6452.1973.00
vsr running instance 2# is-type level-1
vsr running instance 2# redistribute ipv4 bgp level-1
vsr running instance 2# .. ..
vsr running routing# interface loop_cust2
vsr running interface loop_cust2# isis area-tag 2
vsr running interface loop_cust2#! isis ipv4-routing true
vsr running interface loop_cust2# isis passive true
vsr running interface loop_cust2# ..
vsr running routing# interface eth2
vsr running interface eth2# isis ipv4-routing true
vsr running interface eth2#! isis area-tag 2
vsr running interface eth2# ..
vsr running routing# interface eth3
vsr running interface eth3# isis ipv4-routing true
vsr running interface eth3#! isis area-tag 2
vsr running interface eth3# ..
vsr running routing#

Like for VRF, the IS-IS adjacencies can be dumped by using the below command:

vsr> show isis l3vrf customer1 neighbor
Area 1:
  System Id           Interface   L  State        Holdtime SNPA
  vsr2            eth0        2  Up            29       deed.e2d5.5e21