Hi Team,
Thanks for checking this one out! I am confused about the ISIS import policy while doing a lab and reading the official doc.
Since ISIS is a link-state protocol like OSPF, we need to have the same LSDB, which may limit us in configuring routing policy like an import policy. I get that, and it makes total sense. However, in the lab I configured an import policy on ISIS and that did work, which creates a black-hole traffic situation.
Topology:
R3-----------R2-----------R7 --> level 2 adj only
R3: 172.26.1.3, R2:172.26.1.2, R7: 172.26.1.7 --> Loopback address advertised in ISIS
On R2: checking the LSDB and looking at the LSP from R3, I can see that it is advertising its loopback as an internal route:
  TLVs:
    Area address: 49.0002.1720 (5)
    LSP Buffer Size: 1492
    Speaks: IP
    Speaks: IPV6
    IP router id: 172.26.1.3
    IP address: 172.26.1.3
    Hostname: vMx3
    IS neighbor: vMX2.00, Internal, Metric: default 10
    Extended IS Reachability TLV, Type: 22, Length: 33
    IS extended neighbor: vMX2.00, Metric: default 10 SubTLV len: 22
      IP address: 10.0.23.3
      Neighbor's IP address: 10.0.23.2
      Local interface index: 336, Remote interface index: 336
    IP prefix: 172.26.1.3/32, Internal, Metric: default 0, Up

Now if I check R2 I have an ISIS route to R3, which works as expected.

root@vMX2# run show route 172.26.1.3
inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.26.1.3/32      *[IS-IS/18] 00:00:37, metric 10
                    > to 10.0.23.3 via ge-0/0/3.0
-> Import Policy on R2:
root@vMX2# top show policy-options policy-statement ISIS-IMPORT
term 1 {
    from {
        protocol isis;
        route-filter 172.26.1.3/32 exact;
    }
    then reject;
}
I applied this as an import on ISIS, set protocols isis import ISIS-IMPORT on R2
When I check the routing table, I no longer have 172.26.1.3; it got filtered. However, the LSDB is the same: if I check R7, it is computing 172.26.1.3 with R2 as the next hop, which leads to blackholing the traffic.
root@vMX2# run show isis route 172.26.1.3
IS-IS routing table Current version: L1: 289 L2: 294
[edit protocols isis]
root@vMX2# run show route protocol isis 172.26.1.3
[edit protocols isis]
root@vMX2# run show policy ISIS-IMPORT statistics
Policy ISIS-IMPORT:
[150] Term 1:
from [108 0] proto IS-IS
[8 0] route filter:
172.26.1.3/32 exact
then [8 0] reject
[edit protocols isis]
root@vMX2#
Juniper Doc:
NOTE: If an IS-IS import policy is applied that results in a reject terminating action for a non-external route, then the reject action is ignored and the route is accepted anyway. By default, such a route is now installed in the routing table with a priority of low. This behavior prevents traffic black holes, that is, silently discarded traffic, by ensuring consistent routing. However, you can use the reject policy option to reject routes based on the prefix or the configured tag.
Example: Configuring a Routing Policy to Prioritize IS-IS Routes
Are import policies allowed? Why is that? Besides the use case of prioritizing the routes is there any other use case? For now, I see the import policy similar to OSPF import on externals with the difference that it filters not only externals but the internals and external ISIS routes.
Many Thanks!
Alin
------------------------------
Alin Bandiu
------------------------------
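
The situation described in the post, modelled as an added example (not from the original post or from Juniper): every router runs SPF over the same LSDB, a local import filter only removes the route from one router's table, and a hop-by-hop trace shows where the packet is discarded. The R2-R7 metric, the function names and the filter model are assumptions; this does not reproduce Junos internals.

```python
import heapq

# Constructed LSDB from the post's topology R3---R2---R7 (R2-R7 metric assumed).
LINKS = {("R3", "R2"): 10, ("R2", "R7"): 10}
PREFIXES = {"172.26.1.3/32": "R3", "172.26.1.2/32": "R2", "172.26.1.7/32": "R7"}

def neighbors(node):
    for (a, b), metric in LINKS.items():
        if a == node:
            yield b, metric
        elif b == node:
            yield a, metric

def spf_next_hops(root):
    """Dijkstra over the shared LSDB; returns {router: first hop from root}."""
    dist, first_hop = {root: 0}, {}
    heap = [(0, root, None)]
    while heap:
        d, node, hop = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, metric in neighbors(node):
            nd = d + metric
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hop[nbr] = hop or nbr
                heapq.heappush(heap, (nd, nbr, hop or nbr))
    return first_hop

def build_rib(router, import_reject=()):
    """Routes installed on `router`: SPF results minus locally rejected prefixes."""
    hops = spf_next_hops(router)
    return {p: hops[o] for p, o in PREFIXES.items()
            if o != router and p not in import_reject}

def trace(src, prefix, ribs):
    """Follow next hops from src; returns (path, outcome)."""
    path, node = [src], src
    while PREFIXES[prefix] != node:
        nxt = ribs[node].get(prefix)
        if nxt is None:
            return path, "dropped at " + node  # no route: silent discard
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        node = nxt
    return path, "delivered"

# Hypothetical model of the lab: only R2 carries the reject filter.
FILTERS = {"R2": {"172.26.1.3/32"}}
RIBS = {r: build_rib(r, FILTERS.get(r, ())) for r in ("R3", "R2", "R7")}
```

Calling `trace("R7", "172.26.1.3/32", RIBS)` shows R7 still forwarding to R2, where the filtered table has no entry for the prefix.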