Routing
Showing results for 
Search instead for 
Do you mean 
Reply
New User
Posts: 3
Registered: ‎04-03-2017
0 Kudos
Accepted Solution

Filtering routes from IS-IS

Is there a JunOS equivalent to Cisco's "no isis advertise prefix" or "advertise-passive-only"?

 

Thank you.

Contributor
Posts: 10
Registered: ‎05-12-2012
0 Kudos

Re: Filtering routes from IS-IS

Hi, 

 

Yes you can use policy to filter routes that are advised by ISIS: 

 

Here we can see the downstream device is receiving the loopback (10.0.255.7/32) from the upstream node via ISIS:

 

lab@srx-vpn> show route protocol isis    

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[IS-IS/165] 2w0d 04:29:05, metric 30
                    > to 137.221.196.5 via ge-0/0/0.0
10.0.255.7/32      *[IS-IS/18] 2w0d 04:29:05, metric 20
                    > to 137.221.196.5 via ge-0/0/0.0
137.221.196.0/30   *[IS-IS/18] 2w0d 04:29:15, metric 20
                    > to 137.221.196.5 via ge-0/0/0.0

Now let's create a policy to filter the prefix from being advertised in the ISIS process:

 

[edit]
lab@mx104-edge# show policy-options policy-statement isis-filter    
from {
    protocol direct;
    route-filter 10.0.255.7/32 exact;
}
then reject;

Apply the policy as an export policy under protocols isis:

 

lab@mx104-edge# show protocols isis 
export [ DEFAULT-TO-ISIS isis-filter ];
level 1 disable;
interface ge-0/0/1.0 {
    point-to-point;
}
interface lo0.0 {
    passive;
}

Now we can see the prefix 10.0.255.7/32 is filtered and no longer present on the downstream device whilst other ISIS routes are still present: 

 

lab@srx-vpn> show route protocol isis    

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[IS-IS/165] 2w0d 04:29:06, metric 30
                    > to 137.221.196.5 via ge-0/0/0.0
137.221.196.0/30   *[IS-IS/18] 2w0d 04:29:16, metric 20
                    > to 137.221.196.5 via ge-0/0/0.0

You can also filter at ingress.

 

I hope this helps Smiley Happy 

 

New User
Posts: 3
Registered: ‎04-03-2017
0 Kudos

Re: Filtering routes from IS-IS

It makes sense, but I don't understand what "DEFAULT-TO-ISIS" is, or what it is supposed to mean.

Highlighted
Contributor
Posts: 10
Registered: ‎05-12-2012
0 Kudos

Re: Filtering routes from IS-IS

"DEFAULT-TO-ISIS" is simply another policy that I'm using to inject a default route into ISIS. For reference here is the policy:

 

[edit]
lab@mx104-edge# show policy-options policy-statement DEFAULT-TO-ISIS 
term 1 {
    from {
        protocol aggregate;
        route-filter 0.0.0.0/0 exact;
    }
    then accept;
}

We can see the default route is present on the downstream device:

 

lab@srx-vpn> show route protocol isis 

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[IS-IS/165] 2w0d 21:22:28, metric 30
                    > to 137.221.196.5 via ge-0/0/0.0
137.221.196.0/30   *[IS-IS/18] 2w0d 21:22:38, metric 20
                    > to 137.221.196.5 via ge-0/0/0.0

Let's now remove the policy leaving only the isis-filter policy we created previously:

 

[edit]
lab@mx104-edge# show protocols isis 
export isis-filter;
level 1 disable;
interface ge-0/0/1.0 {
    point-to-point;
}
interface lo0.0 {
    passive;
}

Checking on the downstream device we can now only see a single prefix is received:

 

lab@srx-vpn> show route protocol isis    

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

137.221.196.0/30   *[IS-IS/18] 2w0d 21:24:57, metric 20
                    > to 137.221.196.5 via ge-0/0/0.0

I hope this is now clear Smiley Happy 

New User
Posts: 3
Registered: ‎04-03-2017
0 Kudos

Re: Filtering routes from IS-IS

It is all clear now.  Thank you.

Contributor
Posts: 10
Registered: ‎05-12-2012
0 Kudos

Re: Filtering routes from IS-IS

No problem Smiley Happy