IS-IS protocol in FW CP.

Matlu

Hello, Mates.

I have a problem with a FW CP which is working in bridge mode with 2 of its interfaces. I currently have 2 Routers.

R1 - - -- - R2

These 2 Routers are working with IS-IS and BGP. The problem is that when you put the FW in the middle, something like this:

R1 - - - - FW CP L2 - - -- - R2

IS-IS and BGP adjacency is dropping as well. I have a free policy to avoid drops, but still the session of these protocols is not up, and everything indicates that it is the CP, because the only thing I can do is a Rollback to get it working again.

Is there any way to confirm if the CP is voting IS IS sessions? I have used TCPdump, FW Ctl Zdebug, but I can't see anything relevant. Is it possible to filter the IS-IS or related traffic in some traffic capture?

Maybe concentrating on the interfaces which are part of the flow like Eth1-1 and Eth1-2?

Thanks for your comments.

the_rock

Hm, thats a bit tricky, since IS-IS does not use specific port number/protocol, so might be little tough to do any captures to discover if fw is dropping it. If you check the logs when you are testing it, do you see anything at all?

Andy

Matlu

Buddy.

Unfortunately I have not been able to capture something ‘important’ at the moment when the CP is in the middle, for the same reason that the commands did not show me relevant data.

For example, the zdebug did not show me anything, the tcpdump did not show me anything either, something quite strange.

Now the SmartConsole logs do show me traffic but it is multicast traffic, and I don't understand that.

R1 has IP x.x.160.161 and R2 x.x.160.162

And the only thing you see in the logs is traffic from these IPs at that time of testing but the destination shows MULTICAST traffic and nothing relevant to IS-IS between both IPs.

I asked ChatGPT and he sent me to capture traffic in tcpdump for a layer 2 protocol that is '0x83'

I will have to try it.

the_rock

Hm, that is indeed odd. Let me do some tests tomorrow in my lab as well.

Andy

the_rock

See if you can run some of below commands in clish?

Andy

R82> show isis
database - Show the contents of the IS-IS link-state database
errors - Show IS-IS errors
export-routemap - Show all routemaps for IS-IS export policy
hostnames - Show the IS-IS dynamic hostname list
interface - Show an IS-IS interface
interfaces - Show all IS-IS interfaces
ipv6 - Show IS-IS IPv6 multi-topology information
neighbor - Show an IS-IS neighbor
neighbors - Show all IS-IS neighbors
packets - Show IS-IS packets sent / received
summary - Show a brief summary of IS-IS running state
topology - Show IS-IS paths to other intermediate systems

PhoneBoy

Unless you've enabled and configured IS-IS routing on the gateway, I doubt we're doing anything.

Matlu

We are only supposed to be working the CP as L2.
It has only 2 interfaces in bridge mode, 1 of them goes to R1 and the other to R2.
So, it does not make sense that when we put the device it is downloading the IS-IS session if it is acting as a L2.
It does not make sense to me.

the_rock

Hey bro,

So, if thats the case, fw itself would not be doing any IS-IS traffic, it would be more of a "pass-through", for the lack of better term. Just run those commands I sent before from clish and send them over.

Andy

Are you a member of CheckMates?

IS-IS protocol in FW CP.