Friday, February 28, 2025

ISIS on Huawei routers

ISIS is a link-state IGP. It gathers routing information from adjacent neighbors and uses the SPF algorithm to determine the best paths to destinations.

I wouldn’t like to focus on the theory because you can find it in many sources.

Let’s configure the ISIS protocol based on the following topology:

Configure the IP addresses of the physical and loopback interfaces on all routers (omitted here):

<1> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet0/0/8                     10.0.0.1/30          up         up        
LoopBack0                         1.1.1.1/32           up         up(s)      

<2> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet2/0/0                     10.0.0.2/30          up         up           
GigabitEthernet0/0/0              20.0.0.1/30          up         up        
GigabitEthernet0/0/1              10.0.2.2/30          up         up        
LoopBack0                         2.2.2.2/32           up         up(s)     

<3> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.0.2.1/30          up         up        
GigabitEthernet0/0/1              30.0.0.1/30          up         up          
LoopBack0                         3.3.3.3/32           up         up(s)      

<4> dis ip interface br

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet4/0/0                     40.0.0.1/30          up         up            
GigabitEthernet0/0/0              20.0.0.2/30          up         up        
GigabitEthernet0/0/1              30.0.0.2/30          up         up           
LoopBack0                         4.4.4.4/32           up         up(s)        

<5> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet0/0/8                     40.0.0.2/30          up         up        
LoopBack0                         5.5.5.5/32           up         up(s)

Configure ISIS globally and enable it on the loopback and physical interfaces (router 2 as an example):

[2]isis
[2-isis-1]network-entity 10.0020.0200.2002.00

[2]interface LoopBack 0
[2-LoopBack0]isis enable
[2]interface Ethernet2/0/0
[2-Ethernet2/0/0]isis enable
[2]interface GigabitEthernet0/0/0
[2-GigabitEthernet0/0/0]isis enable 
[2]interface GigabitEthernet0/0/1
[2-GigabitEthernet0/0/1]isis enable

It should be noted at this point that routers 1, 2 and 3 are in area 10 and routers 4 and 5 in area 20. Additionally, remember the hierarchical structure of ISIS. In our case router 1 works as level-1, routers 2 and 3 work as level-1-2 (the default) and routers 4 and 5 as level-2. Level-1 is the equivalent of a stub area in OSPF: Level-1 routers have only a default route to destinations outside their area.

[1]isis
[1-isis-1]is-level level-1

[2]isis
[2-isis-1]is-level level-1-2

[3]isis
[3-isis-1]is-level level-1-2

[4]isis
[4-isis-1]is-level level-2

[5]isis
[5-isis-1]is-level level-2

Let’s verify this configuration:

[1]display isis lsdb 

                        Database information for ISIS(1)
                        --------------------------------

                          Level-1 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0010.0100.1001.00-00* 0x0000000d   0x936         667           84      0/0/0   
0020.0200.2002.00-00  0x00000013   0x5d55        705           127     1/0/0   
0020.0200.2002.02-00  0x00000009   0xb1e5        705           55      0/0/0   
0020.0200.2002.03-00  0x00000009   0xd901        705           55      0/0/0   
0030.0300.3003.00-00  0x00000010   0x699b        596           100     1/0/0

The LSPID 0020.0200.2002.02-00 is decoded as follows:

  • 0020.0200.2002 - source ID
  • 02 - pseudonode ID
  • 00 - LSP number

ISIS Level-1 router:

  • has the link state information of the local area
  • finds the nearest level 1-2 router based on ATT bit of the LSP
  • generates a default route through the nearest level-1-2 router to reach destinations outside this area.

[2]display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                          Level-1 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0010.0100.1001.00-00  0x0000000e   0x737         1030          84      0/0/0   
0020.0200.2002.00-00* 0x00000014   0x5b56        1087          127     1/0/0   
0020.0200.2002.02-00* 0x0000000a   0xafe6        1087          55      0/0/0   
0020.0200.2002.03-00* 0x0000000a   0xd702        1087          55      0/0/0   
0030.0300.3003.00-00  0x00000011   0x679c        931           100     1/0/0   

                          Level-2 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0020.0200.2002.00-00* 0x00000016   0xdb0         1087          163     0/0/0   
0020.0200.2002.01-00* 0x0000000a   0x1f56        1086          55      0/0/0   
0020.0200.2002.02-00* 0x0000000a   0xafe6        1086          55      0/0/0   
0030.0300.3003.00-00  0x00000014   0x6801        930           159     0/0/0   
0030.0300.3003.02-00  0x0000000a   0xa48b        930           55      0/0/0   
0040.0400.4004.00-00  0x00000010   0x5165        434           138     0/0/0   
0040.0400.4004.03-00  0x00000009   0x9435        434           55      0/0/0   
0050.0500.5005.00-00  0x0000000d   0xaa58        985           84      0/0/0

ISIS Level-1-2 router:

  • forms adjacency with both level-1-2 and level-2 routers
  • contains both level-1 and level-2 LSDBs
  • sets ATT bit in the level-1 LSP originated by itself
  • contains routing information of the whole network.

[4]display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                          Level-2 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0020.0200.2002.00-00  0x00000016   0xdb0         1034          163     0/0/0   
0020.0200.2002.01-00  0x0000000a   0x1f56        1034          55      0/0/0   
0020.0200.2002.02-00  0x0000000a   0xafe6        1034          55      0/0/0   
0030.0300.3003.00-00  0x00000014   0x6801        880           159     0/0/0   
0030.0300.3003.02-00  0x0000000a   0xa48b        880           55      0/0/0   
0040.0400.4004.00-00* 0x00000010   0x5165        385           138     0/0/0   
0040.0400.4004.03-00* 0x00000009   0x9435        385           55      0/0/0   
0050.0500.5005.00-00  0x0000000d   0xaa58        936           84      0/0/0

ISIS Level-2 router:

  • forms adjacency with both level-2 and level-1-2 routers
  • gathers LSPs of all routers in backbone area
  • contains all routing information of the whole routing domain.
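The NET and LSPID decoding above, and the level rules in the three lists, can be checked with a short script. This is an added example, not code from the post; router 2's NET is from the post, while the other NETs (system IDs from the LSDB output plus the stated areas) and the link list (read off the interface tables) are reconstructions and should be treated as assumptions.

```python
"""ISIS NET / LSPID decoding and adjacency prediction for the lab above.

Added example, not code from the post. Router 2's NET is from the post; the
other NETs are assembled from the system IDs in the LSDB output and the
stated areas (10 for routers 1-3, 20 for routers 4-5), and the links are
read off the interface tables, so treat them as reconstructed.
"""
import re

HEX = r"[0-9a-fA-F]"
LEVELS = {"level-1": {1}, "level-2": {2}, "level-1-2": {1, 2}}
ROUTERS = {
    "1": {"net": "10.0010.0100.1001.00", "level": "level-1"},
    "2": {"net": "10.0020.0200.2002.00", "level": "level-1-2"},
    "3": {"net": "10.0030.0300.3003.00", "level": "level-1-2"},
    "4": {"net": "20.0040.0400.4004.00", "level": "level-2"},
    "5": {"net": "20.0050.0500.5005.00", "level": "level-2"},
}
LINKS = [("1", "2"), ("2", "3"), ("2", "4"), ("3", "4"), ("4", "5")]


def parse_net(net: str) -> dict:
    """Split a NET such as 10.0020.0200.2002.00 into area, system ID and NSEL.

    Counted from the end: 1 byte NSEL, 6 bytes system ID, the remaining
    1 to 13 bytes are the area address. The dots are only display grouping.
    """
    digits = net.replace(".", "")
    if not re.fullmatch(f"{HEX}+", digits) or len(digits) % 2 or not 16 <= len(digits) <= 40:
        raise ValueError(f"malformed NET: {net}")
    nsel, sysid, area = digits[-2:], digits[-14:-2], digits[:-14]
    if nsel != "00":
        raise ValueError(f"a router NET must end with NSEL 00: {net}")
    return {"area": area, "system_id": ".".join(sysid[i:i + 4] for i in range(0, 12, 4)), "nsel": nsel}


def parse_lspid(lspid: str) -> dict:
    """Decode an LSPID as printed by 'display isis lsdb', e.g. 0020.0200.2002.02-00."""
    m = re.fullmatch(f"({HEX}{{4}}\\.{HEX}{{4}}\\.{HEX}{{4}})\\.({HEX}{{2}})-({HEX}{{2}})", lspid)
    if not m:
        raise ValueError(f"malformed LSPID: {lspid}")
    source, pseudonode, number = m.groups()
    # A non-zero pseudonode ID marks a LAN pseudonode LSP, generated by the DIS.
    return {"source_id": source, "pseudonode_id": pseudonode, "lsp_number": number,
            "is_pseudonode": pseudonode != "00"}


def adjacency_levels(a: str, b: str, routers=ROUTERS) -> set:
    """Levels at which two directly connected routers can form an adjacency.

    Level-1 needs both sides to run level-1 and to share an area address;
    level-2 only needs both sides to run level-2 (areas may differ).
    """
    common = LEVELS[routers[a]["level"]] & LEVELS[routers[b]["level"]]
    same_area = parse_net(routers[a]["net"])["area"] == parse_net(routers[b]["net"])["area"]
    return {lvl for lvl in common if lvl == 2 or same_area}


def att_bit(router: str, routers=ROUTERS, links=LINKS) -> int:
    """ATT bit in the router's own level-1 LSP, using the usual rule: a
    level-1-2 router sets it once it has a level-2 adjacency into another area.
    Level-1 routers point their default route at the nearest router with ATT=1."""
    if routers[router]["level"] != "level-1-2":
        return 0
    my_area = parse_net(routers[router]["net"])["area"]
    for x, y in links:
        if router in (x, y):
            peer = y if x == router else x
            if 2 in adjacency_levels(router, peer, routers) and parse_net(routers[peer]["net"])["area"] != my_area:
                return 1
    return 0


if __name__ == "__main__":
    for a, b in LINKS:
        print(f"R{a}-R{b}: adjacency at level {sorted(adjacency_levels(a, b))}")
    for r in ROUTERS:
        print(f"R{r}: ATT={att_bit(r)}")
```

The output reproduces what the LSDBs above show: routers 2 and 3 carry ATT=1, router 1 forms only a level-1 adjacency, and the links to area 20 are level-2 only.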

Let’s look at ISIS routing tables:

[1]dis isis route 

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
0.0.0.0/0            10         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
10.0.0.0/30          10         NULL    Eth0/0/8        Direct          D/-/L/-
20.0.0.0/30          20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
30.0.0.0/30          30         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
3.3.3.3/32           20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
2.2.2.2/32           10         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
10.0.2.0/30          20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
1.1.1.1/32           0          NULL    Loop0           Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

A default route must exist in the Level-1 routing table, with a Level-1-2 router as its next hop.

[2]dis isis route 

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
0.0.0.0/0            10         NULL   
10.0.0.0/30          10         NULL    Eth2/0/0        Direct          D/-/L/-
20.0.0.0/30          10         NULL    GE0/0/0         Direct          D/-/L/-
30.0.0.0/30          20         NULL    GE0/0/1         10.0.2.1        A/-/L/-
3.3.3.3/32           10         NULL    GE0/0/1         10.0.2.1        A/-/L/-
2.2.2.2/32           0          NULL    Loop0           Direct          D/-/L/-
10.0.2.0/30          10         NULL    GE0/0/1         Direct          D/-/L/-
1.1.1.1/32           10         NULL    Eth2/0/0        10.0.0.1        A/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.0.0.0/30          10         NULL    Eth2/0/0        Direct          D/-/L/-
20.0.0.0/30          10         NULL    GE0/0/0         Direct          D/-/L/-
30.0.0.0/30          20         NULL   
40.0.0.0/30          20         NULL    GE0/0/0         20.0.0.2        A/-/-/-
3.3.3.3/32           10         NULL   
2.2.2.2/32           0          NULL    Loop0           Direct          D/-/L/-
10.0.2.0/30          10         NULL    GE0/0/1         Direct          D/-/L/-
5.5.5.5/32           20         NULL    GE0/0/0         20.0.0.2        A/-/-/-
1.1.1.1/32           30         NULL   
4.4.4.4/32           10         NULL    GE0/0/0         20.0.0.2        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

Level-1-2 routers contain both level-1 and level-2 routing tables.

[5]dis isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.0.0.0/30          30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
20.0.0.0/30          20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
30.0.0.0/30          20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
40.0.0.0/30          10         NULL    Eth0/0/8        Direct          D/-/L/-
3.3.3.3/32           20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
2.2.2.2/32           20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
10.0.2.0/30          30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
5.5.5.5/32           0          NULL    Loop0           Direct          D/-/L/-
1.1.1.1/32           30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
4.4.4.4/32           10         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

A Level-2 router must have all Level-1 and Level-2 routes. We can see this better in the IP routing tables:

[1]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   ISIS-L1 15   10          D   10.0.0.2        Ethernet0/0/8
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.2/32  ISIS-L1 15   10          D   10.0.0.2        Ethernet0/0/8
        3.3.3.3/32  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       10.0.0.0/30  Direct  0    0           D   10.0.0.1        Ethernet0/0/8
       10.0.0.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.2.0/30  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       20.0.0.0/30  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       30.0.0.0/30  ISIS-L1 15   30          D   10.0.0.2        Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[2]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 20       Routes : 20       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L1 15   10          D   10.0.0.1        Ethernet2/0/0
        2.2.2.2/32  Direct  0    0           D   127.0.0.1       LoopBack0
        3.3.3.3/32  ISIS-L1 15   10          D   10.0.2.1        GigabitEthernet0/0/1
        4.4.4.4/32  ISIS-L2 15   10          D   20.0.0.2        GigabitEthernet0/0/0
        5.5.5.5/32  ISIS-L2 15   20          D   20.0.0.2        GigabitEthernet0/0/0
       10.0.0.0/30  Direct  0    0           D   10.0.0.2        Ethernet2/0/0
       10.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet2/0/0
       10.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet2/0/0
       10.0.2.0/30  Direct  0    0           D   10.0.2.2        GigabitEthernet0/0/1
       10.0.2.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       10.0.2.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       20.0.0.0/30  Direct  0    0           D   20.0.0.1        GigabitEthernet0/0/0
       20.0.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       20.0.0.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       30.0.0.0/30  ISIS-L1 15   20          D   10.0.2.1        GigabitEthernet0/0/1
       40.0.0.0/30  ISIS-L2 15   20          D   20.0.0.2        GigabitEthernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[5]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        3.3.3.3/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.0.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       10.0.2.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       30.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

The ISIS cost of every interface is 10 by default. It can be changed with the isis cost command.

Some other useful maintenance commands:

[1]dis isis peer verbose

                          Peer information for ISIS(1)

  System Id     Interface          Circuit Id       State HoldTime Type     PRI (priority for DIS election)
-------------------------------------------------------------------------------
0020.0200.2002  Eth0/0/8           0020.0200.2002.03 Up   9s       L1       64

  MT IDs supported     : 0(UP) 
  Local MT IDs         : 0 
  Area Address(es)     : 10 
  Peer IP Address(es)  : 10.0.0.2        
  Uptime               : 03:04:27
  Adj Protocol         : IPV4 
  Restart Capable      : YES
  Suppressed Adj       : NO
  Peer System Id       : 0020.0200.2002  

Total Peer(s): 1

[1]display isis interface verbose 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS 
 Eth0/0/8        001         Up                 Down         1497 L1/L2 No/No 
  Circuit MT State            : Standard 
  Description                 : HUAWEI, AR Series, Ethernet0/0/8 Interface
  SNPA Address                : 00e0-fc03-2b68
  IP Address                  : 10.0.0.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L1    10  L2    10
  Hello Timer Value           :  L1    10  L2    10
  DIS Hello Timer Value       :  L1     3  L2     3
  Hello Multiplier Value      :  L1     3  L2     3
  LSP-Throttle Timer          :  L12    50
  Cost                        :  L1    10  L2    10
  Ipv6 Cost                   :  L1    10  L2    10
  Priority                    :  L1    64  L2    64
  Retransmit Timer Value      :  L12    5
  Bandwidth-Value             :  Low  100000000  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO

 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
  Circuit MT State            : Standard 
  Circuit Parameters          : passive 
  Description                 : HUAWEI, AR Series, LoopBack0 Interface
  SNPA Address                : 0000-0000-0000
  IP Address                  : 1.1.1.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L12   10
  Hello Timer Value           :        10
  DIS Hello Timer Value       :
  Hello Multiplier Value      :         3
  Cost                        :  L1     0  L2     0
  Ipv6 Cost                   :  L1     0  L2     0
  Retransmit Timer Value      :  L12    5
  LSP-Throttle Timer          :  L12   50
  Bandwidth-Value             :  Low          0  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO

[1]dis isis error 

                    Statistics of error packets for ISIS(1)
                    ---------------------------------------
LSP packet errors:
Longer LSP              : 0           Smaller LSP             : 0           
Mismatched Level        : 0           Invalid Sysid           : 0           
Zero Sequence Number    : 0           Illegal IS Type         : 0           
Zero Checksum           : 0           Incorrect Checksum      : 0           
Bad Authentication      : 0           Bad Auth Count          : 0           
More Protocol TLV       : 0           Bad Nbr TLV             : 0           
Bad Extended IS TLV     : 0           Bad IF Addr TLV         : 0           
Bad Reach TLV           : 0           Bad Inter Domain TLV    : 0           
Mismatched Area Id(L1)  : 0           Bad TLV Length          : 0          
Bad Alias TLV           : 0           Bad Area TLV            : 0           
Bad SRLG TLV            : 0           Unknown Adjacency       : 0           
Bad Protocol ID         : 0           Bad Version             : 0           
Zero Lifetime           : 0           Bad Ext Reach TLV       : 0           
Bad TE Router ID TLV    : 0           Bad TE Sub TLV          : 0           

Hello packet errors:
Bad Packet Length       : 0           Reserved CircType       : 0           
Repeated System ID      : 0           Bad Circuit Type        : 0           
Longer packet           : 0           More Area Addr          : 0           
Longer Area Addr        : 0           Bad Area Addr TLV       : 0           
More IF Addr            : 0           Bad Formatted IF TLV    : 0           
More Nbr SNPA(LAN)      : 0           Invalid Sysid           : 0           
Bad TLV Length          : 0           Zero HoldingTime        : 0           
Unusable IP Addr        : 0           Repeated IPv4 Addr      : 0           
Mismatched Area Addr(L1): 0           Mismatched Proto        : 0           
SNPA Conflicted(LAN)    : 0           Mismatched Level        : 0           
Mismatched Max Area Addr: 0           Bad Authentication      : 0           
More Auth TLV           : 0           3-Way Option Error(P2P) : 0           
No Area Addr TLV        : 0           Bad Protocol ID         : 0           
Bad Version             : 0           Invalid IPv6 Addr       : 0           
More IPv6 IF Addr       : 0           Duplicate IPv6 Addr     : 0           
More Optional Checksum  : 0           Bad Optional Checksum   : 0           
--------------------------------------------------------------------

<1> debugging isis adjacency 

May  7 2013 16:17:06.629.1-05:13 1 ISIS/6/ISIS:
 ISIS-1-ADJ: Use level-1 IIH enconde cache to send IIH, Eth0/0/8.(IS15_2679)

May  7 2013 16:17:06.629.2-05:13 1 ISIS/6/ISIS:
 ISIS-1-ADJ: Sending Lan L1 Hello on Eth0/0/8, to SNPA 0180.c200.0014.(IS15_6941)

May  7 2013 16:17:07.319.1-05:13 1 ISIS/6/ISIS:
 ISIS-1-IIH: Set L1 holdtime on Eth0/0/8 for NBR 0020.0200.2002 as 9(IS21_968)

In this post I focused only on basic ISIS configuration. This protocol is widely used among ISPs. I will spend more time in the future showing you more functions and ISIS configuration examples.


traffic mirroring – a riddle

I am busy now and the frequency of updating my blog is not what I would expect. Sorry for that. I hope it will be better soon.

But today I would like to ask you a simple riddle.

Let’s assume that we have an S9300 switch and a fragment of its configuration:

#
observe-port 1 interface Ethernet0/0/1
#
acl number 3000
rule 5 deny ip source 89.168.24.0 0.0.0.255
rule 10 deny ip source 91.10.10.0 0.0.0.255
rule 15 permit ip
#
traffic classifier riddle operator and
if-match acl 3000
#
traffic behavior riddle
mirroring to observe-port 1
statistic enable
#
traffic policy riddle
classifier riddle behavior riddle
#
interface Ethernet0/0/10
traffic-policy riddle inbound

Based on this configuration, what will happen with traffic classified by ACL 3000, and why?

Do not hesitate to send your answer in the comments. If you need to, you can run a simple test in Huawei eNSP.

Answer:

acl number 3000
rule 5 deny ip source 89.168.24.0 0.0.0.255 (will be dropped)
rule 10 deny ip source 91.10.10.0 0.0.0.255 (will be dropped)
rule 15 permit ip (will be mirrored to observe port)

What is the default action for traffic behavior?

The default action is to permit all.

What does it mean?

It means that the traffic behavior in our case will look like this:

traffic behavior riddle
mirroring to observe-port 1
permit (the default configuration is not displayed)

Remember that only traffic that is permitted by the ACL can be used for traffic mirroring!!!

Traffic matched by a deny rule will be dropped, because the default action of the traffic behavior is to permit all.

I got a few answers. Thanks for them. Unfortunately none of them was written in an exhaustive manner.
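The riddle's outcome can be modelled in a few lines: ACL wildcard matching, first-match evaluation in rule-ID order, and the traffic behavior with its implicit permit. This is an added example, not code from the post; the sample source addresses are constructed, and the handling of a packet that matches no rule at all (not classified, so forwarded untouched) is an assumption noted in the code.

```python
"""Model of the S9300 traffic-policy fragment from the riddle.

Added example, not from the post. It implements Huawei ACL wildcard matching
(0 bits must match, 1 bits are don't-care), first-match evaluation in rule-ID
order (match-order config), and the interaction the answer describes: a
packet denied by the ACL is dropped, a packet permitted by the ACL receives
the behavior's actions plus the implicit permit.
"""
import ipaddress

# ACL 3000 as configured on the switch: (rule id, action, source, wildcard);
# a source of None stands for "any", as in "rule 15 permit ip".
ACL_3000 = [
    (5, "deny", "89.168.24.0", "0.0.0.255"),
    (10, "deny", "91.10.10.0", "0.0.0.255"),
    (15, "permit", None, None),
]
BEHAVIOR_RIDDLE = ["mirroring to observe-port 1", "statistic enable"]


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """True if ip falls in network/wildcard using ACL wildcard semantics."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care


def acl_lookup(acl, src_ip: str):
    """Return (rule id, action) of the first matching rule, or (None, None)."""
    for rule_id, action, network, wildcard in sorted(acl, key=lambda r: r[0]):
        if network is None or wildcard_match(src_ip, network, wildcard):
            return rule_id, action
    return None, None


def apply_policy(src_ip: str, acl=ACL_3000, behavior=BEHAVIOR_RIDDLE) -> dict:
    """Fate of an inbound packet on Ethernet0/0/10 under traffic-policy riddle.

    Assumption: a packet matching no ACL rule is not classified, so the policy
    does not touch it and the packet is forwarded normally.
    """
    rule_id, action = acl_lookup(acl, src_ip)
    if action == "deny":
        return {"rule": rule_id, "fate": "dropped", "actions": []}
    if action == "permit":
        return {"rule": rule_id, "fate": "forwarded", "actions": behavior + ["permit (implicit)"]}
    return {"rule": None, "fate": "forwarded", "actions": []}


def mirrored(src_ip: str) -> bool:
    """Does traffic from this source end up on observe-port 1?"""
    return any(a.startswith("mirroring") for a in apply_policy(src_ip)["actions"])


if __name__ == "__main__":
    # Constructed sample sources: two inside the denied ranges, two outside.
    for ip in ("89.168.24.77", "91.10.10.1", "91.10.11.1", "8.8.8.8"):
        r = apply_policy(ip)
        print(f"{ip:15} rule {r['rule']}: {r['fate']} {r['actions']}")
```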


STP attack and Root Protection feature on Huawei switches

Spanning Tree Protocol is a loop prevention mechanism in a bridged LAN. Every STP topology has its own root bridge, which determines how the topology is calculated. The root bridge acts as a reference point in the network, so that every other switch can determine how far each of its ports is from the root bridge. The port with the lowest path cost to the root is placed into the forwarding state; all other ports that lead to the root bridge are blocked. Ports that lead away from the root bridge remain forwarding. You can recall STP operation by reading the article “Multiple Spanning Tree Protocol on Huawei switch“.

How does the root bridge election process work?

The root bridge for each STP instance is determined by the bridge ID. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge:

[Huawei]display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :32768.4c1f-ccd4-1c03

In this example the bridge ID is 32768.4c1f-ccd4-1c03, where:

  • 32768 is the bridge priority
  • 4c1f-ccd4-1c03 is the MAC address of the bridge.

The bridge with the lowest bridge ID is elected as the root bridge. If the bridge priorities are equal, or if the bridge priority is not configured, the bridge with the lowest MAC address is elected the root bridge.

How do you change the bridge priority on a Huawei switch?

[Huawei]stp priority ?
  INTEGER  Bridge priority, in steps of 4096

A predefined macro can also be used to change the bridge priority:

[Huawei]stp root ?
  primary    Primary root switch
  secondary  Secondary root switch

The same macro, when changing the bridge priority in a particular STP instance:

[Huawei]stp instance 1 root ?
  primary    Primary root switch
  secondary  Secondary root switch

The first option sets the priority to 0, the second to 4096. The default bridge priority is 32768.

Any switch can become the root bridge in a network, but the optimal forwarding topology places the root bridge at a specific, predetermined location. Let’s take the following example:

Aggregation switch AGG-SW1 was elected as the root bridge and AGG-SW2 as the secondary root bridge, to take over in case of AGG-SW1’s failure. The STP topology was built as expected: high-speed links are used to forward traffic between devices.

Even if the root bridge was configured with priority 0, any switch in this network with priority 0 and a lower MAC address can be elected as the new root bridge. Let’s imagine a situation where someone connects an additional switch, or just a software-based bridge application launched on a PC with dual NICs and a lower bridge ID, like below:

Our PC was elected as the new root bridge for this VLAN. The STP topology changed and now low-speed access links are used to forward traffic between the aggregation switches. If more data flows via the aggregation link in that VLAN than this link can accommodate, some frames are dropped. As a result, network performance can be affected.

To prevent this, STP Root Protection can be used on interfaces that should never receive superior BPDUs. These interfaces are usually located on an administrative boundary. In our case, the Root Protection feature should be enabled on the interfaces shown in the picture below:

To enable Root Protection on a Huawei switch, use the command:

[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]stp root-protection

Remember that root protection takes effect only on designated ports.
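The election rule (lowest priority, then lowest MAC) and the effect of root protection on a designated port can be reproduced in a few lines. This is an added example, not code from the post: the bridge ID 32768.4c1f-ccd4-1c03 is the one shown above, every other MAC, the switch names' priorities and the PC's bridge ID are constructed, and the "superior BPDU puts the port into discarding" behaviour is the standard root-protection rule stated as an assumption in the code.

```python
"""Bridge ID ordering, root election and a root-protection check.

Added example, not from the post. Bridge IDs use the priority.mac form that
'display stp' prints (32768.4c1f-ccd4-1c03); that value is from the post,
every other MAC and the PC bridge below are constructed.
"""
import re
from dataclasses import dataclass

PRIORITY_PRIMARY, PRIORITY_SECONDARY, PRIORITY_DEFAULT = 0, 4096, 32768
_MAC = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")


@dataclass(frozen=True, order=True)
class BridgeId:
    """Ordered as (priority, mac): lower priority wins, then lower MAC."""
    priority: int
    mac: str

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        prio_text, mac = text.split(".", 1)
        priority, mac = int(prio_text), mac.lower()
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError(f"priority must be a multiple of 4096 in 0..61440: {text}")
        if not _MAC.fullmatch(mac):
            raise ValueError(f"MAC must look like 4c1f-ccd4-1c03: {text}")
        return cls(priority, mac)


def elect_root(bridges: dict) -> str:
    """Name of the bridge with the lowest bridge ID (the STP root)."""
    return min(bridges, key=bridges.__getitem__)


def port_decision(local_root: BridgeId, bpdu_root: BridgeId, root_protection: bool) -> str:
    """What a designated port does with a received BPDU.

    Assumption: with root protection a superior BPDU (root ID lower than the
    current root) may not change the topology; the port goes to discarding.
    """
    if bpdu_root >= local_root:
        return "accept: BPDU is not superior"
    if root_protection:
        return "discarding: superior BPDU blocked by root protection"
    return "accept: superior BPDU, topology recalculates"


# Constructed lab: AGG-SW1 configured 'stp root primary', AGG-SW2 'stp root secondary'.
LAB = {
    "AGG-SW1": BridgeId.parse("0.4c1f-ccd4-1c03"),
    "AGG-SW2": BridgeId.parse("4096.4c1f-ccd4-1c10"),
    "ACC-SW1": BridgeId.parse("32768.4c1f-ccd4-1c20"),
    "ACC-SW2": BridgeId.parse("32768.4c1f-ccd4-1c21"),
}
ROGUE_PC = BridgeId.parse("0.0011-2233-4455")  # software bridge: priority 0, lower MAC


def rogue_takeover(lab=LAB, rogue=ROGUE_PC, root_protection=False) -> str:
    """Who is root once the rogue bridge's BPDUs arrive on an access port."""
    current_root = lab[elect_root(lab)]
    if port_decision(current_root, rogue, root_protection).startswith("discarding"):
        return elect_root(lab)
    return elect_root({**lab, "PC": rogue})


if __name__ == "__main__":
    print("root before:", elect_root(LAB))
    print("root after PC, no protection:", rogue_takeover())
    print("root after PC, root-protection:", rogue_takeover(root_protection=True))
```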


Huawei eNSP – news

We have waited for a new version of Huawei eNSP simulator since February 1st, 2013.

And we have finally got it.

A quite new and fresh version: V100R002C00B110.

New look … new devices … new connections …

The possibility to add interface cards graphically …

One button to open all command lines …

New features supported: NAT, firewall, IPSec, SSLVPN etc.

Just click on the first picture and download it.

Enjoy!


from Huawei CLI – lock and send

Today a few words about two simple but useful commands: lock and send.

LOCK – prevents unauthorized users from operating on the current terminal interface

SEND – enables the system to transfer messages between user interfaces

Let’s look at how they work on a Huawei S5700 switch.

LOCK
<labnario>lock
Enter Password:
Confirm Password:

 Info: The terminal is locked. 

Enter Password:

<labnario>

SEND
<labnario>send ?
  INTEGER  Specify a user terminal interface and configure it
  all            All user terminal interfaces
  console        Primary user terminal interface
  vty            The virtual user terminal interface

<labnario>send all

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Give me your "LIKE" on Facebook!!!
Warning: Send the message? [Y/N]:y


<labnario>
Info: Receive a message from con0: Give me your "LIKE" on Facebook!!!
<labnario>
