ISIS Accept Policy External


  • The ISIS metric type of external can be used instead of internal type
    • Prefix cost (external metric) with lowest cost will be preferred and if prefix cost is the same, the routes are considered ECMP routes
  •  A route-map can be used to specify metric type of none, internal or external; for example, a route-map can be used to selectively set specific routes as external
  • When deciding which routes to add to the route table, a SPB router
    • Internal type routes
      • Always preferred over External type routes
      • Will always prefer the routes with the shortest path internal metric to the BEB node advertising them
      • Will only use the route external cost (prefix-cost) as a tie breaker
      • For route to go into ECMP, both the internal and external metric must be the same
    • External type routes
      • Will only consider the external route metric (prefix-cost)
      • For route to go into ECMP, only the external metric must be the same
  • External metrics is supported as of release 5.0 for the VSP 4000, VSP 8000, and VSP 7200
    • Only IPv4 routes are supported in this release


ISIS Accept Policy

Beginning in software release 4.1 for the VSP 4000/8000, 4.2.1 for the VSP 7200, and release 4.0 for the VSP 9000, IS-IS accept policies for IPv4 is introduced. Prior to this release, the ISIS IPv4 routes received over the SPB cloud are installed directly into the routing table. There is no ability to filter those routes and apply incoming route policies to them. Hence, networks that are being migrated from other routing protocols to ISIS/SPB are vulnerable to routing loops. ISIS accept policy functionality provides a way to avoid such loops.

You can create an IS-IS accept policy for the Global Routing Table (GRT) or a Virtual Routing and Forwarding (VRF) instance. You can create an IS-IS accept policy on a switch that operates at a global default level or for a specific advertising BEB. You can also use the filter mechanism for ISIS accept policies to redistribute routes between different VRFs, or between a VRF and the GRT.

ISIS policies can also use either a service instance identifier (ISID) or an ISID list to filter incoming traffic. For inter-VRF route redistribution, an ISID value of 0 represents the GRT. For inter-VRF route redistribution between VRFs, the ISID is the source VRF (or remote VRF).

You can filter traffic with ISIS accept policies by:

  •  advertising BEB (nick-name)
  •  ISID or ISID list (ISID take precedence over an ISID list)
  •  route-map

You can use IS-IS accept policies to apply at a global default level for all advertising Backbone Edge Bridges (BEBs) or for a specific advertising BEB.

IS-IS accept policies also allow you to use either a service instance identifier (ISID) or an ISID list to filter routes. The switch uses ISIDs to define Virtual Services Networks (VSNs). ISIDs identify and transmit virtualized traffic in an encapsulated SPBM frame. IS-IS accept policies can use ISIDs or ISID lists to filter the incoming virtualized traffic.

IS-IS accept policies can also apply route policies to determine what incoming traffic to accept into the routing table. With route policies the device can determine which routes to accept into the routing table based on the criteria you configure, which can give precedence to advertised routes from a particular protocol, route-source, route-type, or through other criteria.


Note: The ERS 8800 does not support ISIS accept policies.

o There is no way to prevent one border router from accepting ISIS routes from the other border router

o The solution is to make OSPF preferred over ISIS by assigning ISIS a higher route preference over OSPF

We can now use OSPF accept policies to prevent one border router from accepting OSPF external routes from another



VOSS ISIS-OSPF Lab 5 (Route Preference)

In some situations a router may advertise routes into ISIS from OSPF and overwrite routes which are in OSPF. One option is to increase the IP route preference of ISIS from default value 7 to 130 which is higher than OSPF routes making OSPF more favourable.

ip route preference protocol spbm-level1 130

Alternatively, if the platform allows, use ISIS accept policy to control what is learnt. Increasing the ip route preference is required with ERS 8000 as it does not support ISIS accept policies. It can also be useful to change the route preference during migrations and set back to default when required.

Also, when using IP shortcuts and redistribution of ISIS and OSPF it is recommended to disable ip alternative-routes.

no ip alternative-route



It is sometimes necessary to suppress the IST subnet when redistributing direct into ISIS on the cluster routers.

ip prefix-list “ist” id 1 ge 30 le 30

route-map “suppress-ist” 1
no permit
match network “ist”
route-map “suppress-ist” 2

router isis
redistribute direct
redistribute direct route-map “suppress-ist”
redistribute direct enable

isis apply redistribute direct

VOSS ISIS-OSPF Lab 3 (Announce Nets)

It is sometimes necessary to control which routes are advertised from OSPF into ISIS. This can be achieved by using a route-map when redistributing OSPF into ISIS.

ip prefix-list “access-nets” id 2 ge 0 le 32
ip prefix-list “access-nets” id 2 ge 24 le 24
ip prefix-list “access-nets” id 2 ge 24 le 24

route-map “announce-access-nets” 1
match network “access-nets”
set injectlist “access-nets”
set metric-type type2

router isis
redistribute ospf
redistribute ospf route-map “announce-access-nets”
redistribute ospf enable

isis apply redistribute ospf

VOSS ISIS-OSPF Lab 2 (Reject Policy)

It is possible for the cluster routers to advertise an ISIS route into OSPF and overwrite the ISIS learnt routes on the peer router. To avoid this from occurring use a route map to reject routes from the peer OSPF router-ID.

R1 and R2:

route-map “reject” 1
no permit


router ospf
accept adv-rtr enable route-map “reject”

ip ospf apply accept adv-rtr


router ospf
accept adv-rtr enable route-map “reject”

ip ospf apply accept adv-rtr



Ever wondered why certain routes do not appear in the OSPF LSDB? The GRT shows routes but you do not see them when check the LSDB. In the example topology below R1 and R2 have learnt OSPF_INTRA (preference 20) and OSPF_E2 (preference 125) routes from R3. Checking the OSPF LSDB we see the ASExternal routes but not the OSPF_INTRA routes.


R3 has several loopback / CLIP addresses to simulate external networks. CLIP 2 and CLIP 4 have IP OSPF Enabled and CLIP 3 does not have IP OSPF Enabled. OSPF redistributes direct into OSPF.

This means we have some OSPF_INTRA routes and OSPF_E2 routes advertised by R3.

On R1 or R2 type show ip ospf lsdb adv-rtr detail to see Router Link LSAs and ASExternal LSAs.






SPB-PIM Gateway

Multicast over Fabric Connect cannot connect to a PIM router that is external to the SPB network.

When a receiver joins the SPB network for a specific group, the receiver must receive multicast streams in the neighboring multicast domains (PIM network). Similarly, a receiver in the neighboring multicast domain (PIM network) must receive multicast streams from sources in the SPB network. SPB-PIM Gateway (SPB-PIM GW) provides multicast inter-domain communication between an SPB network and a PIM network. SPB-PIM GW accomplishes this inter-domain communication across a special gateway VLAN. The gateway VLAN communicates with the PIM network through a subset of the full protocol messaging required for RFC 4601 compliance of a PIM interface, and translates the PIM network requirements into SPB language and vice versa.


Fabric Connect Videos (by Ed Koehler)

Video 1 – Setting up a Fabric Connect Service Node

Video 2 – Lab 2-Basic Fabric Connect show commands

 Video 3 – Lab3-An IS-IS Link State Database Tour

Video 4 – Lab4-Setting up L2 Virtual Service Networks

 Video 5 – Lab5-Setting up L3 Virtual Service Networks

 Video 6 – Lab6-Connectivity Fault Management

Stealth Networking