Implementing IS-IS

Integrated Intermediate System-to-Intermediate System (IS-IS), Internet Protocol Version 4 (IPv4), is a standards-based Interior Gateway Protocol (IGP). The Cisco software implements the IP routing capabilities described in International Organization for Standardization (ISO)/International Engineering Consortium (IEC) 10589 and RFC 1195, and adds the standard extensions for single topology and multitopology IS-IS for IP Version 6 (IPv6).

This module describes how to implement IS-IS (IPv4 and IPv6) on your Cisco IOS XR network.

Enable IS-IS and Configure Level 1 or Level 2 Routing

This task explains how to enable IS-IS and configure the routing level for an area.


Note

Configuring the routing level in Step 4 is optional, but is highly recommended to establish the proper level of adjacencies.



Note

Users can configure the no max-metric command only with levels 1 or 2, that is, no max-metric level {1|2} in order to view the result in the output of the show configuration command. Else, the maximum metric configuration is not displayed in the output. This behavior is observed before committing the configuration to the router.


Before you begin

Although you can configure IS-IS before you configure an IP address, no IS-IS routing occurs until at least one IP address is configured.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. net network-entity-title
  4. is-type { level-1 | level-1-2 | level-2-only }
  5. Use the commit or end command.
  6. show isis [ instance instance-id ] protocol

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing instance, and places the router in router configuration mode.

  • By default, all IS-IS instances are automatically Level 1 and Level 2. You can change the level of routing to be performed by a particular routing instance by using the is-type router configuration command.

Step 3

net network-entity-title

Example:


RP/0/RP0/CPU0:router(config-isis)# net 47.0004.004d.0001.0001.0c11.1110.00

Configures network entity titles (NETs) for the routing instance.

  • Specify a NET for each routing instance if you are configuring multi-instance IS-IS.

  • This example configures a router with area ID 47.0004.004d.0001 and system ID 0001.0c11.1110.00.

  • To specify more than one area address, specify additional NETs. Although the area address portion of the NET differs, the systemID portion of the NET must match exactly for all of the configured items.

Step 4

is-type { level-1 | level-1-2 | level-2-only }

Example:


RP/0/RP0/CPU0:router(config-isis)# is-type level-2-only

(Optional) Configures the system type (area or backbone router).

  • By default, every IS-IS instance acts as a level-1-2 router.

  • The level-1 keyword configures the software to perform Level 1 (intra-area) routing only. Only Level 1 adjacencies are established. The software learns about destinations inside its area only. Any packets containing destinations outside the area are sent to the nearest level-1-2 router in the area.

  • The level-2-only keyword configures the software to perform Level 2 (backbone) routing only, and the router establishes only Level 2 adjacencies, either with other Level 2-only routers or with level-1-2 routers.

  • The level-1-2 keyword configures the software to perform both Level 1 and Level 2 routing. Both Level 1 and Level 2 adjacencies are established. The router acts as a border router between the Level 2 backbone and its Level 1 area.

Step 5

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Step 6

show isis [ instance instance-id ] protocol

Example:


RP/0/RP0/CPU0:router# show isis protocol

(Optional) Displays summary information about the IS-IS instance.


Customize Routes for IS-IS

This task explains how to perform route functions that include injecting default routes into your IS-IS routing domain and redistributing routes learned in another IS-IS instance. This task is optional.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. set-overload-bit [ on-startup { delay | wait-for-bgp }] [ level { 1 | 2 }]
  4. address-family { ipv4 | ipv6 } [ unicast ]
  5. default-information originate [ route-policy route-policy-name ]
  6. redistribute isis instance [ level-1 | level-2 | level-1-2 ] [ metric metric ] [ metric-type { internal | external }] [ policy policy-name ]
  7. Do one of the following:
    • summary-prefix address / prefix-length [ level { 1 | 2 }]
    • summary-prefix ipv6-prefix / prefix-length [ level { 1 | 2 }]
  8. maximum-paths route-number
  9. distance weight [ address / prefix-length [ route-list-name ]]
  10. set-attached-bit
  11. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing process, and places the router in router configuration mode.

  • By default, all IS-IS instances are automatically Level 1 and Level 2. You can change the level of routing to be performed by a particular routing instance by using the is-type command.

Step 3

set-overload-bit [ on-startup { delay | wait-for-bgp }] [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# set-overload-bit

(Optional) Sets the overload bit.

Note 

The configured overload bit behavior does not apply to NSF restarts because the NSF restart does not set the overload bit during restart.

Step 4

address-family { ipv4 | ipv6 } [ unicast ]

Example:


RP/0/RP0/CPU0:router(config-isis)# address-family ipv4 unicast 

Specifies the IPv4 or IPv6 address family, and enters router address family configuration mode.

Step 5

default-information originate [ route-policy route-policy-name ]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# default-information originate

(Optional) Injects a default IPv4 or IPv6 route into an IS-IS routing domain.

  • The route-policy keyword and route-policy-name argument specify the conditions under which the IPv4 or IPv6 default route is advertised.

  • If the route-policy keyword is omitted, then the IPv4 or IPv6 default route is unconditionally advertised at Level 2.

Step 6

redistribute isis instance [ level-1 | level-2 | level-1-2 ] [ metric metric ] [ metric-type { internal | external }] [ policy policy-name ]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# redistribute isis 2 level-1

(Optional) Redistributes routes from one IS-IS instance into another instance.

  • In this example, an IS-IS instance redistributes Level 1 routes from another IS-IS instance.

Step 7

Do one of the following:

  • summary-prefix address / prefix-length [ level { 1 | 2 }]
  • summary-prefix ipv6-prefix / prefix-length [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# summary-prefix 10.1.0.0/16 level 1

or


RP/0/RP0/CPU0:router(config-isis-af)# summary-prefix 3003:xxxx::/24 level 1

(Optional) Allows a Level 1-2 router to summarize Level 1 IPv4 and IPv6 prefixes at Level 2, instead of advertising the Level 1 prefixes directly when the router advertises the summary.

  • This example specifies an IPv4 address and mask.

or

  • This example specifies an IPv6 prefix, and the command must be in the form documented in RFC 2373 in which the address is specified in hexadecimal using 16-bit values between colons.

  • Note that IPv6 prefixes must be configured only in the IPv6 router address family configuration submode, and IPv4 prefixes in the IPv4 router address family configuration submode.

Step 8

maximum-paths route-number

Example:


RP/0/RP0/CPU0:router(config-isis-af)# maximum-paths 16

(Optional) Configures the maximum number of parallel paths allowed in a routing table.

Step 9

distance weight [ address / prefix-length [ route-list-name ]]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# distance 90

(Optional) Defines the administrative distance assigned to routes discovered by the IS-IS protocol.

  • A different administrative distance may be applied for IPv4 and IPv6.

Step 10

set-attached-bit

Example:


RP/0/RP0/CPU0:router(config-isis-af)# set-attached-bit

(Optional) Configures an IS-IS instance with an attached bit in the Level 1 LSP.

Step 11

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Redistributing IS-IS Routes Between Multiple Instances: Example

The following example shows usage of the set- attached-bit and redistribute commands. Two instances, instance “1” restricted to Level 1 and instance “2” restricted to Level 2, are configured.

The Level 1 instance is propagating routes to the Level 2 instance using redistribution. Note that the administrative distance is explicitly configured higher on the Level 2 instance to ensure that Level 1 routes are preferred.

Attached bit is being set for the Level 1 instance since it is redistributing routes into the Level 2 instance. Therefore, instance “1” is a suitable candidate to get from the area to the backbone.


  router isis 1
    is-type level-2-only
   net 49.0001.0001.0001.0001.00
   address-family ipv4 unicast
    distance 116
    redistribute isis 2 level 2
  !
  interface HundredGigE 0/3/0/0
   address-family ipv4 unicast
  !
  !
  router isis 2
   is-type level-1
   net 49.0002.0001.0001.0002.00
   address-family ipv4 unicast
    set
-attached-bit

  !
  interface HundredGigE 0/1/0/0
   address-family ipv4 unicast
  

Set Priority for Adding Prefixes to RIB

This optional task describes how to set the priority (order) for which specified prefixes are added to the RIB. The prefixes can be chosen using an access list (ACL), prefix list, or by matching a tag value.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. address-family { ipv4 | ipv6 } [ unicast ]
  4. metric-style wide [ transition ] [ level { 1 | 2 }]
  5. spf prefix-priority [ level { 1 | 2 }] { critical | high | medium } { access-list-name | tag tag }
  6. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing process, and places the router in router configuration mode. In this example, the IS-IS instance is called isp.

Step 3

address-family { ipv4 | ipv6 } [ unicast ]

Example:


RP/0/RP0/CPU0:router(config-isis)# address-family ipv4 unicast 

Specifies the IPv4 or IPv6 address family, and enters router address family configuration mode.

Step 4

metric-style wide [ transition ] [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# metric-style wide level 1

Configures a router to generate and accept only wide-link metrics in the Level 1 area.

Step 5

spf prefix-priority [ level { 1 | 2 }] { critical | high | medium } { access-list-name | tag tag }

Example:


RP/0/RP0/CPU0:router(config-isis-af)# spf prefix-priority high tag 3

Installs all routes tagged with the value 3 first.

Step 6

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


IS-IS Interfaces

IS-IS interfaces can be configured as one of the following types:

  • Active—advertises connected prefixes and forms adjacencies. This is the default for interfaces.

  • Passive—advertises connected prefixes but does not form adjacencies. The passive command is used to configure interfaces as passive. Passive interfaces should be used sparingly for important prefixes such as loopback addresses that need to be injected into the IS-IS domain. If many connected prefixes need to be advertised then the redistribution of connected routes with the appropriate policy should be used instead.

  • Suppressed—does not advertise connected prefixes but forms adjacencies. The suppress command is used to configure interfaces as suppressed.

  • Shutdown—does not advertise connected prefixes and does not form adjacencies. The shutdown command is used to disable interfaces without removing the IS-IS configuration.

Tag IS-IS Interface Routes

This optional task describes how to associate a tag with a connected route of an IS-IS interface.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. address-family { ipv4 | ipv6 } [ unicast ]
  4. metric-style wide [ transition ] [ level { 1 | 2 }]
  5. exit
  6. interface type number
  7. address-family { ipv4 | ipv6 } [ unicast ]
  8. tag tag
  9. Use the commit or end command.
  10. show isis [ ipv4 | ipv6 | afi-all ] [ unicast | safi-all ] route [ detail ]

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing process, and places the router in router configuration mode. In this example, the IS-IS instance is called isp.

Step 3

address-family { ipv4 | ipv6 } [ unicast ]

Example:


RP/0/RP0/CPU0:router(config-isis)# address-family ipv4 unicast 

Specifies the IPv4 or IPv6 address family, and enters router address family configuration mode.

Step 4

metric-style wide [ transition ] [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-af)# metric-style wide level 1

Configures a router to generate and accept only wide link metrics in the Level 1 area.

Step 5

exit

Example:


RP/0/RP0/CPU0:router(config-isis-af)# exit

Exits router address family configuration mode, and returns the router to router configuration mode.

Step 6

interface type number

Example:


RP/0/RP0/CPU0:router(config-isis)# interface HundredGigE 0/1/0/3 

Enters interface configuration mode.

Step 7

address-family { ipv4 | ipv6 } [ unicast ]

Example:


RP/0/RP0/CPU0:router(config-isis-if)# address-family ipv4 unicast 

Specifies the IPv4 or IPv6 address family, and enters address family configuration mode.

Step 8

tag tag

Example:


RP/0/RP0/CPU0:router(config-isis-if-af)# tag 3 

Sets the value of the tag to associate with the advertised connected route.

Step 9

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Step 10

show isis [ ipv4 | ipv6 | afi-all ] [ unicast | safi-all ] route [ detail ]

Example:


RP/0/RP0/CPU0:router(config-isis-if-af)# show isis ipv4 route detail

Displays tag information. Verify that all tags are present in the RIB.


Tagging Routes: Example

The following example shows how to tag routes.


  route-policy isis-tag-55
  end-policy
  !
  route-policy isis-tag-555
    if destination in (5.5.5.0/24 eq 24) then
      set tag 555
      pass
    else
      drop
    endif
  end-policy
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 2.6.0.1
    5.5.5.0/24 Null0
   !
  !
  router isis uut
   net 00.0000.0000.12a5.00
   address-family ipv4 unicast
    metric-style wide
    redistribute static level-1 route-policy isis-tag-555
    spf prefix-priority critical tag 13
    spf prefix-priority high tag 444
    spf prefix-priority medium tag 777
  

Limit LSP Flooding

Limiting link-state packets (LSP) may be desirable in certain “meshy” network topologies. An example of such a network might be a highly redundant one such as a fully meshed set of point-to-point links over a nonbroadcast multiaccess (NBMA) transport. In such networks, full LSP flooding can limit network scalability. One way to restrict the size of the flooding domain is to introduce hierarchy by using multiple Level 1 areas and a Level 2 area. However, two other techniques can be used instead of or with hierarchy: Block flooding on specific interfaces and configure mesh groups.

Both techniques operate by restricting the flooding of LSPs in some fashion. A direct consequence is that although scalability of the network is improved, the reliability of the network (in the face of failures) is reduced because a series of failures may prevent LSPs from being flooded throughout the network, even though links exist that would allow flooding if blocking or mesh groups had not restricted their use. In such a case, the link-state databases of different routers in the network may no longer be synchronized. Consequences such as persistent forwarding loops can ensue. For this reason, we recommend that blocking or mesh groups be used only if specifically required, and then only after careful network design.

Control LSP Flooding for IS-IS

Flooding of LSPs can limit network scalability. You can control LSP flooding by tuning your LSP database parameters on the router globally or on the interface. This task is optional.

Many of the commands to control LSP flooding contain an option to specify the level to which they apply. Without the option, the command applies to both levels. If an option is configured for one level, the other level continues to use the default value. To configure options for both levels, use the command twice. For example:


  RP/0/RP0/CPU0:router(config-isis)# lsp-refresh-interval 1200 level 2
  RP/0/RP0/CPU0:router(config-isis)# lsp-refresh-interval 1100 level 1
  
         

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. lsp-refresh-interval seconds [ level { 1 | 2 }]
  4. lsp-check-interval seconds [ level { 1 | 2 }]
  5. lsp-gen-interval { [ initial-wait initial | secondary-wait secondary | maximum-wait maximum ] ... } [ level { 1 | 2 }]
  6. lsp-mtu bytes [ level { 1 | 2 }]
  7. max-lsp-lifetime seconds [ level { 1 | 2 }]
  8. ignore-lsp-errors disable
  9. interface type interface-path-id
  10. lsp-interval milliseconds [ level { 1 | 2 }]
  11. csnp-interval seconds [ level { 1 | 2 }]
  12. retransmit-interval seconds [ level { 1 | 2 }]
  13. retransmit-throttle-interval milliseconds [ level { 1 | 2 }]
  14. mesh-group { number | blocked }
  15. Use the commit or end command.
  16. show isis interface [ type interface-path-id | level { 1 | 2 }] [ brief ]
  17. show isis [ instance instance-id ] database [ level { 1 | 2 }] [ detail | summary | verbose ] [ * | lsp-id ]
  18. show isis [ instance instance-id ] lsp-log [ level { 1 | 2 }]
  19. show isis database-log [ level { 1 | 2 }]

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing instance, and places the router in router configuration mode.

  • You can change the level of routing to be performed by a particular routing instance by using the is-type router configuration command.

Step 3

lsp-refresh-interval seconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-refresh-interval 10800

(Optional) Sets the time between regeneration of LSPs that contain different sequence numbers

  • The refresh interval should always be set lower than the max-lsp-lifetime command.

Step 4

lsp-check-interval seconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-check-interval 240

(Optional) Configures the time between periodic checks of the entire database to validate the checksums of the LSPs in the database.

  • This operation is costly in terms of CPU and so should be configured to occur infrequently.

Step 5

lsp-gen-interval { [ initial-wait initial | secondary-wait secondary | maximum-wait maximum ] ... } [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-gen-interval maximum-wait 15 initial-wait 5 secondary-wait 5

(Optional) Reduces the rate of LSP generation during periods of instability in the network. Helps reduce the CPU load on the router and number of LSP transmissions to its IS-IS neighbors.

  • During prolonged periods of network instability, repeated recalculation of LSPs can cause an increased CPU load on the local router. Further, the flooding of these recalculated LSPs to the other Intermediate Systems in the network causes increased traffic and can result in other routers having to spend more time running route calculations.

Step 6

lsp-mtu bytes [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-mtu 1300

(Optional) Sets the maximum transmission unit (MTU) size of LSPs.

Step 7

max-lsp-lifetime seconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis)# max-lsp-lifetime 11000

(Optional) Sets the initial lifetime given to an LSP originated by the router.

  • This is the amount of time that the LSP persists in the database of a neighbor unless the LSP is regenerated or refreshed.

Step 8

ignore-lsp-errors disable

Example:


RP/0/RP0/CPU0:router(config-isis)# ignore-lsp-errors disable

(Optional) Sets the router to purge LSPs received with checksum errors.

Step 9

interface type interface-path-id

Example:


RP/0/RP0/CPU0:router(config-isis)# interface HundredGigE 0/1/0/3 

Enters interface configuration mode.

Step 10

lsp-interval milliseconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-if)# lsp-interval 100

(Optional) Configures the amount of time between each LSP sent on an interface.

Step 11

csnp-interval seconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-if)# csnp-interval 30 level 1

(Optional) Configures the interval at which periodic CSNP packets are sent on broadcast interfaces.

  • Sending more frequent CSNPs means that adjacent routers must work harder to receive them.

  • Sending less frequent CSNP means that differences in the adjacent routers may persist longer.

Step 12

retransmit-interval seconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-if)# retransmit-interval 60

(Optional) Configures the amount of time that the sending router waits for an acknowledgment before it considers that the LSP was not received and subsequently resends.


RP/0/RP0/CPU0:router(config-isis-if)# retransmit-interval 60
Step 13

retransmit-throttle-interval milliseconds [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router(config-isis-if)# retransmit-throttle-interval 1000

(Optional) Configures the amount of time between retransmissions on each LSP on a point-to-point interface.

  • This time is usually greater than or equal to the lsp-interval command time because the reason for lost LSPs may be that a neighboring router is busy. A longer interval gives the neighbor more time to receive transmissions.

Step 14

mesh-group { number | blocked }

Example:


RP/0/RP0/CPU0:router(config-isis-if)# mesh-group blocked

(Optional) Optimizes LSP flooding in NBMA networks with highly meshed, point-to-point topologies.

  • This command is appropriate only for an NBMA network with highly meshed, point-to-point topologies.

Step 15

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Step 16

show isis interface [ type interface-path-id | level { 1 | 2 }] [ brief ]

Example:


RP/0/RP0/CPU0:router# show isis interface HundredGigE 0/1/0/1 brief

(Optional) Displays information about the IS-IS interface.

Step 17

show isis [ instance instance-id ] database [ level { 1 | 2 }] [ detail | summary | verbose ] [ * | lsp-id ]

Example:


RP/0/RP0/CPU0:router# show isis database level 1

(Optional) Displays the IS-IS LSP database.

Step 18

show isis [ instance instance-id ] lsp-log [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router# show isis lsp-log

(Optional) Displays LSP log information.

Step 19

show isis database-log [ level { 1 | 2 }]

Example:


RP/0/RP0/CPU0:router# show isis database-log level 1

(Optional) Display IS-IS database log information.


IS-IS Authentication

Authentication is available to limit the establishment of adjacencies by using the hello-password command, and to limit the exchange of LSPs by using the lsp-password command.

IS-IS supports plain-text authentication, which does not provide security against unauthorized users. Plain-text authentication allows you to configure a password to prevent unauthorized networking devices from forming adjacencies with the router. The password is exchanged as plain text and is potentially visible to an agent able to view the IS-IS packets.

When an HMAC-MD5 password is configured, the password is never sent over the network and is instead used to calculate a cryptographic checksum to ensure the integrity of the exchanged data.

IS-IS stores a configured password using simple encryption. However, the plain-text form of the password is used in LSPs, sequence number protocols (SNPs), and hello packets, which would be visible to a process that can view IS-IS packets. The passwords can be entered in plain text (clear) or encrypted form.

To set the domain password, configure the lsp-password command for Level 2; to set the area password, configure the lsp-password command for Level 1.

The keychain feature allows IS-IS to reference configured keychains. IS-IS key chains enable hello and LSP keychain authentication. Keychains can be configured at the router level (in the case of the lsp-password command) and at the interface level (in the case of the hello-password command) within IS-IS. These commands reference the global keychain configuration and instruct the IS-IS protocol to obtain security parameters from the global set of configured keychains.

IS-IS is able to use the keychain to implement hitless key rollover for authentication. ey rollover specification is time based, and in the event of clock skew between the peers, the rollover process is impacted. The configurable tolerance specification allows for the accept window to be extended (before and after) by that margin. This accept window facilitates a hitless key rollover for applications (for example, routing and management protocols). 

Configure Authentication for IS-IS

This task explains how to configure authentication for IS-IS. This task is optional.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. lsp-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ] [ snp send-only ]
  4. interface type interface-path-id
  5. hello-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ]
  6. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing instance, and places the router in router configuration mode.

  • You can change the level of routing to be performed by a particular routing instance by using the is-type command.

Step 3

lsp-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ] [ snp send-only ]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-password hmac-md5 clear password1 level 1

Configures the LSP authentication password.

  • The hmac-md5 keyword specifies that the password is used in HMAC-MD5 authentication.

  • The text keyword specifies that the password uses cleartext password authentication.

  • The clear keyword specifies that the password is unencrypted when entered.

  • The encrypted keyword specifies that the password is encrypted using a two-way algorithm when entered.

  • The level 1 keyword sets a password for authentication in the area (in Level 1 LSPs and Level SNPs).

  • The level 2 keywords set a password for authentication in the backbone (the Level 2 area).

  • The send-only keyword adds authentication to LSP and sequence number protocol data units (SNPs) when they are sent. It does not authenticate received LSPs or SNPs.

  • The snp send-only keyword adds authentication to SNPs when they are sent. It does not authenticate received SNPs.

Note 

To disable SNP password checking, the snp send-only keywords must be specified in the lsp-password command.

Step 4

interface type interface-path-id

Example:


RP/0/RP0/CPU0:router(config-isis)# interface GigabitEthernet 0/1/0/3 

Enters interface configuration mode.

Step 5

hello-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ]

Example:


RP/0/RP0/CPU0:router(config-isis-if)#hello-password text clear mypassword

Configures the authentication password for an IS-IS interface.

Step 6

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Configure Keychains for IS-IS

This task explains how to configure keychains for IS-IS. This task is optional.

Keychains can be configured at the router level ( lsp-password command) and at the interface level ( hello-password command) within IS-IS. These commands reference the global keychain configuration and instruct the IS-IS protocol to obtain security parameters from the global set of configured keychains. The router-level configuration (lsp-password command) sets the keychain to be used for all IS-IS LSPs generated by this router, as well as for all Sequence Number Protocol Data Units (SN PDUs). The keychain used for HELLO PDUs is set at the interface level, and may be set differently for each interface configured for IS-IS.

SUMMARY STEPS

  1. configure
  2. router isis instance-id
  3. l sp-password keychain keychain-name [ level { 1 | 2 }] [ send-only ] [ snp send-only ]
  4. interface type interface-path-id
  5. hello-password keychain keychain-name [ level { 1 | 2 }] [ send-only ]
  6. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis isp

Enables IS-IS routing for the specified routing instance, and places the router in router configuration mode.

  • You can change the level of routing to be performed by a particular routing instance by using the is-type command.

Step 3

l sp-password keychain keychain-name [ level { 1 | 2 }] [ send-only ] [ snp send-only ]

Example:


RP/0/RP0/CPU0:router(config-isis)# lsp-password keychain isis_a level 1

Configures the keychain.

Step 4

interface type interface-path-id

Example:


RP/0/RP0/CPU0:router(config-isis)# interface HundredGigE 0/1/0/3 

Enters interface configuration mode.

Step 5

hello-password keychain keychain-name [ level { 1 | 2 }] [ send-only ]

Example:


RP/0/RP0/CPU0:router(config-isis-if)#hello-password keychain isis_b

Configures the authentication password for an IS-IS interface.

Step 6

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


ISIS NSR

Non Stop Routing (NSR) suppresses IS-IS routing changes for devices with redundant route processors during processor switchover events (RP failover or ISSU), reducing network instability and downtime. When Non Stop Routing is used, switching from the active to standby RP have no impact on the other IS-IS routers in the network. All information needed to continue the routing protocol peering state is transferred to the standby processor prior to the switchover, so it can continue immediately upon a switchover.

To preserve routing across process restarts, NSF must be configured in addition to NSR.

Configuring ISIS-NSR

Procedure


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

router isis instance-id

Example:


RP/0/RP0/CPU0:router(config)# router isis 1

Enables IS-IS routing for the specified routing instance, and places the router in router configuration mode.

Step 3

nsr

Example:


RP/0/RP0/CPU0:router(config-isis)# nsr

Configures the NSR feature.

Step 4

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Step 5

show isis nsr adjacency

Example:


RP/0/RP0/CPU0:router
# show isis nsr adjacency
System Id Interface SNPA State Hold Changed NSF IPv4 BFD IPv6 BFD 
  R1-v1S   Nii0     *PtoP* Up   83  00:00:33 Yes  None    None 

Displays adjacency information.

Step 6

show isis nsr status

Example:


RP/0/RP0/CPU0:router
router#show isis nsr status
IS-IS test NSR(v1a) STATUS (HA Ready):
                            V1 Standby V2 Active V2 Standby
SYNC STATUS:                   TRUE      FALSE(0) FALSE(0)
PEER CHG COUNT:                 1           0        0
UP TIME:                     00:03:12     not up    not up

Displays the NSR status information.

Step 7

show isis nsr statistics

Example:


RP/0/RP0/CPU0:router
router#show isis nsr statistics
IS-IS test NSR(v1a) MANDATORY STATS :
                                 V1 Active                V1 Standby         V2 Active           V2 Standby
L1 ADJ:                               0                     0                   0                     0
L2 ADJ:                               2                     2                   0                     0
LIVE INTERFACE:                       4                     4                   0                     0
PTP INTERFACE:                        1                     1                   0                     0
LAN INTERFACE:                        2                     2                   0                     0
LOOPBACK INTERFACE:                   1                     1                   0                     0
TE Tunnel:                            1                     1                   0                     0
TE LINK:                              2                     2                   0                     0
NSR OPTIONAL STATS :
L1 LSP:                               0                     0                   0                     0
L2 LSP:                               4                     4                   0                     0
IPV4 ROUTES:                          3                     3                   0                     0
IPV6 ROUTES:                          4                     4                   0                     0

Shows number of ISIS adjacencies, lsps, routes, tunnels, Te links on active and standby routers.


Configuring IS-IS Adjacency Stagger

Certain events like process restart or reload can involve a significant processing overhead. Updating routing tables with all adjacencies, maintaining them, and synchronizing the database with each adjacent router requires a lot of bandwidth. These processes may require large number of packets being sent and/or received, depending on the state of the database on the routers. If packets are dropped in any direction, it can lead to an unstable state.

We cannot prevent events like process restart or reload, but we can handle such events better by limiting the number of adjacencies that area being established simultaneously. To limit the number of adjacencies from getting established simultaneously, you can configure adjacency stagger. By configuring IS-IS adjacency stagger, you can specify the initial number neighbourhood routers from which adjacencies can fully form after a process restart or reload. If you configure IS-IS adjacency stagger, you can also specify the subsequent number of simultaneous neighbors that are allowed to form adjacency.

Restrictions

  • IS-IS adjacency stagger is only supported on point-to-point interfaces and not on LAN interfaces.

  • IS-IS adjacency stagger is not supported with NSF (non-stop forwarding) mechanisms.

Configuration Example

To configure IS-IS adjacency stagger on a point-to-point interface, you must use the following configuration steps:

  1. Configure IS-IS.

  2. Configure adjacency stagger.

Configuration

/* Enter the global configuration mode and configure IS-IS */
Router# config
Router(config)# router isis 1

/* Configure IS-IS adjacency stagger */
Router(config-isis)# adjacency stagger 2 3
Router(config-isis)# commit

IS-IS Overload Bit Avoidance

The IS-IS overload bit avoidance feature allows network administrators to prevent label switched paths (LSPs) from being disabled when a router in that path has its Intermediate System-to-Intermediate System (IS-IS) overload bit set.

When the IS-IS overload bit avoidance feature is activated, all nodes with the overload bit set, including head nodes, mid nodes, and tail nodes, are ignored, which means that they are still available for use with label switched paths (LSPs).


Note

The IS-IS overload bit avoidance feature does not change the default behavior on nodes that have their overload bit set if those nodes are not included in the path calculation (PCALC).


The IS-IS overload bit avoidance feature is activated using the following command:

mpls traffic-eng path-selection ignore overload

The IS-IS overload bit avoidance feature is deactivated using the no form of this command:

no mpls traffic-eng path-selection ignore overload

When the IS-IS overload bit avoidance feature is deactivated, nodes with the overload bit set cannot be used as nodes of last resort.

Configure IS-IS Overload Bit Avoidance

This task describes how to activate IS-IS overload bit avoidance.

Before you begin

The IS-IS overload bit avoidance feature is valid only on networks that support the following features:

  • MPLS

  • IS-IS

SUMMARY STEPS

  1. configure
  2. mpls traffic-eng path-selection ignore overload

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

mpls traffic-eng path-selection ignore overload

Example:


RP/0/RP0/CPU0:router(config)# mpls traffic-eng path-selection ignore overload

Activates IS-IS overload bit avoidance.


Configuring IS-IS Overload Bit Avoidance: Example

The following example shows how to activate IS-IS overload bit avoidance:


  config
   mpls traffic-eng path-selection ignore overload

The following example shows how to deactivate IS-IS overload bit avoidance:


  config
   no mpls traffic-eng path-selection ignore overload

References for IS-IS

This section provides additional conceptual information on IS-IS. It includes the following topics:

IS-IS Functional Overview

Small IS-IS networks are typically built as a single area that includes all routers in the network. As the network grows larger, it may be reorganized into a backbone area made up of the connected set of all Level 2 routers from all areas, which is in turn connected to local areas. Within a local area, routers know how to reach all system IDs. Between areas, routers know how to reach the backbone, and the backbone routers know how to reach other areas.

The IS-IS routing protocol supports the configuration of backbone Level 2 and Level 1 areas and the necessary support for moving routing information between the areas. Routers establish Level 1 adjacencies to perform routing within a local area (intra-area routing). Routers establish Level 2 adjacencies to perform routing between Level 1 areas (interarea routing).

Each IS-IS instance can support either a single Level 1 or Level 2 area, or one of each. By default, all IS-IS instances automatically support Level 1 and Level 2 routing. You can change the level of routing to be performed by a particular routing instance using the is-type command.

Multiple IS-IS instances can exist on the same physical interface. However, you must configure different instance-id for every instance that shares the same physical interface.

Alternatively, you can also create dot1q sub-interfaces and configure each dot1q sub-interface to different IS-IS instances.

Default Routes

You can force a default route into an IS-IS routing domain. Whenever you specifically configure redistribution of routes into an IS-IS routing domain, the software does not, by default, redistribute the default route into the IS-IS routing domain. The default-information originate command generates a default route into IS-IS, which can be controlled by a route policy. You can use the route policy to identify the level into which the default route is to be announced, and you can specify other filtering options configurable under a route policy. You can use a route policy to conditionally advertise the default route, depending on the existence of another route in the routing table of the router.

Overload Bit on Router

The overload bit is a special bit of state information that is included in an LSP of the router. If the bit is set on the router, it notifies routers in the area that the router is not available for transit traffic. This capability is useful in four situations:

  1. During a serious but nonfatal error, such as limited memory.

  2. During the startup and restart of the process. The overload bit can be set until the routing protocol has converged. However, it is not employed during a normal NSF restart or failover because doing so causes a routing flap.

  3. During a trial deployment of a new router. The overload bit can be set until deployment is verified, then cleared.

  4. During the shutdown of a router. The overload bit can be set to remove the router from the topology before the router is removed from service.

Overload Bit Configuration During Multitopology Operation

Because the overload bit applies to forwarding for a single topology, it may be configured and cleared independently for IPv4 and IPv6 during multitopology operation. For this reason, the overload is set from the router address family configuration mode. If the IPv4 overload bit is set, all routers in the area do not use the router for IPv4 transit traffic. However, they can still use the router for IPv6 transit traffic.

Attached Bit on an IS-IS Instance

The attached bit is set in a router that is configured with the is-type command and level-1-2 keyword. The attached bit indicates that the router is connected to other areas (typically through the backbone). This functionality means that the router can be used by Level 1 routers in the area as the default route to the backbone. The attached bit is usually set automatically as the router discovers other areas while computing its Level 2 SPF route. The bit is automatically cleared when the router becomes detached from the backbone.


Note

If the connectivity for the Level 2 instance is lost, the attached bit in the Level 1 instance LSP would continue sending traffic to the Level 2 instance and cause the traffic to be dropped.


To simulate this behavior when using multiple processes to represent the level-1-2 keyword functionality, you would manually configure the attached bit on the Level 1 process.

IS-IS Support for Route Tags

The IS-IS Support for route tags feature provides the capability to associate and advertise a tag with an IS-IS route prefix. Additionally, the feature allows you to prioritize the order of installation of route prefixes in the RIB based on a tag of a route. Route tags may also be used in route policy to match route prefixes (for example, to select certain route prefixes for redistribution).

Flood Blocking on Specific Interfaces

With this technique, certain interfaces are blocked from being used for flooding LSPs, but the remaining interfaces operate normally for flooding. This technique is simple to understand and configure, but may be more difficult to maintain and more error prone than mesh groups in the long run. The flooding topology that IS-IS uses is fine-tuned rather than restricted. Restricting the topology too much (blocking too many interfaces) makes the network unreliable in the face of failures. Restricting the topology too little (blocking too few interfaces) may fail to achieve the desired scalability.

To improve the robustness of the network in the event that all nonblocked interfaces drop, use the csnp-interval command in interface configuration mode to force periodic complete sequence number PDUs (CSNPs) packets to be used on blocked point-to-point links. The use of periodic CSNPs enables the network to become synchronized.

Maximum LSP Lifetime and Refresh Interval

By default, the router sends a periodic LSP refresh every 15 minutes. LSPs remain in a database for 20 minutes by default. If they are not refreshed by that time, they are deleted. You can change the LSP refresh interval or maximum LSP lifetime. The LSP interval should be less than the LSP lifetime or else LSPs time out before they are refreshed. In the absence of a configured refresh interval, the software adjusts the LSP refresh interval, if necessary, to prevent the LSPs from timing out.

Mesh Group Configuration

Configuring mesh groups (a set of interfaces on a router) can help to limit flooding. All routers reachable over the interfaces in a particular mesh group are assumed to be densely connected with each router having at least one link to every other router. Many links can fail without isolating one or more routers from the network.

In normal flooding, a new LSP is received on an interface and is flooded out over all other interfaces on the router. With mesh groups, when a new LSP is received over an interface that is part of a mesh group, the new LSP is not flooded over the other interfaces that are part of that mesh group.

Multi-Instance IS-IS

You can configure up to five IS-IS instances. MPLS can run on multiple IS-IS processes as long as the processes run on different sets of interfaces. Each interface may be associated with only a single IS-IS instance. The software prevents the double-booking of an interface by two instances at configuration time—two instances of MPLS configuration causes an error.

Because the Routing Information Base (RIB) treats each of the IS-IS instances as equal routing clients, you must be careful when redistributing routes between IS-IS instances. The RIB does not know to prefer Level 1 routes over Level 2 routes. For this reason, if you are running Level 1 and Level 2 instances, you must enforce the preference by configuring different administrative distances for the two instances.