IS-IS — The Quiet Backbone Protocol
Most enterprise networks run OSPF or EIGRP for their interior gateway protocol. ISPs and service providers, almost universally, run IS-IS. The protocol’s strengths — clean separation of routing from IP, fewer LSA types, faster convergence under churn, and the ability to extend without changing the core protocol — make it the right choice for very large carrier backbones.
This article covers IS-IS on Cisco IOS: the strange NET addressing, levels (the IS-IS equivalent of OSPF areas), basic configuration, and how it compares to OSPF.
What’s Different About IS-IS
IS-IS was designed in the OSI world, not the IP world. It runs directly over Layer 2 (it doesn’t use IP at all for its own protocol packets), which gives it a few interesting properties:
- Doesn’t need IP addresses on participating links — the routing protocol is independent of the protocol it routes
- Carries multiple address families — same protocol, IPv4 + IPv6 + (originally) CLNS
- Uses NSAP-style addressing for routers (the “NET” address)
- Two levels instead of OSPF’s many area types
- Can’t be ACL’d at L3 because it’s L2 — either physical isolation or IS-IS authentication for security
The NET Address
Every IS-IS router has a Network Entity Title (NET). It looks like this:
49.0001.1921.6800.0001.00Decomposed:
49— AFI (Authority and Format Identifier).49is the private/local AFI; equivalent to RFC1918 for OSI.0001— Area number (2 bytes shown as 4 hex digits with a dot separator).1921.6800.0001— System ID (6 bytes / 12 hex digits, often derived from a loopback IP). 192.168.0.1 =1921.6800.0001with dotted-hex padding.00— SEL (NSAP selector). Always00for routers.
Convention: derive the System ID from a loopback IP for traceability. Routers in the same area share the same area number; the System ID must be unique per router.
Levels — L1 vs L2
IS-IS has two levels, like OSPF’s normal area + Area 0:
- Level 1 (L1) — intra-area. Routers within the same area, learn only their area’s topology, default-route to L1/L2 router for everything else.
- Level 2 (L2) — backbone. Connects L1 areas together. The L2 backbone must be contiguous (like OSPF’s Area 0).
- L1/L2 — routers that participate in both, equivalent to OSPF’s ABR.
By default, every IS-IS interface runs L1 + L2. Specify per-interface for control:
R1(config-if)# isis circuit-type level-1
R1(config-if)# isis circuit-type level-2-only
R1(config-if)# isis circuit-type level-1-2Basic Configuration
R1(config)# router isis
R1(config-router)# net 49.0001.1921.6800.0001.00
R1(config-router)# is-type level-2
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip router isis
R1(config-if)# isis circuit-type level-2-onlyThree things to call out:
net— assigned at the router process level, not per-interface like OSPF’s router-id.is-type— controls which levels this router participates in. Default islevel-1-2; explicitlevel-2for backbone routers in flat designs is cleaner.ip router isison the interface enables IPv4 IS-IS. The interface command IS what activates IS-IS, not anetworkstatement.
Loopback Configuration
Always include the loopback in IS-IS so its address propagates as a /32:
R1(config)# interface Loopback0
R1(config-if)# ip address 192.168.0.1 255.255.255.255
R1(config-if)# ip router isisCost Metric
IS-IS uses a default cost of 10 on every interface unless you override:
R1(config-if)# isis metric 5Or globally use wide metrics (recommended; the default narrow metric tops out at 63):
R1(config-router)# metric-style wideWide metrics use a 24-bit interface metric and 32-bit path metric — far more headroom for diverse link costs.
Authentication
IS-IS authentication can be applied at the interface level (per-link) or area level (per-LSP):
! Per-interface
R1(config-if)# isis authentication mode md5
R1(config-if)# isis authentication key-chain ISIS-KEYS
! Per-area (in router config)
R1(config-router)# authentication mode md5
R1(config-router)# authentication key-chain ISIS-KEYSVerifying IS-IS
R1# show isis neighbors
R1# show isis topology
R1# show isis database
R1# show ip route isis
R1# show clns interface
R1# show clns neighborsNote the show clns commands — CLNS is the protocol IS-IS runs on, not IP. show clns neighbors shows IS-IS adjacencies in their native form.
IS-IS vs OSPF
| Aspect | OSPF | IS-IS |
|---|---|---|
| Layer | L3 (uses IP, protocol 89) | L2 (CLNS, no IP needed) |
| Area model | Many area types (Stub, NSSA, TSA, etc.) | Two levels (L1, L2) |
| Multi-AF | OSPFv2 (IPv4) and OSPFv3 (IPv6) are separate processes | One process carries all AFs |
| Convergence | Fast | Faster under churn (fewer LSP changes) |
| Where used | Enterprise | ISP / SP backbones |
| Complexity | Many features, many gotchas | Cleaner, fewer levers |
Common Pitfalls
- Wrong NET address. Routers in the same area must share the same area number; System ID must be unique. Mistype either, and adjacencies don’t form.
- Mismatched circuit-type. An L1-only and L2-only router on the same link won’t form a neighbor (one’s sending L1 hellos, the other expects L2). Use L1-2 by default unless you have a specific reason.
- Narrow metric overflow. Default narrow metrics cap at 63. Standardize
metric-style wideon day one. - Forgetting
ip router isis. The interface command activates the protocol; without it, IS-IS doesn’t run on that interface even if the network is reachable. - L2 backbone discontiguous. Like OSPF Area 0, the L2 backbone must be a contiguous topology. Bridge gaps with virtual links (rare in IS-IS).
Conclusion
IS-IS is the quiet alternative to OSPF: smaller blueprint, simpler deployment, and dominant in service-provider backbones. For enterprise IT, OSPF and EIGRP cover the same ground with more familiar tooling. But knowing IS-IS — even at the level of “here’s a NET, here’s how levels work, here’s the basic config” — rounds out a routing engineer’s toolkit and makes the CCNP service-provider track approachable.