Intermediate System to Intermediate System (IS-IS) is an Interior Gateway Protocol (IGP) based on Standardization (ISO)/International Engineering Consortium (IEC) 10589 that

• supports Internet Protocol version 4 (IPv4) and IPv6

• is a dynamic link-state routing protocol, and

• can detect changes in the network topology and calculate loop-free routes to other nodes in the network.

Each router running IS-IS maintains a link-state database that describes the state of the network and sends packets on every configured link to discover neighbors. IS-IS floods the link-state information across the network to each neighbor. The router also sends advertisements and updates on the link-state database through all the existing neighbors.

IS-IS authentication helps you to configure authentication to control adjacencies and the exchange of LSPs.

Routers that want to become neighbors must exchange the same password for their configured level of authentication. IS-IS blocks a router that does not have the correct password. You can configure IS-IS authentication globally or for an individual interface for Level 1, Level 2, or both Level 1/Level 2 routing.

IS-IS supports these authentication methods:

• Clear text: All packets exchanged carry a cleartext 128-bit password.

• MD5 digest: All packets exchanged carry a message digest that is based on a 128-bit key.

To provide protection against passive attacks, IS-IS never sends the MD5 secret key as cleartext through the network. In addition, IS-IS includes a sequence number in each packet to protect against replay attacks.

You can use also keychains for hello and LSP authentication. See the Cisco Nexus 9000 Series NX-OS Security Configuration Guide for information on keychain management.

A mesh group is a set of interfaces in which all routers reachable over the interfaces have at least one link to every other router. Many links can fail without isolating one or more routers from the network.

In normal flooding, an interface receives a new LSP and floods the LSP out over all other interfaces on the router. With mesh groups, when an interface that is part of a mesh group receives a new LSP, the interface does not flood the new LSP over the other interfaces that are part of that mesh group.

Note

You may want to limit LSPs in certain mesh network topologies to improve network scalability. Limiting LSP floods might also reduce the reliability of the network (in case of failures). For this reason, we recommend that you use mesh groups only if specifically required, and then only after you make a careful network design.

You can also configure mesh groups in block mode for parallel links between routers. In this mode, all LSPs are blocked on that interface in a mesh group after the routers initially exchange their link-state information.

IS-IS uses the overload bit to tell other routers not to use the local router to forward traffic but to continue routing traffic destined for that local router.

You can use overload bit in these situations:

• The router is in a critical condition.

• Graceful introduction and removal of the router to/from the network.

• Other (administrative or traffic engineering) reasons such as waiting for BGP convergence.

Route summarization simplifies route tables by replacing more-specific addresses with an address that represents all the specific addresses. For example, you can replace 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 with one summary address, 10.1.0.0/16.

If more specific routes are in the routing table, IS-IS advertises the summary address with a metric equal to the minimum metric of the more specific routes.

Note	Cisco NX-OS does not support automatic route summarization.

Route redistribution is a processes that allows IS-IS to learn routes from other routing protocols. You can configure IS-IS to assign a specific link cost to these redistributed routes or apply a default link cost to all of them.

You must configure a route map with the redistribution to control which routes are passed into IS-IS. A route map allows you to filter routes based on attributes such as the destination, origination protocol, route type, route tag, and so on. For more information, see Configuring Route Policy Manager.

Whenever you redistribute routes into an IS-IS routing domain, Cisco NX-OS does not, by default, redistribute the default route into the IS-IS routing domain. You can generate a default route into IS-IS, which can be controlled by a route policy.

You also configure the default metric that is used for all imported routes into IS-IS.

By default, IS-IS advertises the addresses of connected interfaces in the system LSP. By suppressing the advertisement of unwanted interface addresses, you can reduce the size of LSPs and reduce the number of routes that IS-IS maintains, improving convergence times.

Two prefix suppression methods are provided for reducing the number of routes in the LSP:

• At the global level, you can choose to advertise only those prefixes that belong to passive interfaces, excluding other connected prefixes. See Advertise Only Passive Interface Prefixes.

• At the interface level, you can disable the advertisement of connected prefixes. See Suppress Prefixes on an Interface.

Load balancing is a feature that allows a router to distribute traffic over all the router network ports that are the same distance from the destination address. Load balancing increases the utilization of network segments and increases the effective network bandwidth.

Cisco NX-OS supports the Equal Cost Multiple Paths (ECMP) feature with up to 16 equal-cost paths in the IS-IS route table and the unicast RIB. You can configure IS-IS to load balance traffic across some or all of those paths.

Bidirectional forwarding detection (BFD) is a detection protocol designed to provide fast forwarding-path failure detection times. IS-IS supports BFD for IPv4 and IPv6.

BFD provides subsecond failure detection between two adjacent devices and can be less CPU-intensive than protocol hello messages because some of the BFD load can be distributed onto the data plane on supported modules. See the Cisco Nexus 9000 Series NX-OS Interfaces Configuration Guide for more information.

Cisco NX-OS supports multiple process instances for IS-IS. Each IS-IS instance can support multiple virtual routing and forwarding (VRF) instances, up to the system limit. For the number of supported IS-IS instances, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

High availabilities in Cisco NX-OS provide a multilevel architecture that ensures continuous network operation and minimal downtime. IS-IS supports high availability.

IS-IS supports stateful restart, which is also referred to as non-stop routing (NSR). If IS-IS experiences problems, it attempts to restart from its previous run-time state. The neighbors would not register any neighbor event in this case. If the first restart is not successful and another problem occurs, IS-IS attempts a graceful restart as per RFC 3847. A graceful restart, or non-stop forwarding (NSF), allows IS-IS to remain in the data forwarding path through a process restart. When the restarting IS-IS interface is operational again, it rediscovers its neighbors, establishes adjacency, and starts sending its updates again. At this point, the NSF helpers recognize that the graceful restart has finished.

A stateful restart is used in these scenarios:

• First recovery attempt after process experiences problems

• User-initiated switchover using the system switchover command

A graceful restart is used in these scenarios:

• Second recovery attempt after the process experiences problems within a 4-minute interval

• Manual restart of the process using the restart isis command

• Active supervisor removal

• Active supervisor reload using the reload module active-sup command

Note	Graceful restart is on by default, and we strongly recommend that you do not disable it.

Cisco NX-OS supports multiple instances of the IS-IS protocol that run on the same node. You cannot configure multiple instances over the same interface. Every instance uses the same system router ID. For the number of supported IS-IS instances, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

These are the prerequisites of IS-IS:

• You must enable IS-IS. See the Enabling the IS-IS Feature.

IS-IS has these configuration guidelines and limitations:

• IS-IS Level-1 routes do not populate on the connecting Level-2-only switch if an explicit configuration is not added to the Level-1/Level-2 Cisco Nexus switch.

• Because the default reference bandwidth is different for Cisco NX-OS and Cisco IOS, the advertised tunnel IS-IS metric is different for these two operating systems.

• You can configure IS-IS over segment routing for all Cisco Nexus 9000 Series switches and the Cisco Nexus 3164Q and 31128PQ switches. For information, see the Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide.

To configure IS-IS, follow these steps:

1. Enable the IS-IS feature (see the Enabling the IS-IS Feature section).

2. Create an IS-IS instance (see the Creating an IS-IS Instance section).

3. Add an interface to the IS-IS instance (see the Configuring IS-IS on an Interface section).

4. Configure optional features, such as authentication, mesh groups, and dynamic host exchange.

Note	If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

See the Configuring Route Policy Manager for more information on route maps.