IS-IS Design Principles

Foundation for Success

Successful IS-IS deployments start with solid design principles. These guidelines ensure networks are scalable, maintainable, and perform optimally while providing the flexibility to accommodate future growth and changes.

Core Design Principles

Hierarchical Design

Concept: Implement a clear hierarchical structure using IS-IS levels and areas to provide scalability and stability.

Benefits:
  • Reduced routing table size
  • Faster convergence
  • Fault isolation
  • Simplified troubleshooting

Implementation:
  • Use Level-1 for access areas
  • Use Level-2 for backbone
  • Level-1-2 routers at boundaries
  • Logical area organization

Redundancy and Resilience

Concept: Design networks with appropriate redundancy to maintain connectivity during failures while avoiding unnecessary complexity.

Redundancy Best Practices
# Multiple area border routers
router isis
 is-type level-1-2
 
# Diverse path metrics
interface GigabitEthernet0/0
 isis metric 100
interface GigabitEthernet0/1
 isis metric 150  # Backup path

# BFD for fast failure detection
interface GigabitEthernet0/0
 isis bfd
 bfd interval 50 min_rx 50 multiplier 3

Summarization Strategy

Concept: Implement route summarization at appropriate boundaries to reduce routing overhead and improve stability.

Where to Summarize:
  • Area boundaries
  • Network layer boundaries
  • Redistribution points
  • Regional aggregation points

What to Summarize:
  • Contiguous address blocks
  • Customer networks
  • Infrastructure networks
  • Service networks

Addressing Plan

Concept: Develop a comprehensive addressing plan that supports summarization, troubleshooting, and network growth.

Component | Recommendation | Example | Benefit
--- | --- | --- | ---
Area IDs | Geographic or functional | 49.0001 (NYC), 49.0002 (LA) | Easy identification
System IDs | Based on loopback IP | 1921.6800.0001 (192.168.0.1) | Correlation with management
Loopbacks | Contiguous blocks | 192.168.0.0/24 for infrastructure | Easy summarization
P2P Links | Dedicated ranges | 10.0.0.0/16 for WAN links | Clear separation
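As an added example (my own code, not part of the original page), a Python helper that applies the system-ID convention from the table above: each loopback octet is zero-padded to three digits, the 12 digits are regrouped into blocks of four, and the NET is assembled from area, system ID and the 00 NSEL. The reverse mapping is what an operator uses to correlate a system ID seen in the LSP database with a management address.

```python
import ipaddress


def system_id_from_loopback(ip: str) -> str:
    """Map a loopback IPv4 address to a 12-digit IS-IS system ID.

    192.168.0.1 -> 192 168 000 001 -> 192168000001 -> 1921.6800.0001
    """
    octets = ipaddress.IPv4Address(ip).packed  # raises ValueError on bad input
    digits = "".join(f"{o:03d}" for o in octets)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def loopback_from_system_id(sysid: str) -> str:
    """Reverse mapping: 1921.6800.0001 -> 192.168.0.1 (for correlation)."""
    digits = sysid.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"not a 12-digit system ID: {sysid}")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError(f"system ID does not encode an IPv4 address: {sysid}")
    return ".".join(str(o) for o in octets)


def net_for(area: str, loopback: str, nsel: str = "00") -> str:
    """Build the NET <area>.<system-id>.<nsel>, e.g. 49.0001.1921.6800.0001.00."""
    return f"{area}.{system_id_from_loopback(loopback)}.{nsel}"


def check_unique_system_ids(loopbacks):
    """Return loopbacks that would collide on system ID (duplicate system IDs
    corrupt the LSP database, so the plan must guarantee uniqueness)."""
    seen, dupes = {}, []
    for ip in loopbacks:
        sid = system_id_from_loopback(ip)
        if sid in seen:
            dupes.append(ip)
        seen[sid] = ip
    return dupes
```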

Design Decision Framework

1. Requirements Analysis
  • Network size and growth projections
  • Performance requirements
  • Availability targets
  • Security requirements
2. Topology Design
  • Area layout and boundaries
  • Router level assignments
  • Redundancy planning
  • Traffic flow analysis
3. Implementation Planning
  • Migration strategy
  • Testing procedures
  • Rollback plans
  • Documentation requirements

Scalability Guidelines

IS-IS Scalability Factors

IS-IS scalability depends on several factors including network size, topology complexity, and resource availability. Understanding these factors helps design networks that can grow efficiently.

Key Scalability Metrics

Factor | Recommended Limit | Impact | Optimization
--- | --- | --- | ---
Routers per Area | 50-100 | LSP database size | Area subdivision
Areas per Domain | 100-200 | Level-2 database size | Route summarization
LSPs per Router | 1000-5000 | Memory and CPU usage | LSP fragmentation
Neighbors per Router | 50-100 | Hello overhead | Network design
Routes per LSP | 200-500 | Flooding efficiency | Route aggregation

Scalability Optimization Techniques

Hierarchical Design

Use IS-IS's natural hierarchy to limit flooding scope and reduce database sizes.

# Proper level assignment
router isis CORE
 is-type level-2-only
 net 49.0001.1921.6800.0001.00

router isis ACCESS
 is-type level-1
 net 49.0010.1921.6800.0010.00

router isis BORDER
 is-type level-1-2
 net 49.0010.1921.6800.0020.00

Route Summarization

Implement aggressive summarization to reduce routing table sizes and improve convergence.

# Summarization at area boundaries
# (IOS summary-address takes level-1, level-1-2 or level-2; there is no
#  "external" keyword, but redistributed routes matching a summary are aggregated too)
router isis
 summary-address 192.168.0.0 255.255.0.0 level-2
 summary-address 172.16.0.0 255.240.0.0 level-1
 summary-address 10.0.0.0 255.0.0.0 level-1-2
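The following Python audit is an added example (my own code, not from the page) for checking a summarization plan before it is configured: it flags prefixes that no summary covers (they would still be advertised individually, defeating the summary) and summaries that cover no configured prefix (they attract traffic for address space the area does not actually own). Summaries and prefixes are assumed to be given as CIDR strings.

```python
import ipaddress


def audit_summaries(summaries, prefixes):
    """Return (uncovered, empty): prefixes not covered by any summary, and
    summaries that cover none of the configured prefixes."""
    sums = [ipaddress.ip_network(s) for s in summaries]
    pfx = [ipaddress.ip_network(p) for p in prefixes]
    uncovered = [str(p) for p in pfx if not any(p.subnet_of(s) for s in sums)]
    empty = [str(s) for s in sums if not any(p.subnet_of(s) for p in pfx)]
    return uncovered, empty


def minimal_summaries(prefixes):
    """Smallest set of aggregates that exactly covers the prefixes, i.e. the
    summaries that add no address space beyond what is configured."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def summary_overreach(summary, prefixes):
    """Address count a summary advertises beyond the configured prefixes
    (the space that would be black-holed at the summarizing router)."""
    s = ipaddress.ip_network(summary)
    covered = sum(p.num_addresses for p in map(ipaddress.ip_network, prefixes)
                  if p.subnet_of(s))
    return s.num_addresses - covered
```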

Route Filtering

Use route filtering to control information propagation and reduce unnecessary routes.

# Filter unnecessary routes
ip prefix-list FILTER-MGMT seq 10 deny 192.168.255.0/24
ip prefix-list FILTER-MGMT seq 20 permit 0.0.0.0/0 le 32

router isis
 distribute-list prefix FILTER-MGMT out level-2

Mesh Groups

Use mesh groups in full-mesh topologies to reduce LSP flooding overhead.

# Optimize flooding in mesh networks
interface Serial0/0
 isis mesh-group 100  # LSPs received from one member of group 100 are not reflooded to the other members
interface Serial0/1
 isis mesh-group blocked  # No proactive flooding on this link; LSPs are sent only when a PSNP requests them

Resource Planning

Memory Planning

Memory Usage Factors:
  • ~1KB per LSP in database
  • ~500 bytes per route
  • ~200 bytes per neighbor
  • Buffer allocation for flooding

Optimization:
  • Limit LSP database size
  • Use route summarization
  • Configure appropriate buffers

CPU Planning

CPU Usage Factors:
  • SPF calculations
  • LSP processing
  • Hello packet handling
  • Route table updates

Optimization:
  • Tune SPF timers
  • Limit topology changes
  • Use incremental SPF

Growth Planning

Phase 1: Current State Analysis
  • Document current network size
  • Measure resource utilization
  • Identify bottlenecks
  • Assess performance metrics

Phase 2: Growth Modeling
  • Project network expansion
  • Model resource requirements
  • Identify scaling limits
  • Plan optimization points

Phase 3: Implementation Strategy
  • Design scalable architecture
  • Implement growth accommodations
  • Establish monitoring
  • Plan regular reviews

Security Best Practices

IS-IS Security Framework

IS-IS security involves multiple layers of protection, from basic authentication to comprehensive access control. A defense-in-depth approach provides the best protection against various threats.

Security Layers

Authentication Layer

Implement strong authentication to prevent unauthorized routers from joining the IS-IS domain.

Authentication Best Practices
# Use HMAC-MD5 authentication. On IOS this is configured with a key chain plus
# "authentication mode md5"; area-password, domain-password and "isis password"
# only support clear-text keys, so they are not used here.

# Key chain for rotation (send windows hand over on Dec 1, accept windows overlap by a month)
key chain ISIS-AUTH
 key 1
  key-string CurrentKey2024
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Dec 31 2024
  send-lifetime 00:00:00 Jan 1 2024 23:59:59 Nov 30 2024
 key 2
  key-string NextKey2025
  accept-lifetime 00:00:00 Nov 1 2024 infinite
  send-lifetime 00:00:00 Dec 1 2024 infinite

# LSP and SNP authentication for both levels
router isis
 authentication mode md5 level-1
 authentication mode md5 level-2
 authentication key-chain ISIS-AUTH level-1
 authentication key-chain ISIS-AUTH level-2

# Interface-specific (IIH) authentication
interface GigabitEthernet0/0
 isis authentication mode md5 level-1
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-AUTH level-1
 isis authentication key-chain ISIS-AUTH level-2
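An added Python check (my own code, not from the original page) that models a key chain like ISIS-AUTH above and reports instants at which rotation would break authentication between two routers sharing it: no key is inside its send-lifetime, or a key being sent falls outside the accept-lifetime a peer applies. A small clock-skew margin is assumed so that a sent key must also be accepted slightly before and after each probe instant.

```python
from datetime import datetime, timedelta

INFINITE = datetime.max


def key(kid, accept_start, accept_end, send_start, send_end):
    return {"id": kid, "accept": (accept_start, accept_end), "send": (send_start, send_end)}


# Constructed model of the ISIS-AUTH chain (not read from a device).
PAGE_CHAIN = [
    key(1, datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59, 59),
           datetime(2024, 1, 1), datetime(2024, 11, 30, 23, 59, 59)),
    key(2, datetime(2024, 11, 1), INFINITE,
           datetime(2024, 12, 1), INFINITE),
]
# Same chain but key 2 only starts sending in 2025: December 2024 has no send key.
GAP_CHAIN = [PAGE_CHAIN[0],
             key(2, datetime(2024, 11, 1), INFINITE, datetime(2025, 1, 1), INFINITE)]


def active(chain, window, when):
    """Keys whose <window> ('send' or 'accept') lifetime contains <when>."""
    return [k for k in chain if k[window][0] <= when <= k[window][1]]


def rotation_gaps(chain, probes, skew=timedelta(minutes=5)):
    """Return (instant, problem) pairs for every probe instant at which the
    chain cannot authenticate: nothing to send, or a sent key that a peer
    with up to <skew> of clock offset would not accept."""
    problems = []
    for when in probes:
        sending = active(chain, "send", when)
        if not sending:
            problems.append((when, "no send key"))
        for k in sending:
            for t in (when - skew, when + skew):
                if k not in active(chain, "accept", t):
                    problems.append((when, f"key {k['id']} sent but not accepted at {t}"))
                    break
    return problems


def daily_probes(start, days):
    """One probe per day starting at <start>, for scanning a rotation period."""
    return [start + timedelta(days=d) for d in range(days)]
```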

Access Control Layer

Control which routes are advertised and accepted to prevent routing attacks.

Route Filtering for Security
# Prevent private address advertisement
# ("le 32" makes each entry match every subnet of the block; without it an entry
#  matches only the exact /8, /12 or /16 and more-specific private routes slip through)
ip prefix-list DENY-PRIVATE seq 5 deny 10.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE seq 10 deny 172.16.0.0/12 le 32
ip prefix-list DENY-PRIVATE seq 15 deny 192.168.0.0/16 le 32
ip prefix-list DENY-PRIVATE seq 20 deny 0.0.0.0/0
ip prefix-list DENY-PRIVATE seq 100 permit 0.0.0.0/0 le 32

# Apply security filters
router isis
 distribute-list prefix DENY-PRIVATE out

# Limit redistribution (AUTHORIZED-NETWORKS is a prefix list of the networks
# this router is allowed to inject; define it before applying the route map)
route-map SECURE-REDIS permit 10
 match ip address prefix-list AUTHORIZED-NETWORKS
 set tag 65001

router isis
 redistribute connected route-map SECURE-REDIS
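An added Python model of Cisco-style prefix-list evaluation (my own code, not from the page) that shows the difference between deny entries with and without `le 32`: lowest sequence first, first match wins, implicit deny at the end, and an entry without ge/le matches only prefixes of exactly its own length. Both entry lists below are constructed to mirror DENY-PRIVATE.

```python
import ipaddress

# Entries as (seq, action, network, ge, le); None means the keyword is absent.
EXACT_ONLY = [
    (5, "deny", "10.0.0.0/8", None, None),
    (10, "deny", "172.16.0.0/12", None, None),
    (15, "deny", "192.168.0.0/16", None, None),
    (20, "deny", "0.0.0.0/0", None, None),
    (100, "permit", "0.0.0.0/0", None, 32),
]
DENY_PRIVATE = [
    (5, "deny", "10.0.0.0/8", None, 32),
    (10, "deny", "172.16.0.0/12", None, 32),
    (15, "deny", "192.168.0.0/16", None, 32),
    (20, "deny", "0.0.0.0/0", None, None),     # default route only
    (100, "permit", "0.0.0.0/0", None, 32),     # everything else
]


def prefix_list_matches(entries, prefix):
    """True if the prefix list permits <prefix>, False if it denies it."""
    target = ipaddress.ip_network(prefix)
    for seq, action, network, ge, le in sorted(entries, key=lambda e: e[0]):
        net = ipaddress.ip_network(network)
        if ge is None and le is None:
            lo = hi = net.prefixlen                 # exact length only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else net.max_prefixlen
        if target.subnet_of(net) and lo <= target.prefixlen <= hi:
            return action == "permit"
    return False                                    # implicit deny


def permitted(entries, prefixes):
    """Subset of <prefixes> the list would let through, in input order."""
    return [p for p in prefixes if prefix_list_matches(entries, p)]
```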

Monitoring Layer

Implement comprehensive monitoring to detect security events and anomalies.

What to Monitor:
  • Authentication failures
  • Unexpected adjacencies
  • Route table changes
  • LSP database modifications
  • Traffic anomalies

Monitoring Tools:
  • SNMP monitoring
  • Syslog analysis
  • Network management systems
  • Custom scripts
  • Flow analysis
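An added Python detector (my own code, not from the original page) that walks syslog lines in the style of IOS %CLNS messages and raises the alerts listed above: an adjacency coming up with a system outside an expected-neighbor baseline, a baseline neighbor going down, and a burst of authentication failures. The sample lines are constructed; exact message text varies by platform and release, so the regular expressions are assumptions to adjust to your logs.

```python
import re

# Constructed sample syslog excerpt (not a real capture).
SAMPLE_LOG = """\
Mar 10 10:01:02 core1 1234: %CLNS-5-ADJCHANGE: ISIS: Adjacency to edge1 (GigabitEthernet0/0) Up, new adjacency
Mar 10 10:01:03 core1 1235: %CLNS-5-ADJCHANGE: ISIS: Adjacency to edge2 (GigabitEthernet0/1) Up, new adjacency
Mar 10 10:05:44 core1 1240: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
Mar 10 10:05:45 core1 1241: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
Mar 10 10:06:30 core1 1246: %CLNS-5-ADJCHANGE: ISIS: Adjacency to edge2 (GigabitEthernet0/1) Down, hold time expired
Mar 10 10:07:10 core1 1250: %CLNS-5-ADJCHANGE: ISIS: Adjacency to lab-r9 (GigabitEthernet0/2) Up, new adjacency
"""

ADJ_RE = re.compile(r"%CLNS-5-ADJCHANGE: ISIS: Adjacency to (\S+) \((\S+)\) (Up|Down)")
AUTH_RE = re.compile(r"%CLNS-4-AUTH_FAIL")


def analyze(log_text, expected_neighbors, auth_fail_threshold=1):
    """Return alert strings in log order; the auth-failure summary comes last.

    expected_neighbors: baseline set of system names this router should peer with.
    auth_fail_threshold: number of AUTH_FAIL lines tolerated before alerting.
    """
    alerts = []
    auth_failures = 0
    for line in log_text.splitlines():
        m = ADJ_RE.search(line)
        if m:
            neighbor, intf, state = m.groups()
            if state == "Up" and neighbor not in expected_neighbors:
                alerts.append(f"unexpected adjacency {neighbor} on {intf}")
            elif state == "Down" and neighbor in expected_neighbors:
                alerts.append(f"baseline neighbor {neighbor} down on {intf}")
        elif AUTH_RE.search(line):
            auth_failures += 1
    if auth_failures > auth_fail_threshold:
        alerts.append(f"{auth_failures} authentication failures")
    return alerts
```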

Security Threats and Mitigations

Unauthorized Router Insertion

Threat: An attacker inserts a rogue router into the IS-IS domain

Impact: Route manipulation, traffic interception, network disruption

Mitigation:

  • Strong authentication on all levels
  • Physical security of network infrastructure
  • Regular adjacency monitoring
  • Network access control

Route Hijacking

Threat: Unauthorized advertisement of routes

Impact: Traffic redirection, service disruption, data interception

Mitigation:

  • Route filtering and validation
  • Route origin authentication
  • Network monitoring and alerting
  • Baseline route table monitoring

Denial of Service

Threat: Flooding attacks or resource exhaustion

Impact: Network instability, service outages, performance degradation

Mitigation:

  • Rate limiting and throttling
  • Resource monitoring and limits
  • Redundant network design
  • Traffic filtering and shaping

Security Hardening Checklist

Authentication
Access Control
Monitoring

Performance Optimization

IS-IS Performance Tuning

Optimizing IS-IS performance involves tuning various timers, controlling resource usage, and implementing features that improve convergence time and reduce overhead.

Key Performance Areas

Convergence Optimization

Reduce convergence time through timer optimization and fast failure detection.

Convergence Tuning
# SPF throttling: spf-interval <max-wait seconds> <initial-wait ms> <second-wait ms>
router isis
 spf-interval 5 50 200  # first SPF after 50 ms, next after 200 ms, doubling up to 5 s
 max-lsp-lifetime 900   # Reduce LSP lifetime (seconds)
 lsp-refresh-interval 600  # Reduce refresh interval (seconds; must stay below the lifetime)

# Fast Hello timers for critical links
interface GigabitEthernet0/0
 isis hello-interval 3
 isis hello-multiplier 3  # 9 second hold time

# BFD for subsecond failure detection
interface GigabitEthernet0/0
 isis bfd
 bfd interval 150 min_rx 150 multiplier 3  # 450 ms detection time

# LSP generation throttling (same argument order as spf-interval)
router isis
 lsp-gen-interval 5 50 200  # 50 ms initial, 200 ms second, doubling up to 5 s between LSP builds

Memory Optimization

Optimize memory usage through database management and route control.

Memory Management
# LSP lifetime in seconds: LSPs that are not refreshed age out of the database
router isis
 max-lsp-lifetime 1200
 
# Route summarization to reduce table size
router isis
 summary-address 192.168.0.0 255.255.0.0
 summary-address 172.16.0.0 255.240.0.0

# Limit redistribution
route-map LIMIT-ROUTES permit 10
 match ip address prefix-list ESSENTIAL-ROUTES
 set metric 100

router isis
 redistribute connected route-map LIMIT-ROUTES

CPU Optimization

Reduce CPU utilization through efficient processing and calculation limits.

CPU Management
# SPF calculation limits
router isis
 spf-interval 10 100 500  # 10 s max wait, 100 ms initial, 500 ms second wait: longer intervals for stability
 ispf  # Enable incremental SPF

# Hello padding reduction (on P2P links)
interface Serial0/0
 isis network point-to-point
 no isis hello padding

# LSP pacing
router isis
 lsp-refresh-interval 900  # Spread refresh load (must stay below max-lsp-lifetime, default 1200)

Bandwidth Optimization

Minimize protocol overhead through efficient packet handling and mesh groups.

Bandwidth Efficiency
# Mesh groups for full-mesh networks
interface Serial0/0
 isis mesh-group 100
interface Serial0/1
 isis mesh-group blocked

# Adjust CSNP intervals on LANs
interface GigabitEthernet0/0
 isis csnp-interval 30  # Reduce frequency

# LSP MTU optimization
router isis
 lsp-mtu 1497  # Ethernet default (1500 minus the 3-byte LLC header); never exceed the smallest link MTU in the area

Performance Monitoring

Key Metrics
# Monitor SPF performance
show isis spf-log
show isis spf-log detail

# Check memory usage
show isis database summary
show processes memory | include ISIS

# Monitor CPU utilization
show processes cpu | include ISIS
show processes cpu history

# Check neighbor stability
show isis neighbors detail
show isis interface detail

Performance Thresholds

Metric | Good | Warning | Critical | Action
--- | --- | --- | --- | ---
SPF Runtime | < 100ms | 100-500ms | > 500ms | Optimize topology/summarization
LSP Database Size | < 1000 LSPs | 1000-5000 LSPs | > 5000 LSPs | Implement summarization
Convergence Time | < 10s | 10-30s | > 30s | Tune timers, add BFD
Memory Usage | < 50MB | 50-100MB | > 100MB | Reduce database size

Performance Troubleshooting

Slow Convergence

Symptoms: Routes take a long time to appear after topology changes

Diagnosis Steps:

  1. Check SPF calculation times
  2. Verify timer configurations
  3. Examine LSP flooding efficiency
  4. Review network topology complexity

Solutions:

  • Tune SPF and LSP generation timers
  • Implement BFD for fast failure detection
  • Optimize network hierarchy
  • Use incremental SPF (iSPF)

High Memory Usage

Symptoms: Router memory consumption increasing over time

Diagnosis Steps:

  1. Monitor LSP database size growth
  2. Check route table size
  3. Examine redistribution sources
  4. Review summarization effectiveness

Solutions:

  • Implement route summarization
  • Limit redistribution scope
  • Use route filtering
  • Optimize area boundaries

Performance Best Practices Summary

  • Plan for Scale: Design network hierarchy to support growth
  • Monitor Regularly: Establish baseline metrics and track changes
  • Tune Gradually: Make incremental changes and measure impact
  • Test Thoroughly: Validate performance improvements in test environment
  • Document Changes: Maintain records of optimization configurations