IS-IS Protocol Analysis
Protocol-reasoning-driven analysis skill for IS-IS adjacency formation, LSPDB
integrity, level 1/2 routing, and NET address validation. Unlike device health
checks that compare counters against thresholds, IS-IS analysis requires
interpreting adjacency state machines, validating NET addressing, verifying DIS
election, and assessing LSP flooding across the link-state domain.
Commands are labeled [Cisco], [JunOS], or [EOS] where syntax
diverges. Unlabeled statements apply to all three vendors.
When to Use
- - IS-IS adjacency not forming or stuck in Init state
- Unexpected route changes or missing routes in the IS-IS domain
- Level 1/2 boundary issues — suboptimal routing, missing L1 default, route
leaking not working as intended
- - LSPDB inconsistency — LSP count mismatch between neighbors, unexpected purges,
sequence number anomalies
- - NET address conflict or system ID duplication causing LSP wars
- Post-change verification of IS-IS configuration (new interfaces, area changes,
metric style migration, authentication rollout)
- - DIS election not converging on broadcast segments
Prerequisites
- - SSH or console access to the router (read-only privilege sufficient)
- IS-IS process running on the device with at least one active interface
- Knowledge of expected level topology: which routers are L1-only, L2-only, or
L1/L2, and which areas (area addresses) are in use
- - System IDs and NETs known or documented — NET format is
AFI.areaID.systemID.NSEL (e.g.,
49.0001.1921.6800.1001.00)
- - Awareness of configured authentication per level and interface (none, MD5,
HMAC-SHA)
Procedure
Follow this diagnostic flow sequentially. Each step builds on data from
prior steps, moving from broad inventory to targeted diagnosis.
Step 1: IS-IS Instance and Interface Inventory
Verify IS-IS is running and confirm which interfaces participate at each level.
[Cisco]
�CODEBLOCK0
[JunOS]
�CODEBLOCK1
[EOS]
�CODEBLOCK2
Record each interface: level enablement (L1, L2, or L1/L2), circuit type
(point-to-point or broadcast), metric, hello interval, and hold time. Compare
against expected design — every interface that should participate must appear.
An interface missing from output means IS-IS is not enabled on it (missing
under the IS-IS router config or interface config). Verify the NET address with
show isis protocol (Cisco), show isis overview (JunOS), or
show isis summary (EOS) — the NET must be correctly formed and unique.
Step 2: Adjacency Assessment
List all IS-IS adjacencies and interpret their state.
[Cisco]
�CODEBLOCK3
[JunOS]
�CODEBLOCK4
[EOS]
�CODEBLOCK5
Compare the neighbor list against expected topology. For each adjacency, verify:
- - State: Up is healthy; Init means one-way (hellos received but this
router's SNPA/system ID not in the neighbor's hello). Down means no hellos
received.
- - Level match: L1 neighbors must share at least one area address. L2
neighbors can be in different areas — only system ID uniqueness is required.
An L1-only router will not form L2 adjacency with an L2-only router.
- - Circuit type: On broadcast segments, check DIS (Designated Intermediate
System) election. Unlike OSPF DR/BDR, IS-IS DIS election is preemptive — a
new router with higher priority takes over immediately.
- - DIS status: On broadcast segments, identify which router is DIS for each
level. DIS sends CSNPs every 10 seconds and creates the pseudonode LSP.
Step 3: NET Address Validation
Verify NET format and system ID uniqueness across the domain.
[Cisco]
�CODEBLOCK6
[JunOS]
�CODEBLOCK7
[EOS]
�CODEBLOCK8
Validate NET structure:
- - AFI (Authority and Format Identifier): Typically
49 for private IS-IS
domains. Must be consistent within the domain.
- - Area ID: Variable length. All L1 neighbors must share at least one area
address to form L1 adjacency. L1/L2 and L2-only routers can have different
area addresses and still form L2 adjacency.
- - System ID: 6 bytes, must be globally unique within the IS-IS domain.
Duplicate system IDs cause LSP wars — both routers originate LSPs with the
same system ID but different content, causing continuous purge/regenerate
cycles.
- - NSEL (N-Selector): Must be
00 for the router itself. A non-zero NSEL
identifies an upper-layer protocol endpoint, not the router.
Step 4: LSPDB Analysis
Examine the Link-State Protocol Data Unit database for integrity.
[Cisco]
�CODEBLOCK9
[JunOS]
�CODEBLOCK10
[EOS]
�CODEBLOCK11
Assess LSPDB health:
- - LSP count: Compare across neighbors in the same level — counts must match
(LSPDB synchronization invariant). A mismatch indicates flooding failure or
partition.
- - Remaining lifetime: Default maximum is 1200 seconds. Originating routers
refresh at 900 seconds (default). An LSP with lifetime near 0 that is not
refreshed indicates the originator is unreachable. Lifetime at 0 means the
LSP is being purged.
- - Sequence numbers: Must increase monotonically. If the same system ID's
LSP sequence number jumps backward, a router has restarted and is re-
originating from a lower sequence number — or there is a system ID conflict.
- - LSP purges: An LSP with remaining lifetime of 0 and empty TLV content is
a purge. Frequent purges for the same system ID indicate instability — either
the originator is flapping or two routers share the system ID (LSP war).
- - Overload bit (OL): If set, SPF will not use this router for transit
traffic. Check whether OL is intentional (maintenance, startup delay) or
indicates a problem (memory exhaustion).
Step 5: Level 1/2 Routing and Route Leaking
Verify inter-level routing behavior at L1/L2 boundaries.
[Cisco]
�CODEBLOCK12
[JunOS]
�CODEBLOCK13
[EOS]
�CODEBLOCK14
Validate inter-level behavior:
- - L1→L2 redistribution: L1/L2 routers automatically redistribute L1 routes
into L2 by default. Verify L1 prefixes appear in the L2 LSPDB. If missing,
check for redistribution filters or route policies on the L1/L2 router.
- - L2→L1 route leaking: Not automatic — requires explicit configuration.
If configured, verify leaked L2 routes appear in the L1 RIB. Missing leaked
routes indicate policy misconfiguration or the leak filter is too restrictive.
- - Attached bit: L1/L2 routers set the Attached bit in their L1 LSP. L1-only
routers use this to install a default route toward the nearest L1/L2 router.
If no L1/L2 router has the Attached bit set, L1-only routers have no path
out of the area. Verify with LSPDB detail — check the ATT flag on L1/L2
router LSPs.
- - Suboptimal routing: L1-only routers always route toward the nearest
L1/L2 router (default route). If there are multiple L1/L2 exit points,
traffic may take a suboptimal path. Route leaking L2→L1 with specific
prefixes fixes this by giving L1 routers more specific routing information.
Threshold Tables
Operational parameter norms for IS-IS — protocol-level expectations by network
type and deployment scale.
Hello and Hold Timer Defaults:
| Parameter | Cisco Default | JunOS Default | EOS Default | Notes |
|---|
| Hello (broadcast) | 10s | 9s | 10s | Per-level configurable |
| Hello (P2P) |
10s | 9s | 10s | Per-level configurable |
| Hold multiplier | 3× hello | 3× hello | 3× hello | Dead = hello × multiplier |
| CSNP interval (DIS) | 10s | 10s | 10s | Only DIS sends CSNPs |
| PSNP interval | 2s | 2s | 2s | Request missing LSPs |
LSPDB Norms:
| Parameter | Normal | Warning | Critical |
|---|
| LSP max lifetime | 1200s | — | — |
| LSP refresh |
900s | Missed refresh | Lifetime < 300s |
| LSP remaining lifetime | 300–1200s | 60–300s | < 60s (near purge) |
| LSP purge rate | 0/hour | 1–5/hour | > 5/hour |
| LSPDB mismatch (neighbors) | 0 LSP diff | 1–3 diff | > 3 diff |
| Overload bit | Clear | Set (intentional) | Set (unintentional) |
SPF Norms:
| Parameter | Normal | Warning | Critical |
|---|
| SPF runs (per hour) | 1–5 | 6–20 | > 20 |
| SPF initial delay |
50–200ms | < 50ms | > 5000ms |
| SPF max hold | 5000–10000ms | < 2000ms | > 50000ms |
| Convergence (single link) | < 1s | 1–5s | > 10s |
Metric Norms:
| Metric Style | Range | Notes |
|---|
| Narrow (original) | 1–63 per link | 10-bit path metric max (1023) |
| Wide (extended) |
1–16777215 per link | 32-bit path metric — preferred |
| Transition | Both | During narrow→wide migration |
Decision Trees
Adjacency Not Forming
CODEBLOCK15
LSPDB Inconsistency
CODEBLOCK16
Report Template
CODEBLOCK17
Troubleshooting
System ID Conflict (LSP War)
Two routers with the same system ID cause an LSP war — each router originates
an LSP with the same system ID but different content. Each purges the other's
LSP and regenerates its own, creating continuous churn. Symptoms: rapidly
incrementing sequence numbers, frequent purge events, unstable routing.
Detect by checking for the same system ID with two different SNPAs or source
addresses in adjacency tables. Fix: assign unique system IDs.
Area Mismatch Preventing L1 Adjacency
L1 adjacency requires at least one matching area address in the NET. If two
routers have different area addresses and are both L1-only, no adjacency forms.
L1/L2 routers with different areas can still form L2 adjacency but not L1.
Verify area addresses on both sides. Fix: correct the area address or change
one router to L2-only if inter-area routing is the goal.
Metric Style Mismatch (Narrow vs Wide)
A router using narrow metrics (1–63) and a neighbor using wide metrics
(1–16777215) may form adjacency but routes may not compute correctly if one
side cannot interpret the other's TLVs. During migration, configure both sides
for transition mode (advertise both narrow and wide TLVs). Verify with LSPDB
detail — check for both old-style and extended IP reachability TLVs.
Authentication Mismatch
IS-IS supports per-level and per-interface authentication. A mismatch prevents
adjacency formation (hellos rejected) or LSP flooding (LSPs rejected). Unlike
OSPF where auth mismatch stops hellos, IS-IS can have adjacency up but LSP
flooding blocked if hello auth succeeds but LSP auth fails. Check auth config
at both hello and LSP levels independently.
LSPDB Overload from Excessive Redistribution
Redistributing large external route tables into IS-IS generates many LSPs,
increasing LSPDB size, SPF computation time, and flooding overhead. Use route
policies to limit redistribution scope. Consider setting the overload bit on
non-transit routers that cannot handle the full LSPDB. Monitor LSP fragment
count — each router can originate up to 256 LSP fragments (0–255).
IS-IS协议分析
基于协议推理的IS-IS邻接建立、LSPDB完整性、Level 1/2路由和NET地址验证分析技能。与通过阈值比较计数器进行设备健康检查不同,IS-IS分析需要解读邻接状态机、验证NET地址、确认DIS选举以及评估链路状态域中的LSP泛洪。
命令在语法差异处标注为[Cisco]、[JunOS]或[EOS]。未标注的语句适用于所有三家厂商。
使用场景
- - IS-IS邻接无法建立或卡在Init状态
- IS-IS域中出现意外路由变更或路由缺失
- Level 1/2边界问题——次优路由、缺少L1默认路由、路由泄露未按预期工作
- LSPDB不一致——邻居间LSP计数不匹配、意外清除、序列号异常
- NET地址冲突或系统ID重复导致LSP战争
- IS-IS配置变更后验证(新接口、区域变更、度量样式迁移、认证部署)
- 广播网段上DIS选举无法收敛
前置条件
- - 路由器的SSH或控制台访问权限(只读权限足够)
- 设备上运行IS-IS进程且至少有一个活跃接口
- 了解预期的层级拓扑:哪些路由器是L1-only、L2-only或L1/L2,以及使用哪些区域(区域地址)
- 已知或已记录的系统ID和NET——NET格式为AFI.areaID.systemID.NSEL(例如49.0001.1921.6800.1001.00)
- 了解每个层级和接口配置的认证方式(无、MD5、HMAC-SHA)
操作步骤
按顺序执行以下诊断流程。每一步都基于前一步的数据,从广泛清单逐步过渡到针对性诊断。
步骤1:IS-IS实例和接口清单
验证IS-IS正在运行,并确认哪些接口参与每个层级。
[Cisco]
show isis interface brief
[JunOS]
show isis interface
[EOS]
show isis interface brief
记录每个接口:层级启用状态(L1、L2或L1/L2)、电路类型(点对点或广播)、度量、Hello间隔和保持时间。与预期设计对比——每个应参与的接口都必须出现。输出中缺少接口意味着IS-IS未在该接口上启用(IS-IS路由器配置或接口配置中缺失)。使用show isis protocol(Cisco)、show isis overview(JunOS)或show isis summary(EOS)验证NET地址——NET必须格式正确且唯一。
步骤2:邻接评估
列出所有IS-IS邻接并解读其状态。
[Cisco]
show isis neighbors
[JunOS]
show isis adjacency
[EOS]
show isis neighbors
将邻居列表与预期拓扑对比。对于每个邻接,验证:
- - 状态: Up表示健康;Init表示单向(收到Hello但本路由器的SNPA/系统ID不在邻居的Hello中)。Down表示未收到Hello。
- 层级匹配: L1邻居必须共享至少一个区域地址。L2邻居可以位于不同区域——仅需系统ID唯一。L1-only路由器不会与L2-only路由器形成L2邻接。
- 电路类型: 在广播网段上,检查DIS(指定中间系统)选举。与OSPF的DR/BDR不同,IS-IS的DIS选举是抢占式的——具有更高优先级的新路由器会立即接管。
- DIS状态: 在广播网段上,识别每个层级的DIS路由器。DIS每10秒发送CSNP并创建伪节点LSP。
步骤3:NET地址验证
验证NET格式和系统ID在整个域中的唯一性。
[Cisco]
show isis protocol | include NET|System
[JunOS]
show isis overview | match NET|System
[EOS]
show isis summary | include NET|System
验证NET结构:
- - AFI(权限和格式标识符): 私有IS-IS域通常为49。必须在域内保持一致。
- 区域ID: 可变长度。所有L1邻居必须共享至少一个区域地址才能形成L1邻接。L1/L2和L2-only路由器可以有不同的区域地址,仍能形成L2邻接。
- 系统ID: 6字节,必须在IS-IS域内全局唯一。重复的系统ID会导致LSP战争——两台路由器以相同系统ID但不同内容发起LSP,导致持续清除/重新生成循环。
- NSEL(N选择器): 路由器本身必须为00。非零NSEL标识上层协议端点,而非路由器。
步骤4:LSPDB分析
检查链路状态协议数据单元数据库的完整性。
[Cisco]
show isis database detail | include LSP|Lifetime|Sequence
[JunOS]
show isis database extensive | match LSP|Lifetime|Sequence
[EOS]
show isis database detail | include LSP|Lifetime|Sequence
评估LSPDB健康状态:
- - LSP计数: 与同一层级的邻居对比——计数必须匹配(LSPDB同步不变性)。不匹配表明泛洪失败或分区。
- 剩余生存时间: 默认最大值为1200秒。发起路由器在900秒(默认)时刷新。生存时间接近0且未刷新的LSP表明发起者不可达。生存时间为0表示LSP正在被清除。
- 序列号: 必须单调递增。如果同一系统ID的LSP序列号向后跳变,说明路由器已重启并从较低序列号重新发起——或者存在系统ID冲突。
- LSP清除: 剩余生存时间为0且TLV内容为空的LSP是清除操作。同一系统ID频繁清除表明不稳定——要么发起者震荡,要么两台路由器共享系统ID(LSP战争)。
- 过载位(OL): 如果设置,SPF将不使用此路由器进行中转流量。检查OL是故意的(维护、启动延迟)还是表明存在问题(内存耗尽)。
步骤5:Level 1/2路由和路由泄露
验证L1/L2边界处的层级间路由行为。
[Cisco]
show isis rib | include L1|L2|leak
[JunOS]
show isis route | match L1|L2|leak
[EOS]
show isis route | include L1|L2|leak
验证层级间行为:
- - L1→L2重分发: L1/L2路由器默认自动将L1路由重分发到L2。验证L1前缀出现在L2 LSPDB中。如果缺失,检查L1/L2路由器上的重分发过滤或路由策略。
- L2→L1路由泄露: 非自动——需要显式配置。如果已配置,验证泄露的L2路由出现在L1 RIB中。泄露路由缺失表明策略配置错误或泄露过滤器过于严格。
- 附加位: L1/L2路由器在其L1 LSP中设置附加位。L1-only路由器使用此位向最近的L1/L2路由器安装默认路由。如果没有L1/L2路由器设置附加位,L1-only路由器将没有离开区域的路径。使用LSPDB详细信息验证——检查L1/L2路由器LSP上的ATT标志。
- 次优路由: L1-only路由器始终向最近的L1/L2路由器路由(默认路由)。如果有多个L1/L2出口点,流量可能走次优路径。通过使用特定前缀进行L2→L1路由泄露,为L1路由器提供更具体的路由信息来解决此问题。
阈值表
IS-IS的操作参数规范——按网络类型和部署规模的协议级预期。
Hello和保持计时器默认值:
| 参数 | Cisco默认值 | JunOS默认值 | EOS默认值 | 备注 |
|---|
| Hello(广播) | 10秒 | 9秒 | 10秒 | 按层级可配置 |
| Hello(P2P) |
10秒 | 9秒 | 10秒 | 按层级可配置 |
| 保持乘数 | 3×Hello | 3×Hello | 3×Hello | 死亡时间 = Hello × 乘数 |
| CSNP间隔(DIS) | 10秒 | 10秒 | 10秒 | 仅DIS发送CSNP |
| PSNP间隔 | 2秒 | 2秒 | 2秒 | 请求缺失的LSP |
LSPDB规范:
| 参数 | 正常 | 警告 | 严重 |
|---|
| LSP最大生存时间 | 1200秒 | — | — |
| LSP刷新 |
900秒 | 错过刷新 | 生存时间 < 300秒 |
| LSP剩余生存时间 | 300–1200秒 | 60–300秒 | < 60秒(接近
