How IS-IS Works: The Link-State IGP Behind ISP Backbones
Intermediate System to Intermediate System (IS-IS) is a link-state interior gateway protocol that routes IP traffic within a single autonomous system. Originally designed in the 1980s for the OSI protocol stack (CLNS/CLNP), IS-IS was extended to carry IP reachability information (RFC 1195, "Integrated IS-IS") and has become the IGP of choice for most large ISP backbones and hyperscaler networks. Unlike OSPF, which runs on top of IP, IS-IS runs directly on Layer 2 — it encapsulates its protocol data units (PDUs) in the Layer 2 frame, independent of the network layer. This architectural decision has made IS-IS easier to extend to new address families (IPv4, IPv6, MPLS Segment Routing) without protocol redesign.
IS-IS matters to BGP operators because it is the IGP that provides next-hop resolution and loopback reachability for iBGP sessions in most tier-1 and tier-2 ISP networks. When IS-IS converges after a link failure, BGP reconverges with it — the speed of IS-IS directly determines how quickly BGP routes re-resolve and traffic reroutes. IS-IS also carries the Segment Routing extensions that are increasingly replacing traditional MPLS signaling protocols.
CLNS Heritage and Protocol Architecture
IS-IS was standardized by ISO (ISO 10589) for routing CLNP (Connectionless Network Protocol) traffic in OSI networks. When the internet adopted IP in the 1990s, IS-IS was extended to carry IPv4 reachability information via Integrated IS-IS (RFC 1195), and later IPv6 reachability (RFC 5308). This CLNS heritage is still visible in several aspects of the protocol:
- NET (Network Entity Title): Every IS-IS router is identified by a NET, an OSI NSAP address that looks like 49.0001.1921.6800.1001.00. The format is: Area ID (variable length, e.g., 49.0001), System ID (6 bytes, often derived from a loopback IP like 192.168.1.1 → 1921.6800.1001), and NSEL (always 00 to indicate the router itself rather than a transport layer endpoint).
- Layer 2 operation: IS-IS PDUs are encapsulated directly in Layer 2 frames (e.g., IEEE 802.3 with DSAP/SSAP 0xFE FE) rather than in IP packets. This means IS-IS does not need IP connectivity to form adjacencies — it works even before any IP addresses are configured, which simplifies bootstrapping.
- System ID: The 6-byte System ID uniquely identifies each router within the IS-IS domain. It is analogous to the OSPF router ID but fixed-length, which simplifies PDU parsing.
Despite its OSI origins, modern IS-IS is used exclusively for IP routing. The CLNP routing capability is still present in the protocol specification but is effectively unused in production networks.
TLV-Based Extensibility
One of IS-IS's greatest architectural strengths is its Type-Length-Value (TLV) structure. Every piece of information carried in an IS-IS PDU — IP reachability, IPv6 prefixes, IS neighbor adjacencies, TE metrics, Segment Routing SIDs, Flexible Algorithm definitions — is encoded as a TLV. Each TLV has:
- Type: 1 byte identifying the information kind (e.g., Type 135 = Extended IP Reachability, Type 22 = Extended IS Reachability)
- Length: 1 byte specifying the value length (max 255 bytes per TLV, but TLVs can repeat)
- Value: Variable-length data
TLVs can contain sub-TLVs, enabling nested extensibility. For example, the Extended IS Reachability TLV (Type 22) carries sub-TLVs for TE metrics, administrative groups, available bandwidth, SRLGs, and Segment Routing adjacency SIDs.
This TLV architecture is the reason IS-IS has been extended so successfully over the past three decades. Adding support for a new feature (like Segment Routing or Flexible Algorithm) requires only defining a new TLV type and sub-TLV codes. Routers that do not understand a TLV simply ignore it and continue to flood the containing LSP, which enables incremental deployment. Compare this with OSPF, which required defining entirely new LSA types (and hence new flooding scopes) for each major extension.
IS-IS PDU Types
IS-IS uses three main PDU types, each serving a distinct role in the protocol's operation:
- IS-IS Hello (IIH): Discovers and maintains neighbor adjacencies. IIHs are sent periodically (default 10 seconds) on each IS-IS enabled interface. There are three subtypes: Level 1 LAN Hello, Level 2 LAN Hello (both sent on broadcast segments), and Point-to-Point Hello (sent on point-to-point links). IIHs carry the system ID, area address(es), supported protocols, interface metrics, and the list of neighbors seen on the segment.
- Link-State PDU (LSP): The core of the link-state database. Each router originates one or more LSPs (identified by LSP-ID: SystemID.PseudonodeID-FragmentNumber) containing TLVs that describe its links, IP reachability, and other attributes. LSPs are reliably flooded throughout the routing domain (within the appropriate level). Each LSP has a sequence number (32-bit, monotonically increasing), a remaining lifetime (default 1200 seconds, refreshed every 900 seconds), and a checksum for integrity.
- Sequence Number PDU (SNP): Used for LSDB synchronization. Complete SNPs (CSNPs) contain a summary of the entire LSDB and are sent periodically on broadcast segments by the DIS to keep all routers synchronized. Partial SNPs (PSNPs) request specific LSPs or acknowledge receipt of LSPs on point-to-point links.
Level 1 and Level 2 Routing
IS-IS uses a two-level hierarchy that is superficially similar to OSPF's area structure but differs in important ways:
- Level 1 (L1): Intra-area routing. L1 routers maintain a link-state database containing topology information for their local area only. For destinations outside the area, L1 routers use a default route pointing to the nearest L1/L2 router.
- Level 2 (L2): Inter-area (backbone) routing. L2 routers maintain a link-state database of the entire L2 backbone topology. All L2 routers form a contiguous backbone, analogous to OSPF Area 0.
- Level 1/2 (L1/L2): Routers at area boundaries participate in both L1 and L2. They maintain separate LSDBs for each level and perform route leaking between them. L1/L2 routers advertise a default route (via the Attached bit in their L1 LSP) to L1-only routers, directing inter-area traffic toward the backbone.
A critical difference from OSPF: IS-IS areas are defined per-link, not per-interface. Every link in IS-IS belongs to exactly one area, and area boundaries fall on the links between L1/L2 routers, not on the L1/L2 routers themselves. In OSPF, an ABR has interfaces in multiple areas and maintains separate LSDBs per area. In IS-IS, an L1/L2 router belongs to a single area but participates in both the L1 topology of its area and the L2 backbone topology. This subtle difference simplifies area design because moving a router between areas requires only changing its area address, not re-configuring its interfaces.
Route Leaking
By default, L1 routers reach destinations outside their area via a default route to the nearest L1/L2 router. This can lead to suboptimal routing when multiple L1/L2 exits exist and the L1 router cannot distinguish between them. Route leaking (also called route redistribution between levels) addresses this by selectively advertising L2 routes into the L1 LSDB. This gives L1 routers visibility into inter-area destinations and allows them to choose the optimal exit point. Route leaking must be done carefully with prefix filters to avoid overwhelming L1 routers with the full L2 routing table.
IS-IS Adjacency Formation
IS-IS adjacency formation is simpler than OSPF because the LSDB synchronization does not require the complex ExStart/Exchange/Loading states. IS-IS adjacency formation on point-to-point links uses a three-way handshake (RFC 5303):
- Router A sends an IIH with its system ID and adjacency state set to Initializing.
- Router B receives the IIH, adds Router A to its neighbor list, and responds with its own IIH containing Router A's system ID and adjacency state Initializing.
- Router A receives Router B's IIH, sees itself listed, and transitions to Up. It sends another IIH with state Up.
- Router B receives the Up IIH and also transitions to Up.
Once the adjacency is Up, LSDB synchronization happens through CSNP/PSNP exchange. Each side sends CSNPs listing all LSPs in its database. The other side compares the CSNP against its own LSDB and uses PSNPs to request any missing or newer LSPs. This is simpler and more robust than OSPF's DBD-based exchange.
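The CSNP comparison described above, as an added example that is not part of the original article. It assumes the CSNP covers the whole LSP-ID range and reduces each database to a map of LSP-ID to sequence number; the function names and sample values are hypothetical. It also shows the other direction of the comparison: LSPs the neighbor has stale or missing are flooded to it.

```python
def lsp_id(system_id, pseudonode=0, fragment=0):
    """Format an LSP-ID as SystemID.PseudonodeID-FragmentNumber."""
    return f"{system_id}.{pseudonode:02x}-{fragment:02x}"


def process_csnp(local_lsdb, csnp):
    """Compare a received CSNP with the local LSDB.

    Both arguments map LSP-ID -> sequence number. Returns two sorted lists:
    LSP-IDs to request with a PSNP, and LSP-IDs to flood to the neighbor.
    """
    request, flood = [], []
    for lid, their_seq in csnp.items():
        our_seq = local_lsdb.get(lid)
        if our_seq is None or our_seq < their_seq:
            request.append(lid)      # missing or older here: ask for it
        elif our_seq > their_seq:
            flood.append(lid)        # neighbor's copy is stale: send ours
    # LSPs the neighbor did not list at all are unknown to it.
    flood.extend(lid for lid in local_lsdb if lid not in csnp)
    return sorted(request), sorted(flood)


# Constructed sample databases (system IDs and sequence numbers are made up).
R1, R2, R3, R4 = (f"1921.6800.100{n}" for n in range(1, 5))
LOCAL = {
    lsp_id(R1): 0x2A,
    lsp_id(R1, pseudonode=1): 0x03,   # pseudonode LSP the neighbor lacks
    lsp_id(R2): 0x10,                 # older than the neighbor's copy
    lsp_id(R3): 0x07,                 # newer than the neighbor's copy
}
CSNP = {lsp_id(R1): 0x2A, lsp_id(R2): 0x11, lsp_id(R3): 0x05, lsp_id(R4): 0x01}

if __name__ == "__main__":
    to_request, to_flood = process_csnp(LOCAL, CSNP)
    print("request via PSNP:", to_request)
    print("flood to neighbor:", to_flood)
```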
Designated Intermediate System (DIS)
On broadcast (LAN) segments, IS-IS elects a Designated Intermediate System (DIS), which is analogous to OSPF's Designated Router but with important differences:
- There is no backup DIS (unlike OSPF's BDR). If the DIS fails, a new election happens immediately.
- DIS election is preemptive: if a router with a higher priority joins the segment, it becomes the DIS immediately. In OSPF, DR election is non-preemptive.
- All routers on the segment form adjacencies with all other routers, not just with the DIS. The DIS's role is limited to originating the Pseudonode LSP (representing the LAN segment as a virtual node) and periodically sending CSNPs for LSDB synchronization.
- DIS election is based on highest priority (0-127, default 64), with highest MAC address as tiebreaker.
- The DIS sends IIH packets at one-third the normal interval (default: every 3.3 seconds instead of 10 seconds) to enable fast detection of DIS failure.
IS-IS Metrics
IS-IS originally defined a narrow metric with a maximum value of 63 per link and 1023 per path. This was quickly found to be inadequate for modern networks. RFC 3784 introduced wide metrics, which support up to 2^24 - 1 (16,777,215) per link and 2^32 - 1 (4,294,967,295) per path. Wide metrics are carried in the Extended IS Reachability (TLV 22) and Extended IP Reachability (TLV 135) TLVs.
All modern IS-IS deployments use wide metrics exclusively. The narrow metric TLVs (Type 2 for IS neighbors, Type 128/130 for IP reachability) are deprecated but may still appear in very old configurations.
Like OSPF, IS-IS metric assignment is typically derived from interface bandwidth. A common formula is reference_bandwidth / interface_bandwidth, with the reference set high enough (e.g., 1 Tbps) to differentiate between 10G, 100G, and 400G links.
IS-IS vs. OSPF: Why ISPs Choose IS-IS
Both IS-IS and OSPF are link-state protocols running Dijkstra's SPF algorithm. They solve the same problem and produce equivalent results in terms of shortest-path computation. However, IS-IS has won the IGP battle in large ISP networks for several reasons:
- TLV extensibility: Adding new features to IS-IS requires only new TLV definitions. OSPF extensions often require new LSA types, which can affect flooding behavior and require more significant code changes. IS-IS's TLV architecture made it easier to add Segment Routing, IPv6, and traffic engineering extensions.
- Simpler flooding: IS-IS floods LSPs as opaque containers — a router does not need to understand every TLV to flood the LSP correctly. OSPF flooding behavior depends on the LSA type (area scope, AS scope, link-local scope), and new LSA types require routers to understand the scoping rules.
- Layer 2 independence: IS-IS runs directly on Layer 2, so it does not depend on IP for its operation. An IS-IS adjacency can form even if no IP addresses are configured. OSPF requires IP connectivity to the neighbor to form an adjacency.
- Stability at scale: IS-IS has been proven at scale in the largest ISP backbones (AT&T, NTT, Level 3/Lumen, and many others have used IS-IS for decades). While OSPF can also scale well with proper area design, IS-IS has a longer track record in these environments.
- Fewer area design constraints: IS-IS does not have the rigid Area 0 backbone requirement that OSPF has. The L2 backbone is simply the set of all L2-capable routers, and there is no equivalent of OSPF's virtual link workaround for non-contiguous backbone areas.
- Multi-topology support: IS-IS multi-topology (RFC 5120) allows separate topologies for IPv4 and IPv6, enabling operators to run different path computations for each address family. While OSPF supports address families in OSPFv3, IS-IS's approach is more operationally flexible.
OSPF remains dominant in enterprise networks, where its rich feature set (NSSA areas, stub areas, per-interface area assignment) and wider vendor documentation make it more accessible. The "IS-IS for ISPs, OSPF for enterprises" guideline, while not absolute, reflects real deployment patterns.
IS-IS and MPLS Segment Routing
IS-IS has become the preferred IGP for MPLS Segment Routing deployments. SR extensions for IS-IS (RFC 8667) define TLVs and sub-TLVs that carry:
- SR Capability sub-TLV: Advertises the router's Segment Routing Global Block (SRGB) — the range of MPLS labels reserved for SR prefix SIDs. Carried in the Router Capability TLV (Type 242).
- Prefix SID sub-TLV: Associates a SID (Segment Identifier) index with an IP prefix, typically a loopback address. Other routers compute the MPLS label for this prefix as SRGB_base + SID_index. Carried as a sub-TLV of Extended IP Reachability (TLV 135) or IPv6 Reachability (TLV 236).
- Adjacency SID sub-TLV: Associates a SID with a specific adjacency (link), enabling traffic to be steered onto a specific link. Carried as a sub-TLV of Extended IS Reachability (TLV 22).
- Flexible Algorithm Definition sub-TLV: Defines alternative path computation algorithms with specific constraints (e.g., minimize latency instead of IGP metric, or restrict to links with specific affinities). Enables multiple parallel routing topologies computed by the same IGP instance.
IS-IS Segment Routing eliminates the need for LDP and RSVP-TE signaling in most use cases, dramatically simplifying the MPLS control plane. The IGP alone distributes all label information needed for forwarding.
IS-IS Convergence
IS-IS convergence follows the same general pattern as other link-state protocols: detect failure, generate LSP, flood LSP, run SPF, update RIB/FIB. Key tuning parameters include:
- Hello interval and hold time: Default 10 seconds and 30 seconds respectively. BFD (Bidirectional Forwarding Detection) provides sub-50ms failure detection as a supplement.
- LSP generation interval: Throttled with initial/hold/max timers (e.g., 50ms / 200ms / 5s) to prevent CPU spikes from rapid topology changes.
- SPF computation interval: Also throttled (e.g., 50ms / 200ms / 5s). Modern implementations support incremental SPF (iSPF) that recomputes only the affected portion of the shortest-path tree rather than rerunning the full algorithm.
- Partial Route Computation (PRC): When only reachability information changes (e.g., a prefix is added or removed) without topology change, IS-IS can update routes without a full SPF computation. PRC is faster than SPF because it skips the tree computation step.
With BFD and aggressive timers, IS-IS networks routinely achieve sub-100ms failover for single link failures. Topology-Independent Loop-Free Alternate (TI-LFA), computed by IS-IS SR extensions, provides pre-computed backup paths that activate immediately when BFD detects a failure, achieving near-zero packet loss.
IS-IS Overload Bit
IS-IS provides a mechanism called the Overload Bit (OL bit) that a router can set in its LSP to signal that it should not be used for transit traffic. When a router sets the OL bit, other routers will compute paths that avoid it (except for destinations directly connected to the overloaded router). Use cases include:
- Graceful maintenance: Before taking a router offline for maintenance, set the OL bit to drain transit traffic. Wait for convergence, then perform maintenance.
- Startup delay: Set the OL bit during boot until the router has fully converged and populated its FIB. This prevents black-holing traffic through a router that is not yet ready to forward.
- Memory exhaustion: If a router runs low on memory and cannot maintain the full LSDB, it sets the OL bit to signal that its routing information may be incomplete.
OSPF has an equivalent mechanism called the "max metric" (RFC 6987), where a router advertises all its links with the maximum metric value (0xFFFF) to make itself undesirable as a transit router.
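The overload-bit behaviour described above, as an added example (not code from the original article): a Dijkstra run in which an overloaded router stays reachable as a destination but is never expanded as transit. The topology, metrics and function names are constructed for illustration; the last case shows that a router whose only path runs through the drained node becomes unreachable.

```python
import heapq


def spf(graph, overloaded, source):
    """Dijkstra over {node: {neighbor: metric}}; overloaded nodes act as leaves."""
    dist, prev, done = {source: 0}, {}, set()
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node in overloaded and node != source:
            continue  # reachable as a destination, never used for transit
        for nbr, metric in graph[node].items():
            nd = d + metric
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], prev[nbr] = nd, node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev


def path(prev, source, dest):
    """Rebuild the hop list from the predecessor map returned by spf()."""
    hops = [dest]
    while hops[-1] != source:
        hops.append(prev[hops[-1]])
    return hops[::-1]


# Constructed topology with symmetric link metrics. E hangs off B only.
GRAPH = {
    "A": {"B": 10, "C": 10},
    "B": {"A": 10, "D": 10, "E": 10},
    "C": {"A": 10, "D": 30},
    "D": {"B": 10, "C": 30},
    "E": {"B": 10},
}

if __name__ == "__main__":
    for ol in (set(), {"B"}):
        dist, prev = spf(GRAPH, ol, "A")
        print("overloaded:", sorted(ol), "A->D:", path(prev, "A", "D"), dist["D"])
        print("  E reachable:", "E" in dist)
```

Before setting the OL bit for maintenance, running the same computation against the live topology shows which nodes depend on the router as their only transit path.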
IS-IS Authentication
IS-IS supports authentication at multiple levels:
- IIH authentication: Protects Hello packets on each interface. Prevents unauthorized routers from forming adjacencies.
- LSP authentication: Protects the integrity of LSPs in the LSDB. All routers in the domain must share the authentication key.
- SNP authentication: Protects CSNP and PSNP packets used for LSDB synchronization.
Authentication methods include plaintext passwords (TLV Type 10, insecure) and HMAC-MD5 (RFC 5304). RFC 5310 added support for generic cryptographic authentication, enabling SHA-based HMAC algorithms for stronger security. Key chains with hitless key rollover allow changing authentication keys without disrupting adjacencies.
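An added example, not code from the original article, that ties the TLV structure from the TLV-Based Extensibility section to the HMAC-MD5 method above: a bounds-checked TLV walk that skips types it does not decode, then verifies the RFC 5304 Authentication TLV. The hello PDU, key and function names are constructed for illustration, and rejecting a PDU with zero or several Authentication TLVs is this example's own policy.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10         # Authentication Information TLV
AUTH_HMAC_MD5 = 54    # authentication type defined by RFC 5304
P2P_IIH_HDR_LEN = 20  # 8-byte common header + 12-byte point-to-point hello header


def walk_tlvs(pdu, start):
    """Yield (type, value_offset, length); raise ValueError on a truncated TLV."""
    i = start
    while i < len(pdu):
        if i + 2 > len(pdu) or i + 2 + pdu[i + 1] > len(pdu):
            raise ValueError(f"truncated TLV at offset {i}")
        yield pdu[i], i + 2, pdu[i + 1]
        i += 2 + pdu[i + 1]


def verify_hmac_md5(pdu, key, start=P2P_IIH_HDR_LEN):
    """True only if the PDU carries exactly one valid HMAC-MD5 Authentication TLV."""
    auth = [(off, ln) for t, off, ln in walk_tlvs(pdu, start) if t == AUTH_TLV]
    if len(auth) != 1:                      # example policy: none or several -> reject
        return False
    off, ln = auth[0]
    if ln != 17 or pdu[off] != AUTH_HMAC_MD5:
        return False                        # plaintext or another auth type
    # RFC 5304: the digest covers the whole PDU with the 16-byte value zeroed.
    zeroed = pdu[:off + 1] + bytes(16) + pdu[off + 17:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pdu[off + 1:off + 17], expected)


def build_signed_hello(key):
    """Constructed point-to-point hello: Area Address TLV, an undecoded TLV, TLV 10."""
    tlvs = bytes([1, 4, 3, 0x49, 0x00, 0x01])         # TLV 1: area 49.0001
    tlvs += bytes([250, 2, 0xAA, 0xBB])               # type this code does not decode
    tlvs += bytes([AUTH_TLV, 17, AUTH_HMAC_MD5]) + bytes(16)
    hdr = bytes([0x83, 20, 1, 0, 17, 1, 0, 0, 0x02])  # common header, circuit type
    hdr += bytes.fromhex("192168001001")              # System ID 1921.6800.1001
    hdr += struct.pack("!HHB", 30, P2P_IIH_HDR_LEN + len(tlvs), 1)
    pdu = hdr + tlvs
    return pdu[:-16] + hmac.new(key, pdu, hashlib.md5).digest()


if __name__ == "__main__":
    hello = build_signed_hello(b"constructed-key")
    print("valid key:", verify_hmac_md5(hello, b"constructed-key"))
    print("wrong key:", verify_hmac_md5(hello, b"other-key"))
```

For LSPs, RFC 5304 additionally sets the Checksum and Remaining Lifetime fields to zero before the digest is computed; this example covers hellos only.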
Multi-Instance IS-IS
RFC 6822 defines Multi-Instance IS-IS, which allows multiple independent IS-IS instances to run on the same set of links. Each instance has a unique Instance ID (IID) and maintains separate adjacencies and LSDBs. Use cases include running separate routing instances for different tenants in a shared infrastructure, or running a production instance alongside a test instance for validation.
Multi-Instance IS-IS is distinct from multi-topology IS-IS (RFC 5120), which runs a single instance with multiple topology-specific TLVs. Multi-instance provides complete isolation, while multi-topology shares adjacencies but computes separate paths for different address families or traffic classes.
Deploying IS-IS for a BGP Network
For a network running BGP as the inter-domain routing protocol, the IS-IS deployment strategy is straightforward:
- Run IS-IS as the IGP to advertise only infrastructure prefixes: router loopbacks and point-to-point link addresses.
- Keep the IS-IS topology small — tens to hundreds of prefixes, not thousands. Customer and internet routes stay in BGP.
- Use L2-only routing unless the network is large enough to benefit from L1/L2 hierarchy. Many ISP backbones run entirely as L2.
- Enable Segment Routing extensions to distribute MPLS labels via the IGP, eliminating LDP.
- Enable BFD on all IS-IS adjacencies for fast failure detection.
- Configure TI-LFA for pre-computed backup paths.
- Use wide metrics with a high reference bandwidth (e.g., 1 Tbps or 10 Tbps).
See BGP Routes in Action
IS-IS provides the internal routing foundation that makes BGP work within an autonomous system. The routes you see in the global BGP table are carried across ISP backbones running IS-IS as their IGP. To explore live BGP routing data — AS paths, prefix origins, and the inter-domain routing that runs on top of IS-IS — use the god.ad BGP Looking Glass.