ISIS Multi-Topology Exposed: The Routing Secret That Could Save Your Network from Catastrophic Failure

Introduction:

IS-IS (Intermediate System to Intermediate System) is a powerful link-state routing protocol commonly used in large service provider and data center networks. Multi-Topology (MT) ISIS allows a single routing domain to maintain multiple independent topologies—for IPv4, IPv6, or even traffic engineering—without forcing all routers to support every address family. This separation is critical for gradual IPv6 migration, network slicing, and avoiding black holes during protocol transitions, but misconfiguration can lead to route leaks, loops, and security blind spots.

Learning Objectives:

  • Understand the architecture of IS-IS Multi-Topology and its role in dual-stack and segmented networks.
  • Learn to configure, verify, and troubleshoot MT ISIS on Cisco IOS/IOS-XE routers using real-world commands.
  • Identify security risks and mitigation strategies for MT ISIS deployments, including route filtering and authentication.

You Should Know:

1. Core ISIS Multi-Topology Concepts and Configuration

ISIS traditionally supports a single topology (Single Topology, ST) where IPv4 and IPv6 routes share the same link-state database and SPF calculations. Multi-Topology (RFC 5120) creates separate SPF trees for each address family, allowing IPv6 to be enabled on only a subset of routers. This prevents black holes when migrating and supports non-congruent topologies.

Step‑by‑step guide to enable ISIS MT on Cisco routers:

First, enable the ISIS process and configure the NET address:

```
router isis 1
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 ! Wide metrics are required for MT
 metric-style wide
```

Enable Multi-Topology for IPv6 (or other families):

```
router isis 1
 address-family ipv6
  multi-topology
 exit-address-family
```

Verify MT status:

```
show isis topology
show isis spf-log
show isis database verbose | include MT
```

For Linux-based routing (e.g., FRRouting or Bird), configure MT via daemon configs. Example for FRR, with the router ID 192.168.1.1 encoded as the system ID 1921.6800.1001:

```
router isis 1
 net 49.0001.1921.6800.1001.00
 topology ipv6-unicast
```

2. Dual-Stack Migration Using MT – Step-by-Step Deployment

Scenario: You have an IPv4-only core and need to add IPv6 without upgrading all routers at once. MT ISIS allows IPv6 adjacencies only on upgraded nodes.

Step 1: On upgraded routers, enable IPv6 on interfaces and in ISIS:

```
interface GigabitEthernet0/0
 ipv6 address 2001:db8::1/64
 ipv6 router isis 1
```

Step 2: Ensure MT is enabled under IPv6 address-family (as above). Legacy routers will ignore IPv6 TLVs.

Step 3: Verify separate IPv6 topology:

```
show isis ipv6 topology
show isis ipv6 route
```

Step 4: Test reachability and check for route leaks:

```
ping ipv6 2001:db8::2
traceroute ipv6 2001:db8::3
```

If routes fail, check that all routers in the IPv6 topology have `metric-style wide` and `multi-topology` configured consistently.

3. Security Hardening for ISIS Multi-Topology

MT ISIS inherits the same vulnerabilities as standard ISIS: spoofed LSPs, adjacency attacks, and route injection. Because MT creates separate databases, an attacker might inject false IPv6 topologies while leaving IPv4 intact, enabling stealthy man-in-the-middle attacks.

Hardening commands:

Enable ISIS authentication on all interfaces:

```
interface GigabitEthernet0/0
 isis authentication mode md5
 isis authentication key-chain ISIS_KEY
```

Configure key chain globally:

```
key chain ISIS_KEY
 key 1
  key-string SECURE_PASS
```

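For MT-specific protection, filter LSPs by TLV. Verify that your platform and software release accept this syntax before deploying it:

```
route-map DENY_IPV6_LSP deny 10
 ! MT IPv6 Reachability is TLV 237 (RFC 5120); the single-topology
 ! IPv6 Reachability TLV is 236 (RFC 5308). TLV 232 is IPv6 Interface Address.
 match tlv 237
!
router isis 1
 distribute-list route-map DENY_IPV6_LSP in level-2
```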

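On Linux (FRR), use `isis filter-list` to block prefixes. Always enable `isis authentication send-only` during migration to avoid outages, and remove it once every neighbor has the key, because a router in send-only mode does not verify the PDUs it receives.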
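
An offline check for the settings this section and the migration steps depend on: wide metrics, `multi-topology` under the IPv6 address family, and authentication on every ISIS interface. This is an added example, not part of the original post; the sample config is constructed, and treating an interface as ISIS-enabled when it carries `ip router isis` or `ipv6 router isis` is an assumption of the script.

```python
# Constructed sample config (not from a real device).
SAMPLE = """\
interface GigabitEthernet0/0
 ipv6 router isis 1
 isis authentication mode md5
 isis authentication key-chain ISIS_KEY
interface GigabitEthernet0/1
 ipv6 router isis 1
router isis 1
 address-family ipv6
  multi-topology
 exit-address-family
"""

def sections(config):
    """Group indented sub-commands under their top-level header line."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config, tag="1"):
    """Return findings for missing MT prerequisites and unauthenticated interfaces."""
    sec, findings = sections(config), []
    isis = sec.get(f"router isis {tag}", [])
    if "metric-style wide" not in isis:
        findings.append("router isis: metric-style wide missing")
    af = " ".join(isis).partition("address-family ipv6")[2].partition("exit-address-family")[0]
    if "multi-topology" not in af:
        findings.append("router isis: multi-topology missing under address-family ipv6")
    for header, body in sec.items():
        if not header.startswith("interface ") or not any(
                l.endswith(f"router isis {tag}") for l in body):
            continue  # not an ISIS interface for this process
        if not any(l.startswith("isis authentication mode") for l in body):
            findings.append(f"{header}: no isis authentication mode")
        chains = [l.split()[-1] for l in body if l.startswith("isis authentication key-chain")]
        if not chains:
            findings.append(f"{header}: no isis authentication key-chain")
        elif f"key chain {chains[0]}" not in sec:
            findings.append(f"{header}: key chain {chains[0]} is not defined")
        if "isis authentication send-only" in body:
            findings.append(f"{header}: send-only set, received PDUs are not verified")
    return findings
```

Running `audit(SAMPLE)` reports the missing `metric-style wide`, the undefined key chain on the first interface, and the unauthenticated second interface.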

4. Troubleshooting Common MT ISIS Failures – Commands & Fixes

Problem 1: Adjacency forms but no IPv6 routes appear.

  • Check `show isis adjacency detail` and confirm that `MT IPv6` appears under “Topologies”.
  • Fix: Add `multi-topology` under the IPv6 address-family and restart the ISIS process.

Problem 2: Inconsistent MT support across the area.

  • Run `show isis database detail` and look for `MT` flags in LSPs. Missing flags indicate old routers.
  • Fix: Upgrade, or configure `ignore-lsp-errors` only as a temporary workaround.

Problem 3: Route loops during transition.

  • Use `show isis spf-log` to verify separate SPF runs for IPv4 and IPv6.
  • Fix: Enable `spf-interval` to dampen flapping, and use `set-overload-bit` (the IS-IS counterpart of OSPF's `max-metric router-lsa`) during maintenance.

Windows does not run ISIS natively, but you can analyze ISIS dumps using Wireshark:

```
& "C:\Program Files\Wireshark\tshark.exe" -i 2 -Y "isis" -T fields -e isis.lsp.lsp_id
```

For Linux packet capture and analysis:

```
# IS-IS PDUs are carried directly over layer 2 (not inside IP), so use the "isis" filter
sudo tcpdump -i eth0 -v -n -c 100 -w capture.pcap isis
sudo wireshark -r capture.pcap -Y "isis.mt.flag == 1"
```
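
To check captured LSPs for topologies a router should not be advertising, the TLV area can be walked directly. This is an added example, not code from the original post: it assumes the input is the TLV portion of an LSP (after the fixed header), uses the RFC 5120 TLV numbers 229 (Multi-Topology) and 237 (MT IPv6 Reachability), and runs on a constructed byte string; `unexpected_mt` and its expected-ID inventory are hypothetical names.

```python
import ipaddress
import struct

# Constructed TLV area: TLV 229 announcing MT 0 and MT 2, then TLV 237
# carrying 2001:db8::/64 (metric 10) in MT 2.
SAMPLE = (bytes([229, 4, 0, 0, 0, 2]) +
          bytes([237, 16, 0, 2, 0, 0, 0, 10, 0, 64]) +
          bytes.fromhex("20010db800000000"))

def walk_tlvs(body):
    """Yield (type, value) for each TLV; reject a TLV that overruns the buffer."""
    i = 0
    while i + 2 <= len(body):
        tlv_type, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError(f"TLV {tlv_type} truncated")
        yield tlv_type, value
        i += 2 + length

def mt_summary(body):
    """Return (MT IDs from TLV 229, {mt_id: [IPv6 prefixes]} from TLV 237)."""
    announced, prefixes = [], {}
    for tlv_type, v in walk_tlvs(body):
        if tlv_type == 229:      # 2 bytes per topology, low 12 bits are the MT ID
            announced += [struct.unpack_from("!H", v, o)[0] & 0x0FFF
                          for o in range(0, len(v) - 1, 2)]
        elif tlv_type == 237 and len(v) >= 2:
            mt_id = struct.unpack_from("!H", v, 0)[0] & 0x0FFF
            o = 2
            while o + 6 <= len(v):  # metric(4) control(1) prefix-length(1)
                control, plen = v[o + 4], v[o + 5]
                nbytes = (plen + 7) // 8
                if plen > 128 or o + 6 + nbytes > len(v):
                    raise ValueError("bad prefix entry in TLV 237")
                raw = v[o + 6:o + 6 + nbytes].ljust(16, b"\0")
                net = ipaddress.IPv6Network((raw, plen), strict=False)
                prefixes.setdefault(mt_id, []).append(str(net))
                o += 6 + nbytes
                if control & 0x20 and o < len(v):  # S bit: skip sub-TLVs
                    o += 1 + v[o]
    return announced, prefixes

def unexpected_mt(body, expected_ids):
    """MT IDs seen in the LSP that the inventory does not expect from this router."""
    announced, prefixes = mt_summary(body)
    return sorted((set(announced) | set(prefixes)) - set(expected_ids))
```

For a router that the inventory lists as IPv4-only, `unexpected_mt(SAMPLE, {0})` flags MT ID 2, which is the case where IPv6 topology data appears while IPv4 looks unchanged.
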
5. Advanced MT ISIS Use Cases: Network Slicing and TE

MT ISIS enables multiple logical topologies over the same physical infrastructure. For example, isolate voice traffic onto high-bandwidth links, while best-effort data uses different paths.

Configuration for topology “RED” (using administrative tags):

```
router isis 1
 topology RED
 address-family ipv4
 multi-topology
 exit-address-family
!
interface GigabitEthernet0/1
 isis topology RED
 isis metric 10 level-2
```

Verify per-topology routes:

```
show isis topology RED
show isis route topology RED
```

For automation, use Ansible to push MT configurations across hundreds of routers:

```yaml
- name: Enable ISIS MT IPv6
  ios_config:
    lines:
      - address-family ipv6
      - multi-topology
      - exit-address-family
    parents: router isis 1
```

What Undercode Say:

  • Multi-Topology ISIS is not just an IPv6 migration tool – it’s a security boundary that can isolate failure domains and limit attack surface if properly configured.
  • Most network breaches involving routing protocols stem from missing authentication and misconfigured MT flags; always combine MD5 authentication with TLV filtering.
  • Automation (Ansible, Python with Netmiko) drastically reduces human error when rolling out MT across large fabrics – but always validate with `show isis spf-log` after changes.

Prediction:

As networks evolve toward 5G slicing, Kubernetes CNI, and segment routing, ISIS Multi-Topology will see a resurgence as the control plane for logically isolated “network slices”. However, without widespread adoption of authentication and systematic route filtering, MT ISIS deployments will become prime targets for topology poisoning attacks. Expect future router CVEs to exploit MT transition states, forcing vendors to implement per-topology key chains and zero-trust adjacency checks by 2028.


Reported By: Ah M – Hackers Feeds