Administration Guide

IS-IS routing

NOTES:

  • You must have an advanced features license to use IS-IS routing.
  • This feature is supported only on the SVI.

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between Autonomous Systems (AS).

IS-IS is a link-state protocol that is well-suited to smaller networks. It is in widespread use and has near universal support on routing hardware. It is quick to configure and works well if there are no redundant paths. However, IS-IS updates are sent out node-by-node, so it can be slow to find a path around network outages. IS-IS also lacks good authentication, cannot choose routes based on different quality-of-service methods, and can create network loops if you are not careful. IS-IS uses Dijkstra’s algorithm to find the best path, like OSPF.

While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures, largely due to its native support for IPv6 and its nondisruptive methods for splitting, merging, migrating, and renumbering network areas.

Terminology

TLV: IS-IS uses type-length-value (TLV) parameters to carry information in Link-State PDUs (LSPs). The TLV field consists of one octet of type (T), one octet of length (L), and “L” octets of value (V).

Link-state PDU (LSP): The LSP contains information about each router in an area and its connected interfaces.

Complete sequence number PDU (CSNP): CSNPs contain a list of all LSPs in the current LSDB.

Authentication keychain: A keychain is a list of one or more authentication keys including the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes.
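The TLV layout defined above, as an added example that is not Fortinet code: a bounds-checked TLV walker that also reports which authentication a hello carries. The Authentication Information TLV number (10) and its type codes (1 for a cleartext password, 54 for HMAC-MD5) come from ISO 10589 and RFC 5304, not from this guide, and the byte strings are constructed samples.

```python
AUTH_TLV = 10  # Authentication Information TLV (ISO 10589 / RFC 5304)
AUTH_TYPES = {1: "password (cleartext)", 54: "md5 (HMAC-MD5)"}


def parse_tlvs(data: bytes):
    """Return [(type, value)]; raise ValueError if a length runs past the buffer."""
    tlvs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, length = data[off], data[off + 1]
        value = data[off + 2 : off + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"TLV {tlv_type} at offset {off} claims {length} octets, "
                f"only {len(value)} remain"
            )
        tlvs.append((tlv_type, value))
        off += 2 + length
    return tlvs


def hello_auth(tlvs):
    """Describe the authentication carried in a hello's TLV section."""
    for tlv_type, value in tlvs:
        if tlv_type == AUTH_TLV:
            if not value:
                return "malformed authentication TLV"
            return AUTH_TYPES.get(value[0], f"unknown auth type {value[0]}")
    return "none"


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: one octet of type, one octet of length, then the value."""
    return bytes([tlv_type, len(value)]) + value


# Constructed sample TLV sections (not captured traffic).
AREA = tlv(1, bytes.fromhex("03490002"))             # Area Addresses: area 49.0002
CLEAR = AREA + tlv(10, b"\x01" + b"example-secret")  # password readable on the wire
HMAC = AREA + tlv(10, b"\x36" + bytes(16))           # type 54 plus a 16-octet digest
TRUNCATED = AREA + bytes([10, 17, 0x36])             # length 17, but 1 octet follows

if __name__ == "__main__":
    for name, body in [("cleartext", CLEAR), ("hmac", HMAC), ("no auth", AREA)]:
        print(name, "->", hello_auth(parse_tlvs(body)))
```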

Configuring IS-IS

Configuring IS-IS on the FortiSwitch unit includes the following major steps:

  1. Entering the IS-IS configuration mode.
  2. Configuring the interface.
  3. Configuring the network.
  4. Redistributing non-IS-IS routes.

    Advertise these non-IS-IS routes within IS-IS.

Entering the IS-IS configuration mode

Enter the IS-IS configuration mode to access all of the IS-IS configuration commands:

# config router isis

Configuring the interface

Enable the status option for IPv4 traffic or the status6 option for IPv6 traffic on the specified interface:

config interface
    edit <IS-IS interface name>
        set auth-keychain-hello <string>
        set auth-mode-hello {md5 | password}
        set auth-password-hello <password>
        set bfd {enable | disable}
        set bfd6 {enable | disable}
        set circuit-type {level-1 | level-1-2 | level-2}
        set csnp-interval-l1 <1-65535 seconds>
        set csnp-interval-l2 <1-65535 seconds>
        set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>
        set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>
        set hello-multiplier-l1 <2-100>
        set hello-multiplier-l2 <2-100>
        set hello-padding {disable | enable}
        set metric-l1 <1-63>
        set metric-l2 <1-63>
        set passive {disable | enable}
        set priority-l1 <0-127>
        set priority-l2 <0-127>
        set status {disable | enable}
        set status6 {disable | enable}
        set wide-metric-l1 <1-16777214>
        set wide-metric-l2 <1-16777214>
end
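An added audit sketch (not Fortinet tooling) that reads a saved configuration and lists the IS-IS interfaces whose hellos are unauthenticated or not in md5 mode, using only the option names shown above. It assumes that password mode carries the password in cleartext, as in standard IS-IS, and that an unset auth-mode-hello is not md5; the sample configuration, key-chain name and password are constructed.

```python
import shlex

# Constructed sample in the layout of this guide's configuration examples.
SAMPLE = '''
config router isis
    config interface
        edit "vlan100"
            set auth-mode-hello md5
            set auth-keychain-hello "example-chain"
        next
        edit "vlan101"
            set auth-mode-hello password
            set auth-password-hello example-secret
        next
        edit "vlan102"
            set circuit-type level-2
        next
    end
    config redistribute "connected"
        set status enable
    end
end
'''


def isis_interfaces(text):
    """Return {interface: {option: value}} for 'config interface' under 'config router isis'."""
    stack, current, found = [], None, {}
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":
            stack.append(words[1:])          # track nesting of config tables
        elif words[0] == "end" and stack:
            stack.pop()
        elif stack == [["router", "isis"], ["interface"]]:
            if words[0] == "edit":
                current = found.setdefault(words[1], {})
            elif words[0] == "set" and current is not None:
                current[words[1]] = " ".join(words[2:])
    return found


def audit(text):
    """Map each interface with weak or missing hello authentication to the reason."""
    findings = {}
    for name, opts in isis_interfaces(text).items():
        if not ({"auth-keychain-hello", "auth-password-hello"} & opts.keys()):
            findings[name] = "no hello authentication configured"
        elif opts.get("auth-mode-hello") != "md5":  # assumption: unset mode is not md5
            findings[name] = "hello authentication is not in md5 mode"
    return findings
```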

Configuring the network

Configure the IS-IS network:

config net
    edit <identifier>
        set net <IS-IS net xx.xxxx. ... .xxxx.xx>
end

Redistributing non-IS-IS routes

Redistribute non-IS-IS routes within IS-IS for IPv4 traffic or for IPv6 traffic:

config redistribute {bgp | connected | ospf | rip | static}
    set status {disable | enable}
    set metric <0-4261412864>
    set metric-type {external | internal}
    set level {level-1 | level-1-2 | level-2}
    set routemap <string>
end

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}
    set status {disable | enable}
    set metric <0-4261412864>
    set level {level-1 | level-1-2 | level-2}
    set routemap <string>
end

The following is an example of an IS-IS configuration for IPv4 traffic:

config router isis
    set default-information-metric 60
    config interface
        edit "vlan100"
            set circuit-type level-1
            set priority-l1 80
            set wide-metric-l1 200
        next
        edit "vlan102"
            set circuit-type level-2
        next
    end
    config net
        edit 1
            set net 49.0002.0000.0000.1048.00
        next
    end
    set metric-style wide
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "static"
    end
end

The following is an example of an IS-IS configuration for IPv6 traffic:

config router isis
    config interface
        edit "vlan10"
        next
    end
    config net
        edit 1
            set net 49.0000.0010.0100.1001.00
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "static"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "static"
    end
    config redistribute6 "ospf6"
    end
    config redistribute6 "ripng"
    end
end

Configuring BFD for IS-IS

You can use bidirectional forwarding detection (BFD) for the IS-IS routing protocol using IPv4 or IPv6 addresses:

config router isis
    config interface
        edit <IS-IS interface name>
            set bfd {enable | disable}
            set bfd6 {enable | disable}
        next
    end
end

For example, if you want to enable IPv4 BFD on vlan100:

config router isis
    config interface
        edit "vlan100"
            set bfd enable
        next
    end
end

Checking the IS-IS configuration

Use the following commands to check your IS-IS configuration:

get router info isis interface
get router info isis route
get router info isis summary
get router info isis topology
get router info6 isis interface
get router info6 isis route
get router info6 isis summary
get router info6 isis topology
