Created on 02-18-2010 06:22 AM Edited on 04-06-2022 11:49 PM By Anonymous
Purpose
This article provides an IS-IS scenario example and the related FortiGate configurations with CLI debug commands.
Scope
FortiOS 4.0MR2 and above
FortiGate in NAT mode
ISIS - IS-IS
Diagram
Expectations, Requirements
Expectations :
Requirements for NSAP addressing :
Configuration
FortiGate CLI configuration (only relevant parts provided)
FGT1 :
config router isis
    config isis-interface
        edit "port3"
            set circuit-type level-1
            set network-type broadcast
            set status enable
        next
    end
    config isis-net
        edit 1
            set net 49.0048.1921.6818.2136.00
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
        set status enable
        set level level-1
    end
    config redistribute "ospf"
        set status enable
        set level level-1
    end
end
config router rip
    config interface
        edit "port2"
            set receive-version 2
            set send-version 2
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
    end
    config redistribute "isis"
        set status enable
    end
end
FGT2 :
config router isis
    config isis-interface
        edit "port3"
            set circuit-type level-1
            set network-type broadcast
            set status enable
        next
        edit "port2"
            set network-type broadcast
            set status enable
        next
    end
    config isis-net
        edit 1
            set net 49.0048.1221.6818.2110.00
        next
    end
    set redistribute-l1 enable
    set redistribute-l2 enable
end
FGT3 :
config router isis
    set is-type level-2-only
    config isis-interface
        edit "wan1"
            set network-type broadcast
            set status enable
        next
        edit "dmz1"
            set network-type broadcast
            set status enable
        next
    end
    config isis-net
        edit 1
            set net 49.0048.1921.6818.2108.00
        next
        edit 2
            set net 49.0049.1921.6818.2108.00
        next
    end
end
FGT4 :
config router isis
    set is-type level-2-only
    config isis-interface
        edit "wan1"
            set network-type broadcast
            set status enable
        next
    end
    config isis-net
        edit 1
            set net 49.0049.1721.0160.1004.00
        next
    end
    config redistribute "connected"
        set status enable
    end
end
Verification
(RTR1) # get router info routing-table all
C       10.1.1.0/24 is directly connected, vlan1
C       10.2.2.0/24 is directly connected, vlan2
C       10.10.10.0/24 is directly connected, dmz1
R       10.40.40.0/24 [120/2] via 10.10.10.1, dmz1, 00:04:07
R       10.50.50.0/24 [120/2] via 10.10.10.1, dmz1, 00:04:07
R       10.60.60.1/32 [120/2] via 10.10.10.1, dmz1, 00:04:07
(*) If required, filtering out 10.50.50.0 and 10.40.40.0 from the routing table could be done with a route-map.
FGT2 # get router info isis interface
port2 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1-2
    Local circuit ID: 0x01
    Extended Local circuit ID: 0x00000003
    Local SNPA: 0009.0f85.ad8c
    IP interface address: 10.40.40.2/24
    IPv6 interface address:
    Level-1 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.01
    Number of active level-1 adjacencies: 0
    Level-2 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.01
    Number of active level-2 adjacencies: 1
    Next IS-IS LAN Level-1 Hello in 6 seconds
    Next IS-IS LAN Level-2 Hello in 1 seconds
port3 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1
    Local circuit ID: 0x02
    Extended Local circuit ID: 0x00000004
    Local SNPA: 0009.0f85.ad8d
    IP interface address: 10.30.30.2/24
    IPv6 interface address:
    Level-1 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.02
    Number of active level-1 adjacencies: 1
    Next IS-IS LAN Level-1 Hello in 2 seconds
FGT2 # get router info isis neighbor
System Id       Interface   SNPA            State  Holdtime  Type  Protocol
1921.6818.2108  port2       0009.0f04.0794  Up     22        L2    IS-IS
1921.6818.2136  port3       0009.0f85.acf7  Up     29        L1    IS-IS
IS-IS router CLI commands available:
FGT3 # get router info isis ?
interface     show isis interfaces
neighbor      show CLNS neighbor adjacencies
is-neighbor   show IS neighbor adjacencies
database      show IS-IS link state database
route         show IS-IS IP routing table
topology      show IS-IS paths
Example of interface status and neighbors :
FGT3 # get router info isis interface
wan1 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1-2
    Local circuit ID: 0x01
    Extended Local circuit ID: 0x00000003
    Local SNPA: 0009.0f04.0794
    IP interface address: 10.40.40.1/24
    IPv6 interface address:
    Level-2 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.01
    Number of active level-2 adjacencies: 1
    Next IS-IS LAN Level-2 Hello in 3 seconds
dmz1 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1-2
    Local circuit ID: 0x02
    Extended Local circuit ID: 0x00000005
    Local SNPA: 0009.0f04.0792
    IP interface address: 10.50.50.1/24
    IPv6 interface address:
    Level-2 Metric: 10/10, Priority: 64, Circuit ID: 1721.0160.1004.01
    Number of active level-2 adjacencies: 1
    Next IS-IS LAN Level-2 Hello in 7 seconds
FGT3 # get router info isis neighbor
System Id       Interface   SNPA            State  Holdtime  Type  Protocol
1221.6818.2110  wan1        0009.0f85.ad8c  Up     8         L2    IS-IS
1721.0160.1004  dmz1        0009.0f52.7704  Up     8         L2    IS-IS
FGT4 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

i L2    10.1.1.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.2.2.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.3.3.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.4.4.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.10.10.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.11.11.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.20.20.0/24 [115/30] via 10.50.50.1, wan1, 00:12:46
i L2    10.30.30.0/24 [115/30] via 10.50.50.1, wan1, 00:13:55
i L2    10.40.40.0/24 [115/20] via 10.50.50.1, wan1, 00:15:30
C       10.50.50.0/24 is directly connected, wan1
C       10.60.60.1/32 is directly connected, loopback
(*) If required, filtering out other IS-IS routes from the routing table could be done with a route-map
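The following Python check is an added example, not part of the original article or Fortinet's tooling: it splits the NETs from the four configurations above into area, system ID and NSEL, then confirms that every System Id in the two neighbor outputs belongs to a configured NET and that each L1 adjacency has an area in common (L2 adjacencies do not need one). The function names and the NETS/NEIGHBORS tables are assumptions made for this example; their values are copied from this page.

```python
import re

# NETs copied from the FortiGate configurations on this page.
NETS = {
    "FGT1": ["49.0048.1921.6818.2136.00"],
    "FGT2": ["49.0048.1221.6818.2110.00"],
    "FGT3": ["49.0048.1921.6818.2108.00", "49.0049.1921.6818.2108.00"],
    "FGT4": ["49.0049.1721.0160.1004.00"],
}
# (local router, neighbor System Id, adjacency type) from the two neighbor outputs.
NEIGHBORS = [("FGT2", "1921.6818.2108", "L2"), ("FGT2", "1921.6818.2136", "L1"),
             ("FGT3", "1221.6818.2110", "L2"), ("FGT3", "1721.0160.1004", "L2")]


def parse_net(net):
    """Split a NET into (area, system_id, nsel); raise ValueError if malformed."""
    digits = net.replace(".", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){8,20}", digits):
        raise ValueError(f"NET must be 8 to 20 hex octets: {net!r}")
    area, sysid, nsel = digits[:-14], digits[-14:-2], digits[-2:]
    if nsel != "00":
        raise ValueError(f"NSEL of a NET must be 00: {net!r}")
    dotted = ".".join(sysid[i:i + 4] for i in range(0, 12, 4))
    return area.lower(), dotted.lower(), nsel


def inventory(nets):
    """Map router -> (system_id, areas); a router's NETs must share one system ID."""
    out = {}
    for router, values in nets.items():
        parsed = [parse_net(v) for v in values]
        if len({p[1] for p in parsed}) != 1:
            raise ValueError(f"{router}: NETs disagree on system ID")
        out[router] = (parsed[0][1], {p[0] for p in parsed})
    return out


def check_adjacencies(nets, neighbors):
    """Return problems: unknown neighbors, or L1 adjacencies without a shared area."""
    inv = inventory(nets)
    by_sysid = {sysid: name for name, (sysid, _) in inv.items()}
    problems = []
    for local, sysid, level in neighbors:
        peer = by_sysid.get(sysid.lower())
        if peer is None:
            problems.append(f"{local}: neighbor {sysid} matches no configured NET")
        elif level == "L1" and not inv[local][1] & inv[peer][1]:
            problems.append(f"{local}-{peer}: L1 adjacency without a common area")
    return problems
```

An empty list from `check_adjacencies(NETS, NEIGHBORS)` means the neighbor tables agree with the configured NETs; a System Id that maps to no configured NET is worth investigating as an unexpected IS-IS speaker on that segment.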
Troubleshooting
The following diagnose commands are available for further IS-IS troubleshooting and will display all IS-IS activity (sent and received packets) :
FGT # diagnose ip router isis level info
FGT # diagnose ip router isis all enable
FGT # diagnose debug enable
To stop the debug output:
FGT # diagnose ip router isis level none
The output and its interpretation depend on the issue faced. This information can be provided to the TAC if a support ticket is opened.