IS-IS

Intermediate System to Intermediate System (IS-IS) is an Interior Gateway Protocol (IGP) used to exchange routing information between routers in a single autonomous system (AS).

IS-IS calculates the best path based on true costs. The true costs are based on metrics a network administrator configures.

IS-IS supports IPv4 and IPv6 routing in a single protocol.

Best Practice - In complex networks that contain many routers with varying IPv4 / IPv6 support, we recommend to configure IPv6 Multi-Topology.

For more information about the IS-IS protocol, see the standard ISO/IEC 10589:2002, Second Edition and RFC 7142.

IS-IS Terms

This section describes the primary IS-IS terms important to Check Point's implementation of the IS-IS protocol.

Term	Description
Adjacency	A part of the local routing information which pertains to the reachability of a single neighbor Intermediate System (IS) over a single circuit. Adjacencies are used as input for forming paths through the routing domain. A different adjacency is created for each neighbor on a circuit, and for each level of routing (Level 1 and Level 2) on a broadcast circuit.
Area	A routing subdomain which maintains: Detailed routing information about its own internal composition. Routing information to reach other routing subdomains. It corresponds to the Level 1 subdomain.
Broadcast Subnetwork	A subnetwork which supports an arbitrary number of Intermediate Systems (ISs) in the same broadcast domain.
CSNP	Complete Sequence Number Protocol Data Unit. Contains the list of LSP IDs along with sequence number and checksum. This PDU is used to make sure the database contents are the same on different Intermediate Systems on the same broadcast link.
DIS	Designated Intermediate System. The Intermediate System on a LAN, which is designated to perform more duties. Specifically, it generates Link State PDUs on behalf of the LAN, treating the LAN as a pseudonode.
Hello	Two neighbor IS-IS routers must exchange 'Hello' packets at intervals to create adjacency. Based on the negotiation, one of them is be selected as DIS (Designated IS). IS-IS routers send the 'Hello' packets separately for Level 1 and Level 2.
Intermediate System	This is a "router." Acronym: "IS."
Level 1 Intermediate Systems	These Intermediate Systems route directly to systems in their own area, and route to a Level 2 Intermediate System (IS) when the destination system is in a different area. By default, they only have visibility to routes in their own Level 1 subdomain.
Level 2 Intermediate Systems	Level 2 Intermediate Systems behave similarly to Level 1, but have visibility to network destinations in all IS-IS areas, not only those that they are a part of.
LSP	Link State Protocol Data Unit. Contains all routing and neighbor information in a single Intermediate System.
Neighbor	Two Intermediate Systems that share an adjacency are referred to as "neighbors."
PDU	Protocol Data Unit (known as a network packet).
PSNP	Partial Sequence Number Protocol Data Unit.
Pseudonode	Where a broadcast subnetwork has N connected Intermediate systems, the broadcast subnetwork itself is considered to be a pseudonode. The pseudonode has links to each of the N Intermediate and End systems. Each IS has a single link to the pseudonode (rather than N-1 links to each of the other Intermediate systems). Link State PDUs are generated on behalf of the pseudonode by the Designated IS.

Cluster Support for IS-IS

Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. supports the IS-IS protocol in ClusterXL and on Scalable Platforms (Quantum Maestro and Quantum Scalable Chassis). In this configuration, the cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. becomes a Virtual Router.
The neighbor routers see the cluster as a single router, where the Cluster Virtual IP address and virtual MAC identify the router.
Each Cluster Member Security Gateway that is part of a cluster. runs the IS-IS process, but only the RouteD daemon in the Master state actively sends and receives routing information to and from the neighbor routers.
When a cluster failover occurs, the RouteD daemon on a peer Cluster Member becomes the RouteD Master and starts to send and receive routing information to and from the neighbor routers. The cluster uses IS-IS Graceful Restart to keep forwarding capabilities.

ClusterXL

Gaia ClusterXL advertises the Cluster Virtual IP address.
The Cluster Member that runs the RouteD in the Master state, synchronizes the IS-IS routes installed in the routing table to all other Cluster Members.
During a cluster failover, the RouteD daemon on one of the peer cluster members becomes the new RouteD Master and then continues where the previous RouteD Master failed.
During the time that the new RouteD Master is running the Graceful Restart to synchronize the route database with neighbor routers, the Cluster Member continues to forward traffic based on the previous kernel routes until IS-IS routes are fully synchronized and pushed into the kernel.

Important:

All Cluster Members must have the same configuration.
You must enable the "VMAC" feature (see the R82 ClusterXL Administration Guide).

Scalable Platforms

A Security Group on a Scalable Platforms behaves like ClusterXL.

The Security Group Member that runs the RouteD in the Master state makes the routing decisions.
Failover between Security Group Members behave like ClusterXL failovers.

Important:

All Security Group Members must have the same configuration.
You must enable the "Same VMAC" feature. Follow the instructions in sk165674.