Configuring IS-IS Authentication


IS-IS authentication involves IS-IS authentication per interface, IS-IS area authentication and IS-IS routing domain authentication.

  • IS-IS Authentication per Interface

With IS-IS authentication per interface, an interface on which IS-IS is enabled authenticates Level 1 and Level 2 Hello messages using the specified authentication type and password.

  • Area Authentication

Area authentication encapsulates authentication passwords in IS-IS packets within the Level-1 area, ensuring that only authenticated packets are received. Therefore, when authentication is required for the Level-1 area, IS-IS area authentication needs to be configured on all IS-IS devices within that area.

  • Domain Authentication

Domain authentication encapsulates authentication passwords in IS-IS packets within the Level-2 area, ensuring that only authenticated packets are received. Therefore, when authentication is required for the Level-2 area, IS-IS domain authentication needs to be configured on all IS-IS devices within that area.

Typically, the IS-IS protocol does not encapsulate authentication information in the sent IS-IS packets, nor does it perform authentication checks on received packets. However, in the event of malicious packet attacks that could lead to the theft of network information, configuring IS-IS authentication can enhance network security.

NOTES:

  • When configuring IS-IS authentication per interface, the authentication type and password of all devices in the same area or routing domain must be consistent for IS-IS packets to propagate normally.

  • Whether or not area authentication or routing domain authentication passes, the establishment of Level-1 or Level-2 neighbor relationships is not affected.

Configuring Authentication for IS-IS Area

  • When configuring, authentication-type and authentication-key should be submitted in the same commit.

  • When deleting, the command is delete protocols isis area-tag <text> [vrf <vrf-name>] area-password, and all the area-password configuration of authentication-type and authentication-key will be removed.

To configure the authentication type for the IS-IS area, use the command set protocols isis area-tag <text> [vrf <vrf-name>] area-password authentication-type <simple | md5>. The authentication type can be simple or md5.

To configure the authentication password for the IS-IS area, use the command set protocols isis area-tag <text> [vrf <vrf-name>] area-password authentication-key <password>. IS-IS then encapsulates authentication information in sent IS-IS messages and performs authentication checks on received messages.

By default, IS-IS does not encapsulate authentication information in sent CSNP and PSNP messages, nor does it perform authentication checks on received ones. Use the command set protocols isis area-tag <text> [vrf <vrf-name>] area-password authenticate-snp <send-only|validate> to change this behavior.

The following commands configure the authentication type and authentication password for the IS-IS area, and configure the system to only encapsulate authentication information in sent IS-IS messages without performing authentication checks on received messages.

admin@PICOS# set protocols isis area-tag instance1 area-password authentication-type md5
admin@PICOS# set protocols isis area-tag instance1 area-password authentication-key picos123456
admin@PICOS# set protocols isis area-tag instance1 area-password authenticate-snp send-only
admin@PICOS# commit

Configuring Authentication for IS-IS Routing Domain

To configure the authentication type for the IS-IS domain, use the command set protocols isis area-tag <text> [vrf <vrf-name>] domain-password authentication-type <simple | md5>. The authentication type can be simple or md5.

To configure the authentication password for the IS-IS domain, use the command set protocols isis area-tag <text> [vrf <vrf-name>] domain-password authentication-key <password>.

By default, IS-IS does not encapsulate authentication information in sent CSNP and PSNP messages, nor does it perform authentication checks on received ones. Use the command set protocols isis area-tag <text> [vrf <vrf-name>] domain-password authenticate-snp <send-only|validate> to change this behavior.

The following commands configure the authentication type and authentication password for the IS-IS domain, and configure the system to only encapsulate authentication information in sent IS-IS messages without performing authentication checks on received messages.

admin@PICOS# set protocols isis area-tag instance1 domain-password authentication-type md5
admin@PICOS# set protocols isis area-tag instance1 domain-password authentication-key picos123456
admin@PICOS# set protocols isis area-tag instance1 domain-password authenticate-snp send-only
admin@PICOS# commit

Configuring IS-IS Authentication per Interface

Make sure that the per-interface authentication configuration on both ends of an IS-IS neighbor relationship is consistent; otherwise, neighbors cannot be established.

To configure the IS-IS authentication type per interface, use the command set protocols isis area-tag <text> interface <interface-name> password authentication-type <simple | md5>. The authentication type can be simple or md5.

To configure the IS-IS authentication password per interface, use the command set protocols isis area-tag <text> interface <interface-name> password authentication-key <password>.

The following commands configure the authentication type and authentication password for the IS-IS interface.

admin@PICOS# set protocols isis area-tag instance1 interface vlan10 password authentication-type md5
admin@PICOS# set protocols isis area-tag instance1 interface vlan10 password authentication-key picos123456
admin@PICOS# commit
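The following is an added example, not part of the PICOS documentation: a Python audit of the set commands from the area, domain and per-interface sections above, run over constructed configurations for two hypothetical switches (sw1, sw2). It flags simple authentication (assumed here to be the standard IS-IS cleartext password), a type configured without a key, area or domain scopes where received CSNP/PSNP messages are not checked, and area or domain settings that differ between devices.

```python
import re
from collections import defaultdict

# Matches only the set commands shown on this page.
LINE = re.compile(
    r"set protocols isis area-tag (?P<tag>\S+) "
    r"(?:(?:vrf (?P<vrf>\S+) )?(?P<scope>area-password|domain-password)|(?P<intf>interface \S+ password)) "
    r"(?P<leaf>authentication-type|authentication-key|authenticate-snp) (?P<val>\S+)")

def parse(text):  # -> {(tag, vrf, scope): {leaf: value}} for one device
    scopes = defaultdict(dict)
    for m in LINE.finditer(text):
        scopes[(m["tag"], m["vrf"], m["scope"] or m["intf"])][m["leaf"]] = m["val"]
    return dict(scopes)

def audit(devices):
    """devices: {hostname: config text}. Returns a sorted list of findings."""
    findings, seen = [], defaultdict(dict)
    for dev, text in devices.items():
        for (tag, vrf, scope), leaves in parse(text).items():
            where = f"{dev} {tag} {scope}"
            atype, akey = leaves.get("authentication-type"), leaves.get("authentication-key")
            if (atype is None) != (akey is None):
                findings.append(f"{where}: set both authentication-type and authentication-key")
            if atype == "simple":  # assumption: standard IS-IS cleartext password
                findings.append(f"{where}: simple sends the password in cleartext")
            if not scope.startswith("interface"):
                if leaves.get("authenticate-snp") != "validate":
                    findings.append(f"{where}: received CSNP/PSNP are not checked")
                seen[(tag, vrf, scope)][dev] = (atype, akey)
    # Area/domain type and key must match on every device that configures them.
    for (tag, vrf, scope), per_dev in seen.items():
        if len(set(per_dev.values())) > 1:
            findings.append(f"{tag} {scope}: type or key differs across {sorted(per_dev)}")
    return sorted(findings)

# Constructed sample configs for two hypothetical switches (sw1, sw2).
P = "set protocols isis area-tag instance1 "
SAMPLE = {
    "sw1": P + "area-password authentication-type md5\n"
         + P + "area-password authentication-key picos123456\n"
         + P + "area-password authenticate-snp send-only\n"
         + P + "interface vlan10 password authentication-type simple\n"
         + P + "interface vlan10 password authentication-key picos123456\n",
    "sw2": P + "area-password authentication-type md5\n"
         + P + "area-password authentication-key Constructed-Key-2\n"
         + P + "area-password authenticate-snp validate\n"
         + P + "domain-password authentication-type md5\n"}
print("\n".join(audit(SAMPLE)))
```

The findings never include the key values themselves, so the output can be shared in a ticket or report without exposing the passwords.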

Copyright © 2024 Pica8 Inc. All Rights Reserved.