IS-IS Authentication Explained with Example Configuration
Table of Contents
- What is IS-IS authentication?
- How to configure IS-IS authentication?
- IS-IS interface authentication configuration
- IS-IS LSP authentication configuration
- Download section
What is IS-IS authentication?
To add security to the IS-IS routing protocol, authentication can be configured between neighboring devices. IS-IS supports authentication of neighborships (Hello packets) and of update packets (LSPs). The following capture shows an IS-IS Hello packet (IIH) with the authentication in cleartext.
The following packet capture shows an IS-IS Link State PDU (LSP) with MD5 authentication. Note that neither capture contains an IP header: the IS-IS control plane runs directly at the OSI Data Link Layer (Layer 2), even though the information it carries (see the LSP below) includes Layer 3 IP prefixes.
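The two captures above show the same TLV in two forms: an Authentication TLV carrying the key string in the clear, and one carrying an HMAC-MD5 digest. The Python below is an added example, not code from the original page, that makes the difference concrete. It builds a constructed minimal point-to-point IIH (no IP header, as the page notes), parses the Authentication TLV (type 10, with authentication type 1 for cleartext per ISO 10589 and 54 for HMAC-MD5 per RFC 5304), and shows that in text mode the key string is readable straight from the bytes, while in MD5 mode the PDU can only be verified by a receiver holding the key. The digest is computed over the whole PDU with the 16-octet Authentication Value zeroed, following the RFC 5304 procedure; the PDU layout, system ID and key string are constructed sample values (the key string and NET are the ones used on this page), and byte-for-byte interoperability with any vendor implementation is not claimed.

```python
import hashlib
import hmac
import struct

# Constants from ISO 10589 and RFC 5304 (standards values, not taken from the page)
TLV_AUTHENTICATION = 10
AUTH_TYPE_CLEARTEXT = 1      # ISO 10589 cleartext password
AUTH_TYPE_HMAC_MD5 = 54      # RFC 5304 HMAC-MD5
PDU_TYPE_P2P_IIH = 17
P2P_IIH_HEADER_LEN = 8 + 12  # common header + point-to-point IIH fixed fields


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one IS-IS TLV: one octet type, one octet length, then the value."""
    return bytes([tlv_type, len(value)]) + value


def build_p2p_iih(system_id: bytes, holding_time: int, auth_tlv: bytes) -> bytes:
    """Constructed minimal point-to-point IIH. There is no IP header: IS-IS PDUs
    are carried directly in link-layer frames, as the page notes."""
    assert len(system_id) == 6
    pdu = bytearray([0x83, P2P_IIH_HEADER_LEN, 1, 0, PDU_TYPE_P2P_IIH, 1, 0, 0])
    pdu += bytes([2])                          # circuit type: level-2 only
    pdu += system_id                           # source ID
    pdu += struct.pack(">H", holding_time)     # holding time
    length_offset = len(pdu)
    pdu += b"\x00\x00"                         # PDU length, patched below
    pdu += bytes([0x01])                       # local circuit ID
    pdu += auth_tlv
    struct.pack_into(">H", pdu, length_offset, len(pdu))
    return bytes(pdu)


def find_auth_tlv(pdu: bytes):
    """Walk the TLV area; return (offset of value, auth type, auth value) or None."""
    off = P2P_IIH_HEADER_LEN
    while off + 2 <= len(pdu):
        t, length = pdu[off], pdu[off + 1]
        value = pdu[off + 2:off + 2 + length]
        if t == TLV_AUTHENTICATION and length >= 1:
            return off + 2, value[0], value[1:]
        off += 2 + length
    return None


def cleartext_password(pdu: bytes):
    """With mode text the key string is readable straight from the capture."""
    found = find_auth_tlv(pdu)
    if found is not None and found[1] == AUTH_TYPE_CLEARTEXT:
        return found[2]
    return None


def _hmac_md5_over_pdu(pdu: bytes, key: bytes, value_off: int) -> bytes:
    # RFC 5304: the 16-octet Authentication Value is zeroed before the HMAC is computed
    buf = bytearray(pdu)
    buf[value_off:value_off + 16] = bytes(16)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()


def sign_hmac_md5(pdu: bytes, key: bytes) -> bytes:
    """Sender side: fill the placeholder HMAC-MD5 Authentication TLV with the digest."""
    found = find_auth_tlv(pdu)
    assert found is not None and found[1] == AUTH_TYPE_HMAC_MD5 and len(found[2]) == 16
    value_off = found[0] + 1                   # skip the authentication-type octet
    signed = bytearray(pdu)
    signed[value_off:value_off + 16] = _hmac_md5_over_pdu(pdu, key, value_off)
    return bytes(signed)


def verify_hmac_md5(pdu: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest with the local key and compare in constant time."""
    found = find_auth_tlv(pdu)
    if found is None or found[1] != AUTH_TYPE_HMAC_MD5 or len(found[2]) != 16:
        return False
    value_off = found[0] + 1
    expected = _hmac_md5_over_pdu(pdu, key, value_off)
    return hmac.compare_digest(found[2], expected)


# Constructed sample values: system ID matching R1's NET on the page, and the page's key string
SYSTEM_ID_R1 = bytes.fromhex("000000000001")
KEY = b"p4ssw0rd.123"


def demo():
    clear = build_p2p_iih(SYSTEM_ID_R1, 30, tlv(TLV_AUTHENTICATION, bytes([AUTH_TYPE_CLEARTEXT]) + KEY))
    placeholder = tlv(TLV_AUTHENTICATION, bytes([AUTH_TYPE_HMAC_MD5]) + bytes(16))
    signed = sign_hmac_md5(build_p2p_iih(SYSTEM_ID_R1, 30, placeholder), KEY)
    tampered = bytearray(signed)
    tampered[16] ^= 0x01                       # flip a bit in the holding time after signing
    return {
        "text_mode_key_in_capture": cleartext_password(clear),
        "md5_mode_key_in_capture": cleartext_password(signed),
        "md5_verifies_with_key": verify_hmac_md5(signed, KEY),
        "md5_verifies_wrong_key": verify_hmac_md5(signed, b"wrong-key"),
        "md5_verifies_tampered": verify_hmac_md5(bytes(tampered), KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The tampered case is the property that matters for the LSP scenario later on the page: because the digest covers the whole PDU, a receiver with the key rejects any PDU whose contents were altered after signing, not only PDUs sent with the wrong key.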
How to configure IS-IS authentication?
IS-IS authentication can be configured in two modes: cleartext or MD5. Additionally, IS-IS allows Link State PDUs (LSPs) and Hello packets (neighborships) to be authenticated separately. The following configuration examples show these authentication methods.

Interface with cleartext:

```
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key chain EXAMPLE-KEY
R1(config-keychain)#key 10
R1(config-keychain-key)#key-string p4ssw0rd.123
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#
R1(config)#interface GigabitEthernet 0/0
R1(config-if)#isis authentication mode text
R1(config-if)#isis authentication key-chain EXAMPLE-KEY
R1(config-if)#exit
R1(config)#end
R1#
```

Interface with MD5:

```
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key chain EXAMPLE-KEY
R1(config-keychain)#key 10
R1(config-keychain-key)#key-string p4ssw0rd.123
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#
R1(config)#interface GigabitEthernet 0/0
R1(config-if)#isis authentication mode md5
R1(config-if)#isis authentication key-chain EXAMPLE-KEY
R1(config-if)#exit
R1(config)#end
R1#
```

LSP with MD5:

```
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key chain EXAMPLE-KEY
R1(config-keychain)#key 10
R1(config-keychain-key)#key-string p4ssw0rd.123
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#
R1(config)#router isis
R1(config-router)#authentication mode md5
R1(config-router)#authentication key-chain EXAMPLE-KEY
R1(config-router)#exit
R1(config)#end
R1#
```
IS-IS interface authentication configuration
In the following example scenario the Level-2 IS-IS area 10 is configured between R1, R2 and R3. The three routers use interface authentication, meaning they authenticate IS-IS Hello (IIH) packets before establishing a neighborship. Two authentication modes are applied in this scenario: the R1-R2 neighborship uses cleartext authentication, and the R2-R3 neighborship uses MD5 authentication.
Configuration:
R1
```
R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R2 **
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
 isis authentication mode text
 isis authentication key-chain EXAMPLE-KEY
R1#show run | sec ^router
router isis
 net 49.0010.0000.0000.0001.00
 is-type level-2-only
 passive-interface GigabitEthernet0/0
R1#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
R2
```
R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to R1 **
 ip address 10.1.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
 isis authentication mode text
 isis authentication key-chain EXAMPLE-KEY
R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.2.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
 isis authentication mode md5
 isis authentication key-chain EXAMPLE-KEY
R2#show run | sec ^router
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
R2#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
R3
```
R3#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 ip address 192.168.2.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
R3#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R2 **
 ip address 10.2.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
 isis authentication mode md5
 isis authentication key-chain EXAMPLE-KEY
R3#show run | sec ^router
router isis
 net 49.0010.0000.0000.0003.00
 is-type level-2-only
 passive-interface GigabitEthernet0/0
R3#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
Host1
```
Host1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to R1 **
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
Host1#show run | sec ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```
Verification:
```
R1#show clns neighbors detail
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Gi0/1       5254.0012.a9dd      Up     29        L2   IS-IS
  Area Address(es): 49.0010
  IP Address(es):  10.1.0.2*
  Uptime: 00:19:41
  NSF capable
  Interface name: GigabitEthernet0/1
R1#show clns interface Gi0/1
GigabitEthernet0/1 is up, line protocol is up
  Checksums enabled, MTU 1497, Encapsulation SAP
  ERPDUs enabled, min. interval 10 msec.
  CLNS fast switching disabled
  CLNS SSE switching disabled
  DEC compatibility mode OFF for this interface
  Next ESH/ISH in 17 seconds
  Routing Protocol: IS-IS
    Circuit Type: level-2
    Interface number 0x0, local circuit ID 0x100
    Neighbor System-ID: R2
    Level-2 Metric: 10, Priority: 64, Circuit ID: R2.00
    Level-2 IPv6 Metric: 10
    Number of active level-2 adjacencies: 1
    Next IS-IS Hello in 3 seconds
    if state UP
Host1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
Host1#trace 192.168.2.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 2 msec
  2 10.1.0.2 2 msec
  3 10.2.0.2 2 msec
  4 192.168.2.2 3 msec
```
IS-IS LSP authentication configuration
In the following scenario the IS-IS neighborships between R1, R2 and R3 are not authenticated, but IS-IS LSP authentication is configured. This means an IS-IS neighborship can be established between the routers, but if LSP authentication fails, the received routing updates are not used. This is an important difference between interface (neighbor) authentication and LSP authentication.
Configuration:
R1
```
R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R2 **
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R1#show run | sec ^router
router isis
 net 49.0010.0000.0000.0001.00
 is-type level-2-only
 authentication mode text
 authentication key-chain EXAMPLE-KEY
 passive-interface GigabitEthernet0/0
R1#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
R2
```
R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to R1 **
 ip address 10.1.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.2.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R2#show run | sec ^router
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
 authentication mode text
 authentication key-chain EXAMPLE-KEY
R2#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
R3
```
R3#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 ip address 192.168.2.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
R3#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R2 **
 ip address 10.2.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R3#show run | sec ^router
router isis
 net 49.0010.0000.0000.0003.00
 is-type level-2-only
 authentication mode text
 authentication key-chain EXAMPLE-KEY
 passive-interface GigabitEthernet0/0
R3#show run | sec ^key
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
```
Verification:
```
R2#show isis neighbors
System Id      Type Interface     IP Address      State Holdtime Circuit Id
R1             L2   Gi0/0         10.1.0.1        UP    26       00
R3             L2   Gi0/1         10.2.0.2        UP    25       00
R2#show isis rib
IPv4 local RIB for IS-IS process
IPV4 unicast topology base (TID 0, TOPOID 0x0) =================
10.1.0.0/30
  [115/L2/20] via 10.1.0.1(GigabitEthernet0/0), from 10.1.0.1, tag 0, LSP[2/2/33]
10.2.0.0/30
  [115/L2/20] via 10.2.0.2(GigabitEthernet0/1), from 10.2.0.2, tag 0, LSP[3/3/22]
192.168.1.0/24
  [115/L2/10] via 10.1.0.1(GigabitEthernet0/0), from 10.1.0.1, tag 0, LSP[2/2/33] (installed)
192.168.2.0/30
  [115/L2/10] via 10.2.0.2(GigabitEthernet0/1), from 10.2.0.2, tag 0, LSP[3/3/22] (installed)
```
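The two scenarios above (interface authentication and LSP authentication) and the configuration examples earlier on the page give a reviewer three things to check on any IS-IS router: whether every IS-IS-enabled interface authenticates IIHs, whether LSPs are authenticated under `router isis`, whether the mode is `text` or `md5`, and whether the referenced key chain actually exists. The Python below is an added example, not the page's own code, that audits an IOS-style running-config for exactly those points. The two config fragments are constructed from R2's configuration in each scenario (trimmed to the lines that matter); the severity labels and the regexes are this example's own choices, and the `router isis` and `interface` block parsing assumes the single-space indentation IOS uses in `show run` output.

```python
import re

# Constructed running-config fragments modelled on R2 in the two scenarios on this page.
INTERFACE_AUTH_R2 = """\
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
interface GigabitEthernet0/0
 description ** to R1 **
 ip address 10.1.0.2 255.255.255.252
 ip router isis
 isis network point-to-point
 isis authentication mode text
 isis authentication key-chain EXAMPLE-KEY
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.2.0.1 255.255.255.252
 ip router isis
 isis network point-to-point
 isis authentication mode md5
 isis authentication key-chain EXAMPLE-KEY
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
"""

LSP_AUTH_R2 = """\
key chain EXAMPLE-KEY
 key 10
  key-string p4ssw0rd.123
interface GigabitEthernet0/0
 ip address 10.1.0.2 255.255.255.252
 ip router isis
 isis network point-to-point
interface GigabitEthernet0/1
 ip address 10.2.0.1 255.255.255.252
 ip router isis
 isis network point-to-point
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
 authentication mode text
 authentication key-chain EXAMPLE-KEY
"""

# Interface form is "isis authentication ..."; router form is "authentication ..."; an optional
# level keyword (level-1 / level-2) may follow the mode, hence the word boundary.
MODE_RE = re.compile(r"^(?:isis )?authentication mode (text|md5)\b")
CHAIN_RE = re.compile(r"^(?:isis )?authentication key-chain (\S+)")


def parse_blocks(config: str) -> dict:
    """Split an IOS-style config into top-level blocks: header line -> list of indented lines."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit_isis_auth(config: str) -> list:
    """Return (scope, level, message) findings for IIH and LSP authentication."""
    blocks = parse_blocks(config)
    keychains = {h.split()[2] for h in blocks if h.startswith("key chain ")}
    findings = []

    def check(scope, lines, missing_level, missing_msg):
        mode = chain = None
        for line in lines:
            m = MODE_RE.match(line)
            if m:
                mode = m.group(1)
            c = CHAIN_RE.match(line)
            if c:
                chain = c.group(1)
        if mode is None:
            findings.append((scope, missing_level, missing_msg))
        elif mode == "text":
            findings.append((scope, "MEDIUM", "cleartext authentication: key string is visible in captures"))
        else:
            findings.append((scope, "OK", "md5 authentication"))
        if mode is not None and chain not in keychains:
            findings.append((scope, "HIGH", f"key-chain {chain} is not defined; authentication cannot succeed"))

    for header, lines in blocks.items():
        if header.startswith("interface ") and "ip router isis" in lines:
            check(header.split(None, 1)[1], lines, "HIGH",
                  "no IIH authentication: any device on the link can form an adjacency")
    for header, lines in blocks.items():
        if header.startswith("router isis"):
            check(header, lines, "MEDIUM",
                  "no LSP authentication: received LSPs are accepted without a key")
    return findings


if __name__ == "__main__":
    for label, cfg in (("interface auth", INTERFACE_AUTH_R2), ("LSP auth", LSP_AUTH_R2)):
        print(f"== {label} ==")
        for scope, level, msg in audit_isis_auth(cfg):
            print(f"{level:6} {scope}: {msg}")
```

Run against the first fragment the audit flags Gi0/0 (text mode) and the absence of LSP authentication; against the second it flags both interfaces as forming unauthenticated adjacencies and the LSP authentication as cleartext, which matches the page's point that in the LSP scenario neighborships come up regardless while only the LSP contents are protected.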