Like any other routing protocol, IS-IS supports authentication. You can choose between plain text or HMAC-MD5 authentication, and there are some different options that define which packets will be authenticated. In this lesson, I’ll walk you through the different options.
Here’s the topology I will use:
We have two routers in the same area. Both routers are configured as level 1-2 routers (the default).
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R1 ! ip cef ! interface GigabitEthernet0/1 ip address 192.168.12.1 255.255.255.0 ip router isis ! router isis net 49.0012.0000.0000.0001.00 log-adjacency-changes ! end
hostname R2 ! ip cef ! interface GigabitEthernet0/1 ip address 192.168.12.2 255.255.255.0 ip router isis ! router isis net 49.0012.0000.0000.0002.00 log-adjacency-changes ! end
Clear Text Authentication
Let’s start with clear text (plain text) authentication. There are three options to choose from:
- Interface authentication
- Area authentication
- Domain authentication
As the names imply, you can enable authentication on the interface level, per area or domain. However, these three options also define which packets will be authenticated! These commands that I’m about to show you are the “old” method of configuring IS-IS authentication.
Let’s take a look at each authentication method, and you will see what I’m talking about.
Let’s go to the interface. We use the isis password command here to set a password for authentication:
R1(config)#interface GigabitEthernet 0/1R1(config-if)#isis password MY_PASSWORD ?
level-1 Specify password for level-1 PDUs level-2 Specify password for level-2 PDUs <cr>
Optionally, you can choose for which level you want to enable authentication. If you don’t add this, then it will be applied to both level 1 and 2 neighbor adjacencies. Let’s do this on both routers:
R1(config)#interface GigabitEthernet 0/1 R1(config-if)#isis password MY_PASSWORD R2(config)#interface GigabitEthernet 0/1 R2(config-if)#isis password MY_PASSWORD
Once you enable this, authentication is only enabled for hello packets. LSPs and SNPs are still unauthenticated. Here’s an example of an authenticated hello packet:
As you can see above, the password is sent in clear text.
This enabled authentication for the area. In my example, R1 and R2 are in area 0012. This option will authenticate LSPs that are exchanged and optionally, SNPs. Hello packets are not authenticated.
Here’s how to configure it:
R1(config)#router isis R1(config-router)#area-password MY_PASSWORD ? authenticate Authentication <cr>
Above you can see that I have set a password. The authenticate parameter has one option:
R1(config-router)#area-password MY_PASSWORD authenticate ? snp SNP PDUs
This is how you can include SNPs. I’ll stick to LSPs for now. Let’s configure this on both routers:
R1(config)#router isis R1(config-router)#area-password MY_PASSWORD
R2(config)#router isis R2(config-router)#area-password MY_PASSWORD
After enabling area authentication, you will see that LSPs are now authenticated:
As expected, the password shows up in clear text.
If you want your SNPs to be authenticated as well, then we can enable that extra parameter. There is one more option, however:
R1(config)#router isis R1(config-router)#area-password MY_PASSWORD authenticate snp ? send-only Send but do not check PDUs on receiving validate Send and check PDUs on receiving
You can choose if you want to send authenticated packets but accept unauthenticated packets. This can be useful if you are migrating from a non-authenticated scenario to an authenticated scenario. In our lab, we’ll validate everything right away:
R1(config)#router isis R1(config-router)#area-password MY_PASSWORD authenticate snp validate
R2(config)#router isis R2(config-router)#area-password MY_PASSWORD authenticate snp validate
From now on, SNPs will be authenticated. Here’s an example of a CSNP:
The last option for plain text authentication is domain authentication. This works similar to area authentication expect it is all applied to all routers in the same IS-IS domain. In my case, I’m using the private domain 49. If you do this, authentication will be applied to all routers in the 49 domain. Let’s try this:
R1(config)#router isis R1(config-router)#domain-password MY_PASSWORD
R2(config)#router isis R2(config-router)#domain-password MY_PASSWORD
The behavior is the same as area authentication. Hello packets are unauthenticated, LSPs will be authenticated. If you also want to authenticate SNPs, you’ll have to include the authenticate snp validate parameter.
Clear text authentication is fun but not very safe. A quick Wireshark capture shows us the password. Instead, we can use HMAC-MD5 authentication. It is similar to clear text authentication, but there are only two options:
- Interface authentication
- Instance authentication
There is no area or domain authentication. Instead, authentication can be applied to the IS-IS routing instance. The password is not configured directly, but we use a key-chain instead. I’ll create one on both routers:
R1 & R2 (config)#key chain ISIS_AUTH (config-keychain)#key 1 (config-keychain-key)#key-string MY_PASSWORD
The name of the keychain and key number can be different (unlike most protocols, the key number is not checked in IS-IS). The key string has to match on both ends.
Let’s start with interface authentication. We have to use the isis authentication mode command:
R1(config)#interface GigabitEthernet 0/1 R1(config-if)#isis authentication mode ? md5 Keyed message digest text Clear text password
As you can see above, this command is the “new” way of configuring authentication, and it also supports clear text authentication. We are going to use HDMAC-MD5 however:
R1(config-if)#isis authentication mode md5
The next thing we have to do is to tell the router which keychain we want to use. Optionally, you can decide if you want to use HMAC-MD5 authentication for level 1, level 2 or both:
R1(config-if)#isis authentication key-chain ISIS_AUTH ? level-1 ISIS authentication for level-1 PDUs level-2 ISIS authentication for level-2 PDUs <cr>
I’ll go for the default option which means authentication is enabled for both level 1 and level 2 adjacencies: