Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring IS-IS Authentication

All IS-IS protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the autonomous system (AS) routing. By default, IS-IS authentication is disabled on the routing device.

To configure IS-IS authentication, you must define an authentication password and specify the authentication type.

You can configure one of the following authentication methods:

  • Simple authentication—Uses a text password that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet. Simple authentication is included for compatibility with existing IS-IS implementations. However, we recommend that you do not use this authentication method because it is insecure (the text can be “sniffed”).

    CAUTION:

    A simple password that exceeds 254 characters is truncated.

  • HMAC-MD5 or SHA-1 authentication—Uses an iterated cryptographic hash function. The receiving routing device uses an authentication key (password) to verify the packet.

You can also configure more fine-grained interface-level authentication for hello packets.

To enable authentication and specify an authentication method, include the authentication-type statement, specifying the simple or md5 authentication type:

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

To configure a password, include the authentication-key statement. The authentication password for all routing devices in a domain must be the same.

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

To configure hitless authentication key rollover, include the authentication-key-chain (Protocols IS-IS) statement.

The password can contain up to 255 characters. If you include spaces, enclose all characters in quotation marks (“ ”).

If you are using the Junos OS IS-IS software with another implementation of IS-IS, the other implementation must be configured to use the same password for the domain, the area, and all interfaces that are shared with a Junos OS implementation.

Authentication of hello packets, partial sequence number PDU (PSNP), and complete sequence number PDU (CSNP) can be suppressed to enable interoperability with the routing software of different vendors. Different vendors handle authentication in various ways, and suppressing authentication for different PDU types might be the simplest way to allow compatibility within the same network.

To configure IS-IS to generate authenticated packets, but not to check the authentication on received packets, include the no-authentication-check statement:

To suppress authentication of IS-IS hello packets, include the no-hello-authentication statement:

To suppress authentication of PSNPs, include the no-psnp-authentication statement:

To suppress authentication of CSNPs, include the no-csnp-authentication statement:

For a list of hierarchy levels at which you can include these statements, see the statement summary sections for these statements.

Note:

The authentication and the no-authentication statements must be configured at the same hierarchy level. Configuring authentication at the [edit protocols isis interface interface-name] hierarchy level and configuring no-authentication at the [edit protocols isis] hierarchy level has no effect.