Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring Hitless Authentication Key Rollover for IS-IS

This example shows how to configure hitless authentication key rollover for IS-IS.

Requirements

No special configuration beyond device initialization is required before configuring hitless authentication key rollover for IS-IS.

Overview

Authentication guarantees that only trusted routers participate in routing updates. This keychain authentication method is referred to as hitless because the keys roll over from one to the next without resetting any peering sessions or interrupting the routing protocol. Junos OS supports both RFC 5304, IS-IS Cryptographic Authentication and RFC 5310, IS-IS Generic Cryptographic Authentication.

This example includes the following statements for configuring the keychain:

  • algorithm—For each key in the keychain, you can specify an encryption algorithm. The algorithm can be SHA-1 or MD-5.

  • key—A keychain can have multiple keys. Each key within a keychain must be identified by a unique integer value. The range of valid identifier values is from 0 through 63.

  • key-chain—For each keychain, you must specify a name. This example defines two keychains: base-key-global and base-key-inter.

  • options—For each key in the keychain, you can specify the encoding for the message authentication code:isis-enhanced or basic. The basic (RFC 5304) operation is enabled by default.

    When you configure the isis-enhanced option, Junos OS sends RFC 5310-encoded routing protocol packets and accepts both RFC 5304-encoded and RFC 5310-encoded routing protocol packets that are received from other devices.

    When you configure basic (or do not include the options statement in the key configuration) Junos OS sends and receives RFC 5304-encoded routing protocols packets, and drops 5310-encoded routing protocol packets that are received from other devices.

    Because this setting is for IS-IS only, the TCP and the BFD protocols ignore the encoding option configured in the key.

  • secret—For each key in the keychain, you must set a secret password. This password can be entered in either encrypted or plain text format in the secret statement. It is always displayed in encrypted format.

  • start-time—Each key must specify a start time in UTC format. Control gets passed from one key to the next. When a configured start time arrives (based on the routing device’s clock), the key with that start time becomes active. Start times are specified in the local time zone for a routing device and must be unique within the key chain.

You can apply a keychain globally to all interfaces or more granularly to specific interfaces.

This example includes the following statements for applying the keychain to all interfaces or to particular interfaces:

  • authentication-key-chain—Enables you to apply a keychain at the global IS-IS level for all Level 1 or all Level 2 interfaces.

  • hello-authentication-key-chain—Enables you to apply a keychain at the individual IS-IS interface level. The interface configuration overrides the global configuration.

Topology

Figure 1 shows the topology used in the example.

Figure 1: Hitless Authentication Key Rollover for IS-ISHitless Authentication Key Rollover for IS-IS

This example shows the configuration for Router R0.

Configuration

Procedure

CLI Quick Configuration

To quickly configure the hitless authentication key rollover for IS-IS, copy the following commands and paste the commands into the CLI.

Step-by-Step Procedure

To configure hitless authentication key rollover for IS-IS:

  1. Configure the Router R0 interfaces.

  2. Configure one or more authentication keys.

  3. Apply the base-key-global keychain to all Level 1 IS-IS interfaces on Router R0.

  4. Apply the base-key-inter keychain to the ge-0/0/0.0 interface on Router R0.

  5. If you are done configuring the device, commit the configuration.

Results

Confirm your configuration by entering the show interfaces, show protocols, and show security commands.

Verification

To verify the configuration, run the following commands:

  • show isis authentication

  • show security keychain