The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module describes processes that you can follow to enhance network security when you use Intermediate System-to-Intermediate System (IS-IS) in your network. You can set passwords, prevent unauthorized routers from forming adjacencies with routers in your IS-IS network, and use the IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication feature.
Before performing the tasks in this module, you should be familiar with the concepts described in the "Integrated IS-IS Routing Protocol Overview" and "Configuring a Basic IS-IS Network" modules.
It is assumed you already have IS-IS running on your network.
It is recommended that you configure the security features described in this module in order to prevent unauthorized routing messages from being placed into the network routing domain. You can set an authentication password for each interface, as well as set an area password for each IS-IS area to prevent unauthorized devices from injecting false routing information into the link-state database, or you can configure a type of IS-IS authentication--either IS-IS HMAC-MD5 or enhanced clear text authentication.
The following sections describe configuration tasks for IS-IS authentication. Two types of authentication are supported: IS-IS HMAC-MD5 and clear text. The task you perform depends on whether you are introducing authentication or migrating from an existing authentication scheme.
Before you can configure authentication, you must make the following decisions:
Whether to configure authentication for the IS-IS instance and/or for individual IS-IS interfaces (both tasks are included in this section).
At what level(s) authentication is to be used.
What type of authentication (IS-IS HMAC-MD5 or clear text) is to be used.
New style IS-IS authentication (IS-IS HMAC-MD5 and clear text) provides a number of advantages over the old style password configuration commands that were described in the previous sections, "Setting an Authentication Password for each Interface" and "Setting a Password at Level 1".
Passwords are encrypted when the software configuration is displayed.
Passwords are easier to manage and change.
Passwords can be rolled over to new passwords without disrupting network operations.
Non-disruptive authentication transitions are supported by allowing configuration which allowed the router to accept PDUs without authentication or with stale authentication information, yet send PDUs with current authentication. Such transitions are useful when you are migrating from no authentication to some type of authentication, when you are changing authentication type, and when you are changing keys.
IS-IS has five PDU types: link state PDU (LSP), LAN Hello, Point-to-Point Hello, complete sequence number PDU (CSNP), and partial sequence number PDU (PSNP). IS-IS HMAC-MD5 authentication or clear text password authentication can be applied to all five PDU types. The authentication can be enabled on different IS-IS levels independently. The interface-related PDUs (LAN Hello, Point-to-Point Hello, CSNP, and PSNP) can be enabled with authentication on different interfaces, with different levels and different passwords.
IS-IS clear text (plain text) authentication provides the same functionality as is provided by using the area-password or domain-password command. However, use of clear text authentication takes advantage of the more flexible key management capabilities described above.
IS-IS now supports MD5 authentication, which is more secure than clear text authentication. IS-IS HMAC-MD5 authentication adds an HMAC-MD5 digest to each IS-IS protocol data unit (PDU). HMAC is a mechanism for message authentication codes (MACs) using cryptographic hash functions. The digest allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing messages from being injected into the network routing domain.
MD5 authentication or clear text authentication can be enabled on Level 1 or Level 2 independently.
Passwords can be rolled over to new passwords without disrupting routing messages.
For the purpose of network transition, you can configure the networking device to accept PDUs without authentication or with wrong authentication information, yet send PDUs with authentication. Such transition might be because you are migrating from no authentication to some type of authentication, you are changing authentication type, or you are changing keys.
Before you migrate from using one type of security authentication to another, all routers must be loaded with the new image that supports the new authentication type. The routers will continue to use the original authentication method until all routers have been loaded with the new image that supports the new authentication method, and all routers have been configured to use the new authentication method. Once all routers are loaded with the required image, you must follow the configuration steps for the desired new authentication method as described in the previous Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface . You also must decide whether to configure authentication for the IS-IS area or for individual IS-IS interfaces. Both tasks are included in the referenced section.
 Note |
To achieve a smooth transition from one authentication method to another, allowing for continuous authentication of IS-IS PDUs, perform the task steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router. |
When you configure MD5 authentication, the area-password and domain-password command settings will be overridden automatically with the new authentication commands. When you configure MD5 authentication, the isis password command setting will be overridden automatically with the new authentication commands.
The benefits of migrating from the old method of clear text authentication to the new method of clear text authentication are as follows:
Passwords are easier to change and maintain.
Passwords can be encrypted when the system configuration is being displayed (if you use key management).
ISIS supports both plain text and cryptographic authentication. However, only one authentication scheme can be configured at a time:
Configure plain text authentication using the area-password command.
Configure cryptographic authentication using the authentication key-chain command for MD5, SHA, or other authentication schemes.
The following behavioral change was introduced that impacts the ISIS authentication configuration method.
Starting with Release 16.10.1, the authentication key-chain command can be used to enable cryptographic authentication. Therefore, plain text authentication cannot be configured using the area-password command if the authentication key-chain command is already configured.
Device#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)#router isis abc
Device(config-router)#authentication key-chain isis-key
Device(config-router)#area-password text-pw
%Please configure password using authentication command
Device(config-router)
Since the new software does not allow configuration of the authentication key-chain command to coexist with the area-password command, the behavior change will cause a service interruption when a device is upgraded. This command will be automatically deleted from the new configuration.
Note |
The password is exchanged as plain text and thus provides only limited security. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
interface type number Example: |
Enters interface configuration mode. |
|
Step 4 |
isis password password [level-1 | level-2 ] Example: |
Configures the authentication password for an interface.
|
|
Step 5 |
Repeat Step 4 for each interface password that you want to set. |
-- |
|
Step 6 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 7 |
show ip interface [type number ] [brief ] Example: |
Displays the usability status of interfaces configured for IP. |
Note |
This password is exchanged as plain text, and, thus, this feature provides only limited security. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
router isis [area- tag ] Example: |
Enables IS-IS as an IP routing protocol and assigns a tag to a process, if required.
|
|
Step 4 |
area-password password Example: |
Configures the IS-IS area authentication password.
|
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
Note |
This password is exchanged as plain text, and, thus, this feature provides only limited security. |
| Command or Action | Purpose | |||||||
|---|---|---|---|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||||||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||||||
|
Step 3 |
router isis [area-tag ] Example: |
Enables IS-IS as an IP routing protocol and assigns a tag to a process, if required.
|
||||||
|
Step 4 |
domain-password password [authenticate snp {validate | send-only }] Example: |
Configures the IS-IS routing domain authentication password.
|
||||||
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
In order to use HMAC-MD5 or clear text authentication with encrypted keys, the Integrated IS-IS routing protocol must be configured.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
key chain name-of-chain Example: |
Enables authentication for routing protocols and identifies a group of authentication keys. |
|
Step 4 |
key key-id Example: |
Identifies an authentication key on a key chain.
|
|
Step 5 |
key-string text Example: |
Specifies the authentication string for a key.
|
|
Step 6 |
exit Example: |
Returns to keychain configuration mode. |
|
Step 7 |
exit Example: |
Returns to global configuration mode. |
|
Step 8 |
router isis [area- tag ] Example: |
Enables IS-IS as an IP routing protocol and assigns a tag to a process, if required.
|
|
Step 9 |
authentication send-only [level-1 | level-2 ] Example: |
Specifies for the IS-IS instance that MD5 authentication is performed only on IS-IS PDUs being sent (not received). |
|
Step 10 |
Repeat Steps 1 through 9 on each device that will communicate. |
Use the same key string on each device. |
|
Step 11 |
authentication key-chain name-of-chain [level-1 | level-2 ] Example: |
Enables MD5 authentication for the IS-IS instance. |
|
Step 12 |
Repeat Steps 11 and 12 on each router that will communicate. |
-- |
|
Step 13 |
no authentication send-only Example: |
Specifies for the IS-IS instance that MD5 authentication is performed on IS-IS PDUs being sent and received.
|
|
Step 14 |
Repeat Step 14 on each device that will communicate. |
-- |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
key chain name-of-chain Example: |
Enables authentication for routing protocols and identifies a group of authentication keys. |
|
Step 4 |
key key-id Example: |
Identifies an authentication key on a key chain.
|
|
Step 5 |
key-string text Example: |
Specifies the authentication string for a key.
|
|
Step 6 |
exit Example: |
Returns to keychain configuration mode. |
|
Step 7 |
exit Example: |
Returns to global configuration mode. |
|
Step 8 |
interface type number Example: |
Configures an interface. |
|
Step 9 |
isis authentication send-only [level-1 | level-2 ] Example: |
Specifies that authentication is performed only on PDUs being sent (not received) on a specified IS-IS interface. |
|
Step 10 |
Repeat Steps 1 through 9 on each device that will communicate. |
Use the same key string on each device. |
|
Step 11 |
isis authentication key-chain name-of-chain [level-1 | level-2 ] Example: |
Enables MD5 authentication for an IS-IS interface. |
|
Step 12 |
Repeat Steps 11 and 12 on each router that will communicate. |
-- |
|
Step 13 |
no isis authentication send-only Example: |
Specifies that authentication is performed on PDUs being sent and received on a specified IS-IS interface. |
|
Step 14 |
Repeat Step 14 on each device that will communicate. |
-- |
|
Step 1 |
Load all devices with the image required to support the new, desired authentication method. |
|
Step 2 |
Configure the new authentication mode on both the interface and the IS-IS area by following the appropriate tasks in the Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
key chain name-of-chain Example: |
Enables authentication for routing protocols and identifies a group of authentication keys. |
|
Step 4 |
key key-id Example: |
Identifies an authentication key on a key chain.
|
|
Step 5 |
key-string text Example: |
Specifies the authentication string for a key.
|
|
Step 6 |
exit Example: |
Returns to keychain configuration mode. |
|
Step 7 |
exit Example: |
Returns to global configuration mode. |
|
Step 8 |
interface type number Example: |
Configures an interface. |
|
Step 9 |
isis authentication key-chain name-of-chain [level-1 | level-2 ] Example: |
Enables MD5 authentication for an IS-IS interface. |
The following example configures a key chain and key for IS-IS HMAC-MD5 authentication for GigabitEthernet interface 3/0/0 (on Hello PDUs) and for the IS-IS instance (on LSP, CSNP, and PSNP PDUs).
!
key chain cisco
key 100
key-string tasman-drive
!
interface GigabitEthernet3/0/0
ip address 10.1.1.1 255.255.255.252
ip router isis real_secure_network
isis authentication key-chain cisco level-1
!
router isis real_secure_network
net 49.0000.0101.0101.0101.00
is-type level-1
authentication key-chain cisco level-1
!The following example configures a key chain and key for IS-IS clear text authentication for GigabitEthernet interface 3/0/0 (on Hello PDUs) and for the IS-IS instance (on LSP, CSNP, and PSNP PDUs).
!
key chain cisco
key 100
key-string tasman-drive
!
interface GigabitEthernet3/0/0
ip address 10.1.1.1 255.255.255.252
ip router isis real_secure_network
isis authentication key-chain cisco level-1
!
router isis real_secure_network
net 49.0000.0101.0101.0101.00
is-type level-1
authentication key-chain cisco level-1
!|
Related Topic |
Document Title |
|---|---|
|
IPv6 addressing and connectivity |
IPv6 Configuration Guide |
|
Cisco IOS commands |
|
|
IPv6 commands |
|
|
Cisco IOS IPv6 features |
|
|
IPv6 Routing: IS-IS Multitopology Support for IPv6 |
“ Reducing Link Failure and Topology Change Notification Times in IS-IS Networks ” module |
|
Standard/RFC |
Title |
|---|---|
|
RFCs for IPv6 |
IPv6 RFCs |
|
MIB |
MIBs Link |
|---|---|
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feedback