This chapter describes how to set the FabricPath Intermediate System-to-Intermediate System (IS-IS) authentication parameters on the Cisco Nexus 5500 Series switches.
Note: For information about the prerequisites, guidelines and limitations, and licensing requirements for FabricPath, see Chapter 1, “Overview.”
FabricPath allows the authentication of IS-IS hello protocol data units (PDUs) and IS-IS link-state packets (LSPs). Authentication for IS-IS LSPs is configured globally, under the fabricpath domain default command configuration, whereas authentication for IS-IS hello PDUs is configured under the interface command configuration. The configuration structure is identical for both IS-IS hello PDUs and IS-IS LSPs.
Although the FabricPath Layer 2 IS-IS protocol works automatically after you enable FabricPath, you can optionally configure the global parameters.
| Command | Purpose |
|---|---|
| | Enters the global FabricPath Layer 2 IS-IS configuration mode. |
| | (Optional) Configures an authentication check when the switch receives a PDU. The authentication check is On by default. (To turn off the authentication check, enter the no form of this command.) |
| authentication key-chain auth-key-chain-name switch(config-fabricpath-isis)# switch(config-fabricpath-isis)# An example of creating a key-chain is as follows: | (Optional) Configures the authentication key chain. (To clear this parameter, enter the no form of this command.) The auth-key-chain-name is the name of a key chain. A maximum of 63 alphanumeric characters is allowed. See the Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 6.0 for information about key chains. |
| authentication-type {cleartext \| md5} | (Optional) Configures the authentication type. (To clear this parameter, enter the no form of this command.) |
Although the FabricPath Layer 2 IS-IS protocol works automatically after you enable FabricPath, you can optionally configure the interface parameters.
| Command | Purpose |
|---|---|
| interface {ethernet mod/slot \| port-channel channel-number} | Enters the interface configuration mode and specifies the interfaces that you want to configure. The slot can be from 1 to 3. The following list defines the slots available: The port number within a particular slot can be from 1 to 128. The port channel number assigned to the EtherChannel logical interface can be from 1 to 4096. |
| fabricpath isis authentication-check | (Optional) Enables an authentication check on the incoming FabricPath Layer 2 IS-IS PDUs for the interface. The authentication check is On by default. (To turn off the authentication check, enter the no form of this command.) |
| fabricpath isis authentication key-chain auth-key-chain-name Example: switch(config-if)# fabricpath isis authentication key-chain trees An example of creating a key-chain is as follows: | (Optional) Assigns a password to authenticate hello PDUs. (To remove the password, enter the no form of this command.) The auth-key-chain-name is the name of a key chain. A maximum of 63 alphanumeric characters is allowed. See the Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 6.0 for information about key chains. |
| fabricpath isis authentication-type {cleartext \| md5} | (Optional) Specifies the authentication type for an interface for FabricPath Layer 2 IS-IS hello PDUs. (To remove the authentication type, enter the no form of this command.) |
The authentication-check command enables authentication and the no authentication-check command disables authentication without interrupting the FabricPath setup. The no authentication-check command informs IS-IS to send PDUs or LSPs with authentication, but not to verify the authentication of the received PDUs or LSPs. In the first step of the configuration roll-out, the authentication process allows the sending of the authenticated hello PDUs and LSPs in the entire fabric without disrupting the service. In the second step, the security mechanism is activated by applying the authentication-check command on all the fabric nodes and interfaces.
Note: If you use LSP authentication on a FabricPath, you must also enable LSP authentication on all the FabricPath nodes. Otherwise, the FabricPath will not function properly.
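The following readiness audit for the two-step roll-out is an added example, not Cisco code. It scans configuration excerpts from every fabric node and reports which scopes still send unauthenticated PDUs (so the authentication check must not be turned on yet), which are not yet verifying, and which use cleartext. The node names, the sample excerpts, the function names and the assumed running-config layout (indented child lines, a disabled check rendered as a `no ...` line) are assumptions.

```python
# Constructed configuration excerpts (not captured from real switches).
# Assumption: every interface shown is a FabricPath core port.
CONFIGS = {
    "leaf1": """fabricpath domain default
  authentication-type md5
  authentication key-chain trees
  no authentication-check
interface port-channel10
  fabricpath isis authentication-type md5
  fabricpath isis authentication key-chain trees
  no fabricpath isis authentication-check
""",
    "leaf2": """fabricpath domain default
  authentication-type cleartext
  authentication key-chain trees
interface ethernet1/1
  fabricpath isis authentication-type md5
""",
}

def audit(config):
    """Return {scope: set of tags} for the LSP (global) and hello (interface) scopes."""
    report, tags, prefix = {}, None, ""
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line[0].isspace():  # an unindented line opens a new config section
            tags = None
            if text == "fabricpath domain default" or text.startswith("interface "):
                prefix = "fabricpath isis " if text.startswith("interface ") else ""
                tags = report[text] = {"no-key-chain"}
        elif tags is not None:
            if text.startswith(prefix + "authentication key-chain "):
                tags.discard("no-key-chain")  # this scope sends authenticated PDUs
            elif text == prefix + "authentication-type cleartext":
                tags.add("cleartext")
            elif text == "no " + prefix + "authentication-check":
                tags.add("check-off")  # received PDUs are not verified
    return report

def scopes_with(configs, tag):
    """Sorted (node, scope) pairs carrying a tag across the whole fabric."""
    return sorted((node, scope) for node, cfg in configs.items()
                  for scope, tags in audit(cfg).items() if tag in tags)

if __name__ == "__main__":
    print("must fix before enabling the check:", scopes_with(CONFIGS, "no-key-chain"))
    print("check still off:", scopes_with(CONFIGS, "check-off"))
```

An empty `no-key-chain` list across all nodes is the condition for moving to the second step; the `check-off` list is then the set of scopes where the authentication check still has to be applied.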