IS-IS Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

PDF

IS-IS Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

IS-IS authentication methods

Want to summarize with AI?

Log in

Introduces IS-IS authentication principles and provides configuration procedures for enabling authentication on IS-IS, outlining step-by-step instructions to secure IS-IS message exchanges.


IS-IS authentication is a protocol feature that

  • limits the establishment of adjacencies and the exchange of Link State Packets (LSPs) using password commands

  • provides options for both plain-text and HMAC-MD5 authentication to protect against unauthorized access and ensure data integrity, and

  • supports keychain configuration with hitless key rollover and adjustable tolerance for clock skew.

Table 1. Feature History Table

Feature Name

Release Information

Feature Description

HMAC-MD5 Authentication

Release 25.4.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100], 8700 [ASIC: K100])(select variants only*)

*This feature is supported on:

  • 8711-48Z-M

  • 8011-12G12X4Y-A

  • 8011-12G12X4Y-D

HMAC-MD5 Authentication

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*)

*This feature is supported on Cisco 8011-4G24Y4H-I routers.

HMAC-MD5 Authentication

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

We have enhanced security for IS-IS protocol through authentication, preventing unauthorized devices from forming adjacencies with the router. HMAC-MD5 passwords ensure data integrity by using cryptographic checksums instead of sending passwords over the network.

*This feature is supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

Types of IS-IS authentication

IS-IS supports two main authentication types:

  • Plain-text authentication: Provides minimal protection. The password is configured on the router and is transmitted in clear text within IS-IS packets, making it visible to anyone able to capture these packets.

  • HMAC-MD5 authentication: Offers enhanced security. The password itself is not sent, but is used to generate a cryptographic checksum, which protects the integrity of the exchanged data.

IS-IS authentication commands

IS-IS authentication uses specific commands to secure routing communications.

  • Use the hello-password command to restrict adjacency formation between routers.

  • Use the lsp-password command to limit the exchange of Link State Packets (LSPs).

  • The area password is set at Level 1; the domain password is set at Level 2 using the lsp-password command.

Password configuration methods

IS-IS authentication passwords can be entered as

  • Clear text (plain): Directly visible and used in packets.

  • Encrypted form: Stored securely, but the plain-text password is still exchanged in certain packets (LSPs, SNPs, hello).

Global keychain configuration

The IS-IS keychain feature allows the protocol to reference globally configured keychains.

  • Keychains are used for hello and LSP authentication, configurable at both the router and interface levels.

  • Commands referencing the global keychain configuration direct IS-IS to obtain security parameters from the configured set.

Hitless key rollover and tolerance

IS-IS can implement hitless key rollover using keychains.

  • Key rollover is time-based; in the event of clock skew between peers, the rollover process may be affected.

  • The configurable tolerance setting allows you to extend the accept window (before and after) to accommodate time differences, ensuring seamless authentication transitions.


Configure authentication for IS-IS

Configure IS-IS authentication to protect routing protocol exchanges and enhance security.

IS-IS authentication is used to secure routing messages by requiring a password, ensuring the integrity of route announcements, and preventing unauthorized changes to routing tables. This task is optional but recommended for maintaining network security.

Before you begin

  • Decide which authentication method and password to use (for example, HMAC-MD5 or cleartext).

  • Identify the interfaces requiring IS-IS authentication.

Procedure

1.

Configure the IS-IS LSP authentication password.

Example:


Router(config)# router isis isp
Router(config-isis)# lsp-password hmac-md5 clear password1 level 1
  • Use hmac-md5 for HMAC-MD5 authentication or text for cleartext authentication.

  • Use clear for unencrypted or encrypted for encrypted password entry.

  • level 1 applies authentication to area LSPs/SNPs; level 2 applies it to backbone LSPs/SNPs.

  • send-only authenticates only sent messages; snp send-only disables SNP password checking.

2.

Enter interface configuration mode for each interface where you want IS-IS authentication.

Example:


Router(config-isis)# interface GigabitEthernet 0/1/0/3
                           
                            
3.

Configure the IS-IS Hello authentication password on the interface.

Example:


Router(config-isis-if)# hello-password text clear mypassword

This enables authentication for IS-IS Hello packets on this interface.