Introduces IS-IS authentication principles and provides configuration procedures for enabling authentication on IS-IS, outlining step-by-step instructions to secure IS-IS message exchanges.
IS-IS authentication is a protocol feature that
-
limits the establishment of adjacencies and the exchange of Link State Packets (LSPs) using password commands
-
provides options for both plain-text and HMAC-MD5 authentication to protect against unauthorized access and ensure data integrity, and
-
supports keychain configuration with hitless key rollover and adjustable tolerance for clock skew.
| Feature Name |
Release Information |
Feature Description |
|---|---|---|
| HMAC-MD5 Authentication |
Release 25.4.1 |
Introduced in this release on: Fixed Systems (8010 [ASIC: A100], 8700 [ASIC: K100])(select variants only*) *This feature is supported on:
|
| HMAC-MD5 Authentication |
Release 25.1.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*) *This feature is supported on Cisco 8011-4G24Y4H-I routers. |
| HMAC-MD5 Authentication |
Release 24.4.1 |
Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only*) We have enhanced security for IS-IS protocol through authentication, preventing unauthorized devices from forming adjacencies with the router. HMAC-MD5 passwords ensure data integrity by using cryptographic checksums instead of sending passwords over the network. *This feature is supported on:
|
Types of IS-IS authentication
IS-IS supports two main authentication types:
-
Plain-text authentication: Provides minimal protection. The password is configured on the router and is transmitted in clear text within IS-IS packets, making it visible to anyone able to capture these packets.
-
HMAC-MD5 authentication: Offers enhanced security. The password itself is not sent, but is used to generate a cryptographic checksum, which protects the integrity of the exchanged data.
IS-IS authentication commands
IS-IS authentication uses specific commands to secure routing communications.
-
Use the hello-password command to restrict adjacency formation between routers.
-
Use the lsp-password command to limit the exchange of Link State Packets (LSPs).
-
The area password is set at Level 1; the domain password is set at Level 2 using the lsp-password command.
Password configuration methods
IS-IS authentication passwords can be entered as
-
Clear text (plain): Directly visible and used in packets.
-
Encrypted form: Stored securely, but the plain-text password is still exchanged in certain packets (LSPs, SNPs, hello).
Global keychain configuration
The IS-IS keychain feature allows the protocol to reference globally configured keychains.
-
Keychains are used for hello and LSP authentication, configurable at both the router and interface levels.
-
Commands referencing the global keychain configuration direct IS-IS to obtain security parameters from the configured set.
Hitless key rollover and tolerance
IS-IS can implement hitless key rollover using keychains.
-
Key rollover is time-based; in the event of clock skew between peers, the rollover process may be affected.
-
The configurable tolerance setting allows you to extend the accept window (before and after) to accommodate time differences, ensuring seamless authentication transitions.