Enhancing IS-IS Network Security; Configuration Prerequisites; Configuring Neighbor Relationship Authentication; Configuring Area Authentication - HP FlexFabric 12900E Series Configuration Manual


Enhancing IS-IS network security

To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS
authentication involves neighbor relationship authentication, area authentication, and routing
domain authentication.

Configuration prerequisites

Before the configuration, complete the following tasks:
Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
Enable IS-IS.

Configuring neighbor relationship authentication

With neighbor relationship authentication configured, an interface adds the key in the specified mode
into hello packets to the peer and checks the key in the received hello packets. If the authentication
succeeds, it forms the neighbor relationship with the peer.
The authentication mode and key at both ends must be identical.
To prevent packet exchange failure in case of an authentication key change, configure the interface
not to check the authentication information in the received packets.
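
The hello check described above, and the reason a key change interrupts it, can be modelled in a few lines of Python. This is an added illustration, not code from the manual or from the device software. It assumes HMAC-MD5 authentication in the RFC 5304 TLV layout, a constructed hello body with the authentication TLV placed last, and hypothetical function names.

```python
import hashlib
import hmac

AUTH_TLV = 10   # IS-IS Authentication Information TLV type
HMAC_MD5 = 54   # HMAC-MD5 authentication type (RFC 5304)
BODY = b"constructed-hello-body"   # stand-in for the hello header and other TLVs

def build_hello(key: bytes, body: bytes = BODY) -> bytes:
    """Sender: append the auth TLV; the digest covers the PDU with the digest field zeroed."""
    zeroed = body + bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)
    return zeroed[:-16] + hmac.new(key, zeroed, hashlib.md5).digest()

def accept_hello(pdu: bytes, key: bytes, send_only: bool = False) -> bool:
    """Receiver: True if this hello may be used to form the neighbor relationship."""
    if send_only:
        return True    # received authentication information is not checked at all
    if pdu[-19:-16] != bytes([AUTH_TLV, 17, HMAC_MD5]):
        return False   # model assumption: the auth TLV is the last TLV in the PDU
    expected = hmac.new(key, pdu[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pdu[-16:])

def key_change(old: bytes, new: bytes, send_only: bool) -> list:
    """Change the key on router A first, then on B; report per stage whether
    hellos are accepted in both directions."""
    result = []
    for key_a, key_b in [(old, old), (new, old), (new, new)]:
        a_to_b = accept_hello(build_hello(key_a), key_b, send_only)
        b_to_a = accept_hello(build_hello(key_b), key_a, send_only)
        result.append(a_to_b and b_to_a)
    return result

if __name__ == "__main__":
    print("checking on :", key_change(b"old-key", b"new-key", send_only=False))
    print("send-only   :", key_change(b"old-key", b"new-key", send_only=True))
    # While send-only is set, a hello carrying no authentication is accepted too.
    print("unauthenticated hello accepted:",
          accept_hello(BODY, b"new-key", send_only=True))
```

Because checking of received hellos is suspended while send-only is set, unauthenticated hellos are accepted during that window; keep the window short and restore checking once both ends use the new key.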
To configure neighbor relationship authentication:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Specify the authentication mode and key.
  Command: isis authentication-mode { { gca key-id { hmac-sha-1 | hmac-sha-224 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 } [ nonstandard ] | md5 | simple } { cipher | plain } string | keychain keychain-name } [ level-1 | level-2 ] [ ip | osi ]
  Remarks: By default, no authentication is configured.

Step 4. (Optional.) Configure the interface not to check the authentication information in the received hello packets.
  Command: isis authentication send-only [ level-1 | level-2 ]
  Remarks: When the authentication mode and key are configured, the interface checks the authentication information in the received packets by default.

Configuring area authentication

Area authentication prevents the router from installing routing information from untrusted routers into
the Level-1 LSDB. The router encapsulates the authentication key in the specified mode in Level-1
packets (LSP, CSNP, and PSNP). It also checks the key in received Level-1 packets.
Routers in a common area must have the same authentication mode and key.
To prevent packet exchange failure in case of an authentication key change, configure IS-IS not to
check the authentication information in the received packets.
To configure area authentication:
