Enhancing IS-IS network security
To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS authentication
involves neighbor relationship authentication, area authentication, and routing domain authentication.
Configuration prerequisites
Before the configuration, complete the following tasks:
Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
•
Enable IS-IS.
•
Configuring neighbor relationship authentication
With neighbor relationship authentication configured, an interface adds the password in the specified
mode into hello packets to the peer and checks the password in the received hello packets. If the
authentication succeeds, it forms the neighbor relationship with the peer.
The authentication mode and password at both ends must be identical.
To configure neighbor relationship authentication:
Step
1.
Enter system view.
2.
Enter interface view.
3.
Specify the authentication
mode and password.
Configuring area authentication
Area authentication prevents the router from installing routing information from untrusted routers into the
Level- 1 LSDB. The router encapsulates the authentication password in the specified mode in Level- 1
packets (LSP, CSNP, and PSNP) and checks the password in received Level- 1 packets.
Routers in a common area must have the same authentication mode and password.
To configure area authentication:
Step
1.
Enter system view.
2.
Enter IS-IS view.
Command
system-view
interface interface-type interface-number
isis authentication-mode { md5 | simple |
gca key-id { hmac-sha-1 | hmac-sha-224
| hmac-sha-256 | hmac-sha-384 |
hmac-sha-512 } } { cipher cipher-string |
plain plain-string } [ level-1 | level-2 ] [ ip
| osi ]
Command
system-view
isis [ process-id ] [ vpn-instance
vpn-instance-name ]
150
Remarks
N/A
N/A
By default, no authentication
is configured.
Remarks
N/A
N/A