This section covers ISIS authentication types, since authentication in ISIS works a little differently from other routing protocols.
There are two types of authentication in ISIS: authentication of Hello packets, and authentication of the other ISIS packets such as LSP, CSNP and PSNP.
ISIS Authentication Types
Hello Packet Authentication
The hello packet is authenticated at the interface level. Depending on the interface type, L1 authentication can be separate from L2 authentication. In other words, on a LAN interface, where the L1 hello is sent separately from the L2 hello, authentication can be done for each level individually, but on a point-to-point interface, where only one kind of hello is sent, L1 authentication is the same as L2.
Other ISIS Packet Authentication
The second type of authentication relates to the other ISIS packets. Since routers have no right to modify these ISIS packets, their authentication takes place in the scope of the area or the entire ISIS domain, depending on the level of the ISIS packet.
In other words, this type of authentication is activated at the ISIS process level. If it is activated for L1, all ISIS routers in the same area must use the same password, and if it is activated for L2, all ISIS routers in the entire domain must use the same password.
Therefore, in ISIS, for hello authentication, we enable it at the interface level, but for the authentication of other ISIS packets, we will activate it at the ISIS process level for L1 or L2 packets. If L1 or L2 authentication is not specified, both will be included.
Hello Packet Authentication Configuration
To configure hello packet authentication, we enable it at the interface level, and the neighboring routers on the same link must use the same password.
First we configure a key chain globally, then set the authentication mode at the interface level, which can be clear text or MD5, and finally we reference the configured key chain on the interface.
key chain CHAIN1
 key 1
  key-string RAYKA
!
IOU1(config-if)#isis authentication mode ?
  md5   Keyed message digest
  text  Clear text password
!
IOU1(config-if)#isis authentication key-chain CHAIN1 ?
  level-1  ISIS authentication for level-1 PDUs
  level-2  ISIS authentication for level-2 PDUs
  <cr>
One point to note in authentication configuration is that, unlike OSPF, which requires both the “key” and “key ID” parameters, in ISIS the “key ID” parameter is only locally significant: it has no effect on authentication and is not carried in any of the ISIS packets.
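What the two modes place in the PDU, as an added Python example that is not from the original page: the authentication TLV (type 10) carries the password itself in text mode and a 16-byte HMAC-MD5 digest (RFC 5304) in md5 mode, and in neither case a key ID. Assumptions: the 8-byte header and the sample PDU are constructed stand-ins, and the header length field and the LSP checksum and lifetime zeroing that RFC 5304 requires are left out.

```python
import hashlib
import hmac

AUTH_TLV = 10        # Authentication Information TLV
AUTH_TEXT = 1        # "text" mode: cleartext password
AUTH_HMAC_MD5 = 54   # "md5" mode: HMAC-MD5 (RFC 5304)
HEADER_LEN = 8       # constructed stand-in for the fixed PDU header

def text_tlv(password: bytes) -> bytes:
    """Text mode: the password itself is the TLV value, readable on the wire."""
    return bytes([AUTH_TLV, 1 + len(password), AUTH_TEXT]) + password

def sign_md5(pdu: bytes, key: bytes) -> bytes:
    """Append TLV 10, then fill it with HMAC-MD5 computed with the digest zeroed."""
    unsigned = pdu + bytes([AUTH_TLV, 17, AUTH_HMAC_MD5]) + bytes(16)
    digest = hmac.new(key, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + digest

def find_auth(pdu: bytes):
    """Walk the TLVs; return (auth_type, value_offset, value_len) or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        if pos + 2 + tlv_len > len(pdu):
            return None  # truncated TLV: treat the PDU as unauthenticated
        if tlv_type == AUTH_TLV and tlv_len >= 1:
            return pdu[pos + 2], pos + 3, tlv_len - 1
        pos += 2 + tlv_len
    return None

def verify_md5(pdu: bytes, key: bytes) -> bool:
    """Receiver side: zero the digest, recompute, compare in constant time."""
    found = find_auth(pdu)
    if found is None or found[0] != AUTH_HMAC_MD5 or found[2] != 16:
        return False
    off = found[1]
    zeroed = pdu[:off] + bytes(16) + pdu[off + 16:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pdu[off:off + 16])

# Constructed sample: 8 header bytes plus one area-address TLV (49.0001).
SAMPLE_PDU = bytes(8) + bytes([1, 4, 3, 0x49, 0x00, 0x01])
SIGNED = sign_md5(SAMPLE_PDU, b"RAYKA")  # key-string from the page's key chain
```

Because only the key-string enters the digest, two routers whose key chains use different key numbers but the same key-string produce PDUs that verify against each other.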
Other ISIS Packet Authentication Configuration
To configure authentication of the other ISIS packets, we enable it at the ISIS process level. If you enable authentication at the L1 level, all routers in the area must have the same password. If you enable L2 authentication, it is essential that all ISIS routers in the entire domain have the same password.
key chain CHAIN1
 key 1
  key-string RAYKA
!
IOU1(config-router)#authentication mode ?
  md5   Keyed message digest
  text  Clear text password
!
IOU1(config-router)#authentication key-chain CHAIN1 ?
  level-1  ISIS authentication for level-1
  level-2  ISIS authentication for level-2
  <cr>