IS-IS Authentication

I’ve been playing recently with IS-IS authentication and want to share some notes.

Almost every IGP’s authentication mechanism works the same way, but IS-IS is a little different.

Let’s start with a simple topology: two routers, RA and RB, connected over a broadcast network type.

[Topology diagram: RA and RB on a shared segment]

The configuration is basic: create the IS-IS routing process and enable the IS-IS instance under the interface.

Router A

router isis 1
 net 00.0000.0000.0002.00
interface Ethernet0/2
 ip address 10.1.2.2 255.255.255.0
 ip router isis 1
 isis circuit-type level-2-only

Router B

router isis 1
 net 00.0000.0000.0001.00
interface Ethernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip router isis 1

The neighborship is formed:

RA#show isis neighbors
Tag 1:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
RB             L2   Et0/2       10.1.2.1        UP    9        RB.04

and we see that Router B is elected as DIS (the Circuit Id RB.04 is RB’s system ID plus its pseudonode ID), which means it sends CSNPs every 10 seconds.

Now let’s enable authentication. There are two options, MD5 and clear-text; this time we will configure MD5 authentication.

Unlike the other IGP routing protocols, IS-IS can authenticate two things separately: the neighbor adjacency only, which adds MD5 authentication data to the IIH Hello PDUs, or the LSDB exchange, which authenticates the LSP, CSNP and PSNP packets exchanged after the neighbors form the adjacency. Both can be configured at the same time but at different configuration levels: IIH authentication is configured at the interface level and LSDB authentication under the IS-IS routing instance.

Let’s capture the IS-IS packets on Router A to make this more visible. Here are the IIH and CSNP packets without authentication.

[Packet capture: IIH without authentication]

[Packet capture: CSNP without authentication]

There is no authentication information in the PDUs. You can also see here that Router B, the DIS, sends CSNPs every 10 seconds.

[Packet capture: CSNPs sent by Router B]

RB#show int ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is aabb.cc00.1000 (bia aabb.cc00.1000)

Now enable authentication for IIH at the interface level.

Router B

RB(config)#key chain PASS
RB(config-keychain)#key 1
RB(config-keychain-key)#key-string PWD
RB(config-keychain-key)#int eth0/0
RB(config-if)#isis authentication mode md5
RB(config-if)#isis authentication key-chain PASS

Until Router A is also configured for authentication, Router B reports by syslog that IIH authentication has failed:

*Apr  3 13:05:03.529: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed

RA(config-keychain-key)#do show clns nei
Tag 1:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
RB             Et0/2       aabb.cc00.1000      Init   22        L2   IS-IS

and the adjacency is stuck in the Init state.

Router A

RA(config)#key chain PASS
RA(config-keychain)#key 1
RA(config-keychain-key)#key-string PWD
RA(config-keychain-key)#int eth0/2
RA(config-if)#isis authentication mode md5
RA(config-if)#isis authentication key-chain PASS

If we don’t specify a level after the isis authentication command, it is enabled for both Level 1 and Level 2 by default.

Now we see that the IIH Hello packet carries authentication information.

[Packet capture: IIH with authentication information]

We could enable authentication for the LSDB as well right now and have both mechanisms together. The difference between IS-IS and OSPF is that when LSDB authentication is enabled and the password or hash is incorrect, you can still form the neighborship and have the neighbor in the Up state, but the routing process does not process the LSP packets; this is not the case with OSPF.

Let’s remove authentication for IIH and enable it for the LSDB under the routing process.
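To show what the “authentication information” in these PDUs actually is, here is an added Python example (not from this post): it builds a constructed, simplified Level-2 LAN IIH, appends the Authentication Information TLV (type 10) and verifies it the way RFC 5304 defines HMAC-MD5 authentication, using the key-string PWD from above and the wrong key INCORRECT. The 8-byte header, the sample TLVs and all helper names are assumptions; real IIH and CSNP headers carry more fixed fields, but the HMAC rule is the same.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10        # IS-IS Authentication Information TLV (ISO 10589 / RFC 5304)
AUTH_CLEARTEXT = 1   # authentication type: clear-text password
AUTH_HMAC_MD5 = 54   # authentication type: HMAC-MD5 (what "authentication mode md5" uses)
L2_LAN_IIH = 16      # PDU type of a Level-2 LAN IIH
HDR = 8              # assumption: simplified 8-byte common header (real IIH/CSNP headers are longer)

def build_pdu(pdu_type, tlvs):
    """IRPD 0x83, header length, version/proto-id, ID length, PDU type, version, reserved, max areas, then TLVs."""
    header = struct.pack("!8B", 0x83, HDR, 1, 0, pdu_type, 1, 0, 0)
    return header + b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)

def find_tlv(pdu, wanted):
    """Return (offset of value, value) of the first TLV of type `wanted`, or None."""
    off = HDR
    while off + 2 <= len(pdu):
        t, length = pdu[off], pdu[off + 1]
        if t == wanted:
            return off + 2, pdu[off + 2:off + 2 + length]
        off += 2 + length
    return None

def sign(pdu_type, tlvs, key, auth_type=AUTH_HMAC_MD5):
    """Append TLV 10 and fill in the authentication value for the chosen mode."""
    if auth_type == AUTH_CLEARTEXT:
        return build_pdu(pdu_type, tlvs + [(AUTH_TLV, bytes([AUTH_CLEARTEXT]) + key)])
    # RFC 5304: HMAC-MD5 over the entire PDU with the 16-byte value zeroed
    # (for LSPs the checksum and remaining-lifetime fields are zeroed as well)
    pdu = build_pdu(pdu_type, tlvs + [(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + b"\x00" * 16)])
    return pdu[:-16] + hmac.new(key, pdu, hashlib.md5).digest()

def verify(pdu, key):
    """True if TLV 10 is present and checks out against `key`, False otherwise."""
    found = find_tlv(pdu, AUTH_TLV)
    if found is None:
        return False                      # unauthenticated PDU on an authenticated link
    off, value = found
    auth_type, auth_value = value[0], value[1:]
    if auth_type == AUTH_CLEARTEXT:
        return hmac.compare_digest(auth_value, key)
    if auth_type == AUTH_HMAC_MD5 and len(auth_value) == 16:
        zeroed = pdu[:off + 1] + b"\x00" * 16 + pdu[off + 17:]
        return hmac.compare_digest(auth_value, hmac.new(key, zeroed, hashlib.md5).digest())
    return False

SAMPLE_TLVS = [(129, b"\xcc"), (137, b"RB")]          # constructed: Protocols Supported (IPv4) + Hostname
SIGNED_IIH = sign(L2_LAN_IIH, SAMPLE_TLVS, b"PWD")   # key-string PWD from the post
```

A receiver with key INCORRECT rejects the same PDU, which is the wire-level counterpart of the %CLNS-4-AUTH_FAIL messages below.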

Router B

RB(config-if)#int eth0/0
RB(config-if)#no isis authentication mode md5
RB(config-if)#no isis authentication key-chain PASS
RB(config-if)#router isis 1
RB(config-router)#authentication mode md5
RB(config-router)#authentication key-chain PASS

Router A

RA(config-if)#int eth0/2
RA(config-if)#no isis authentication mode md5
RA(config-if)#no isis authentication key-chain PASS

Until we configure authentication under the routing process on Router A, Router B reports by syslog that authentication for LSP and PSNP is failing:

*Apr  3 13:18:14.939: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
*Apr  3 13:19:15.667: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed

The reason we don’t see a CSNP authentication error here is that CSNPs are not sent by default until the LSDB ages out; it is the DIS that sends CSNPs every 10 seconds, and they carry sequence numbers and checksums, not the routes themselves.

RA(config-if)#router isis 1
RA(config-router)#authentication mode md5
RA(config-router)#authentication key-chain PASS

We’ve removed authentication for IIH and enabled it for the LSDB; let’s capture it.

[Packet capture: CSNP with authentication information]

Now the CSNP carries authentication information as well. Let me configure an incorrect MD5 password on Router A.

Router A

RA(config)#key chain PASS
RA(config-keychain)#key 1
RA(config-keychain-key)#key-string INCORRECT

Router A complains about the CSNP authentication information:

*Apr  3 13:27:14.419: %CLNS-4-AUTH_FAIL: ISIS: CSNP authentication failed

RA#show clns neighbors
Tag 1:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
RB             Et0/2       aabb.cc00.1000      Up     7         L2   IS-IS

However, the neighborship stays in the Up state. But if we advertise a new network from Router B or from Router A to the other, neither installs it in its LSDB, while the old information is kept in the database until it ages out.

Hope you enjoyed ,

Thanks
