The isis authentication-mode command configures an IS-IS interface to authenticate Hello packets using the specified mode and password.
The undo isis authentication-mode command cancels the authentication and deletes the authentication information in Hello packets.
By default, no authentication information is added to Hello packets and no authentication is performed on received Hello packets.
isis authentication-mode { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]
isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
undo isis authentication-mode [ level-1 | level-2 ]
undo isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]
undo isis authentication-mode { simple { plain plain-text | cipher plain-cipher-text } | md5 { cipher plain-cipher-text | plain plain-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
undo isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | cipher plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.
Parameter | Description | Value |
---|---|---|
simple | Indicates that the password is transmitted in plain text. NOTICE: Simple authentication has potential risks. HMAC-SHA256 cipher text authentication is recommended. | - |
plain plain-text | Indicates that the password is in plain text. Only a plain-text password can be entered. The password in the configuration file is displayed in plain text. NOTICE: If plain is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text. | The value is a string of case-sensitive characters. It contains letters and digits without spaces. In simple authentication mode, the value is a string of 1 to 16 characters. In md5 or hmac-sha256 authentication mode, the value is a string of 1 to 255 characters. |
cipher plain-cipher-text | Indicates that the password is in cipher text. A plain-text or cipher-text password can be entered. The password in the configuration file is displayed in cipher text. By default, the password is in cipher text. | The value is a string of case-sensitive characters. It contains letters and digits without spaces. In simple authentication mode, the value is a string of 1 to 16 characters in plain text or a string of 32 characters in cipher text. In md5 or hmac-sha256 authentication mode, the value is a string of 1 to 255 characters in plain text or a string of 20 to 392 characters in cipher text. |
md5 | Indicates that the password to be transmitted is encrypted using MD5. NOTICE: MD5 authentication has potential risks. HMAC-SHA256 cipher text authentication is recommended. | - |
level-1 | Indicates Level-1 authentication. When the link type of an IS-IS interface is Level-1-2, if level-1 and level-2 are not specified, both Level-1 and Level-2 Hello packets are configured with the authentication mode and password. | - |
level-2 | Indicates Level-2 authentication. When the link type of an IS-IS interface is Level-1-2, if level-1 and level-2 are not specified, both Level-1 and Level-2 Hello packets are configured with the authentication mode and password. | - |
ip | Indicates the IP authentication password. This parameter cannot be configured in keychain authentication mode. If parameters ip and osi are not specified, the parameter osi is used by default. | - |
osi | Indicates the OSI authentication password. This parameter cannot be configured in keychain authentication mode. If parameters ip and osi are not specified, the parameter osi is used by default. | - |
send-only | Encapsulates sent Hello packets with authentication information but does not authenticate received Hello packets. | - |
keychain keychain-name | Indicates that the password is a keychain that changes with time. This parameter takes effect only when keychain-name is set using the keychain command. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
hmac-sha256 | Encapsulates generated packets with the HMAC-SHA256 authentication and a password encrypted by the HMAC-SHA256 algorithm and authenticates received packets. | - |
key-id key-id | Indicates the key ID of the HMAC-SHA256 algorithm. | It is an integer ranging from 0 to 65535. |
To improve network security, authenticate received packets or encapsulate sent packets with authentication information. Only the packets that pass the authentication can be transmitted on the network.
You can use the isis authentication-mode command to discard the Hello packets whose authentication passwords are different from the authentication password configured using this command. At the same time, IS-IS adds the configured interface authentication password into all the Hello packets sent from the local node.
Prerequisites
IS-IS has been enabled on the interface using the isis enable command.
Precautions
If a broadcast interface is emulated as a P2P interface using the isis circuit-type command and then restored to the broadcast interface using the undo isis circuit-type command, the authentication configuration of the IS-IS area is restored to the default setting.
# Set the HMAC-SHA256 authentication password to admin@huawei with key ID 33 on VLANIF100.
<HUAWEI> system-view
[HUAWEI] isis
[HUAWEI-isis-1] network-entity 01.0000.0000.0001.00
[HUAWEI-isis-1] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] isis enable 1
[HUAWEI-Vlanif100] isis authentication-mode hmac-sha256 key-id 33 cipher admin@huawei
# Set the HMAC-SHA256 authentication password to admin@huawei with key ID 33 on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] isis
[HUAWEI-isis-1] network-entity 01.0000.0000.0001.00
[HUAWEI-isis-1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] isis enable 1
[HUAWEI-GigabitEthernet0/0/1] isis authentication-mode hmac-sha256 key-id 33 cipher admin@huawei
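The following is an added example, not part of the original command reference: a small Python auditor that applies the NOTICE entries and default-behaviour statements above to a saved configuration, flagging simple/md5 modes, plain storage, send-only, an out-of-range key-id, and IS-IS interfaces with no authentication-mode at all. The sample configuration (interface names, password, cipher placeholder), the function names and the finding texts are assumptions of this example.

```python
import re
# Constructed sample in the style of a saved configuration; all values are made up.
SAMPLE = """\
interface Vlanif100
 isis enable 1
 isis authentication-mode hmac-sha256 key-id 33 cipher CIPHERTEXT-PLACEHOLDER
interface Vlanif200
 isis enable 1
 isis authentication-mode md5 plain Secret123 level-1
interface Vlanif300
 isis enable 1
 isis authentication-mode simple cipher CIPHERTEXT-PLACEHOLDER send-only
interface Vlanif400
 isis enable 1
"""

def audit_auth(args):
    """Findings for the tokens that follow 'isis authentication-mode'."""
    mode, rest, out = args[0], args[1:], []
    store_at = 2 if mode == "hmac-sha256" else 0   # index of the plain/cipher keyword
    if mode in ("simple", "md5"):
        out.append(f"{mode}: weak mode, hmac-sha256 is recommended")
    elif mode == "hmac-sha256":
        # Syntax on this page: hmac-sha256 key-id <0-65535> ...
        if not (rest[:1] == ["key-id"] and rest[1:2] and rest[1].isdigit() and int(rest[1]) <= 65535):
            out.append("hmac-sha256: key-id missing or outside 0-65535")
    if mode != "keychain" and rest[store_at:store_at + 1] == ["plain"]:
        out.append("plain: password is saved in the configuration file in plain text")
    if rest[-1:] == ["send-only"]:
        out.append("send-only: received Hello packets are not authenticated")
    return out

def audit_config(text):
    """Map interface name -> findings about its IS-IS Hello authentication."""
    state, cur = {}, None
    for line in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)   # keeps a quoted keychain name whole
        if tok[:1] == ["interface"] and len(tok) > 1:
            cur = state.setdefault(tok[1], {"on": False, "auth": False, "f": []})
        elif not line.startswith(" "):
            cur = None                # any other top-level line ends the interface view
        elif cur is not None and tok[:2] == ["isis", "enable"]:
            cur["on"] = True
        elif cur is not None and tok[:2] == ["isis", "authentication-mode"] and tok[2:]:
            cur["auth"] = True
            cur["f"] += audit_auth(tok[2:])
    for s in state.values():
        if s["on"] and not s["auth"]:
            s["f"].append("no authentication-mode: Hello packets are unauthenticated (default)")
    return {name: s["f"] for name, s in state.items() if s["f"]}
```

Calling `audit_config(SAMPLE)` returns findings for Vlanif200, Vlanif300 and Vlanif400 and none for Vlanif100, which already uses hmac-sha256 with cipher storage.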