isis process-id authentication-mode

Function

The isis process-id authentication-mode command configures an IS-IS interface to authenticate Hello packets based on a specified mode and password.

The undo isis process-id authentication-mode command cancels the authentication and deletes the password.

It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

By default, no password is set and no authentication is performed. Configuring authentication is recommended to ensure system security.

Format

isis process-id process-id-value authentication-mode { simple { [ cipher ] simple-cipher | plain simple-plain } | md5 { [ cipher ] cipher | plain plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

isis process-id process-id-value authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

isis process-id process-id-value authentication-mode hmac-sha256 key-id key-id { [ cipher ] cipher | plain plain } [ level-1 | level-2 ] [ send-only ]

undo isis process-id process-id-value authentication-mode [ level-1 | level-2 ]

undo isis process-id process-id-value authentication-mode { simple { cipher simple-cipher | plain simple-plain } | md5 { cipher cipher | plain plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

undo isis process-id process-id-value authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

undo isis process-id process-id-value authentication-mode hmac-sha256 key-id key-id { cipher cipher | plain plain } [ level-1 | level-2 ] [ send-only ]

Parameters

Parameter Description Value
process-id-value

Specifies the IS-IS multi-instance process ID when multi-instance is enabled under the relevant process.

The value is an integer ranging from 1 to 4294967295.
simple

Indicates simple authentication.

For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

-
cipher

Indicates the ciphertext mode. The simple text or ciphertext can be entered. The password in the configuration file is displayed as a ciphertext. MD5 authentication uses the ciphertext mode by default.

-
cipher

Specifies a ciphertext password.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration. The parameter value must be the same as the ciphertext in the configuration file.

The value is a string of case-sensitive characters that can be letters or digits. When quotation marks are used around the string, spaces are allowed in the string.

  • In simple authentication, the value is a string of 1 to 16 characters in a simple text, or a string of 24 to 128 characters in a ciphertext.
  • In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in a simple text, or a string of 20 to 432 characters in a ciphertext.
  • A 24-character ciphertext password configured in an earlier version is also supported in this version.
  • A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
simple-cipher

Specifies a simple text or ciphertext.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration. The parameter value must be the same as the ciphertext in the configuration file.

The value is a string of case-sensitive characters that can be letters or digits.

  • In simple authentication, the value is a string of 1 to 16 characters in a simple text, or a string of 24 to 128 characters in a ciphertext.
  • In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in a simple text, or a string of 20 to 432 characters in a ciphertext.
  • A 24-character ciphertext password configured in an earlier version is also supported in this version.
  • A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
plain

Specifies a cleartext password.

The value is a string of case-sensitive characters that can be letters or digits.

In simple authentication, the value is a string of 1 to 16 characters. In MD5 authentication, the value is a string of 1 to 255 characters.

A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
plain

Indicates the simple text mode. Only the simple text can be entered. The password in the configuration file is displayed as a simple text. Simple authentication uses the simple text mode by default.

When configuring an authentication password, select the ciphertext mode because the password is saved in the configuration file as a simple text if you select the simple text mode, which has a high risk. To ensure device security, change the password periodically.

-
simple-plain

Specifies a simple-text password.

The value is a string of case-sensitive characters that can be letters or digits. When quotation marks are used around the string, spaces are allowed in the string.

In simple authentication, the value is a string of 1 to 16 characters. In MD5 authentication, the value is a string of 1 to 255 characters.

A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
md5

Indicates that the password is transmitted after being encrypted using HMAC-MD5.

For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended.

-
level-1

Indicates the Level-1 authentication.

-
level-2

Indicates the Level-2 authentication.

The level-1 and level-2 parameters are valid only on IS-IS-capable Ethernet interfaces.

-
ip

Indicates the IP authentication password. This parameter cannot be configured when keychain authentication is used.

-
osi

Indicates the OSI authentication password. This parameter cannot be configured when keychain authentication is used.

-
send-only

Encapsulates the Hello packets to be sent with authentication information and ignores checking authentication information carried in received Hello packets.

-
keychain keychain-name

Specifies the keychain that changes with time.

Before configuring this parameter, run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, the authentication will fail.

Keychain authentication supports only HMAC-MD5 and HMAC-SHA256 algorithms. Using any other algorithm may lead to an authentication failure.

If the dependent keychain is deleted, the neighbor relationship may be interrupted. Therefore, exercise caution when deleting the keychain.

The value is a string of 1 to 47 case-insensitive characters.

A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
hmac-sha256

Encapsulates generated packets with the HMAC-SHA256 authentication and a password encrypted using the HMAC-SHA256 algorithm and authenticates received packets.

-
key-id key-id

Specifies a key ID for authentication, which must be the same as the one configured at the other end.

The value is an integer ranging from 0 to 65535.

Views

100GE interface view, 10GE interface view, 25GE sub-interface view, 25GE interface view, 400GE interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE electrical interface view, GMPLS-UNI interface view, Global VE sub-interface view, Loopback interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VE interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
isis write

Usage Guidelines

Usage Scenario

To ensure network security, you can enable a router to authenticate received packets based on the pre-defined authentication mode or add authentication information to the packets to be sent. Only the packets that are authenticated can be forwarded on the network.

The isis authentication-mode command enables the local node to discard all the Hello packets with authentication passwords that are different from the one set using this command. You can also enable the device to add the set authentication password to all the Hello packets to be sent.

Prerequisites

IS-IS has been enabled using the isis enable command in the interface view.

Precautions

If a password is set, but neither ip nor osi is specified, osi is defaulted.

If a broadcast interface is emulated as a P2P interface using the isis circuit-type command or then restored to the broadcast interface through the undo isis circuit-type command, the authentication configuration on the interface is restored to the default setting.

For a P2P interface, only Level-1 authentication is specified by default.

Example

# Set the authentication password using HMAC-SHA256 on GigabitEthernet 0/1/1.
<HUAWEI> system-view
[~HUAWEI] isis 1
[*HUAWEI-isis-1] quit
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] isis enable
[*HUAWEI-GigabitEthernet0/1/1] undo portswitch
[*HUAWEI-GigabitEthernet0/1/1] isis process-id 1 authentication-mode hmac-sha256 key-id 1 cipher Huawei-123
Parent Topic: IS-IS Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >