isis authentication-mode

Function

The isis authentication-mode command configures an IS-IS interface to authenticate Hello packets based on a specified mode and password.

The undo isis authentication-mode command cancels the authentication and deletes the password.

By default, no password is set and no authentication is performed. Configuring authentication is recommended to ensure system security.

It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security. Authenticating Hello packets prevents an unauthorized device from forming an IS-IS adjacency and thereby injecting or modifying routing information.

Format

isis authentication-mode { simple { [ cipher ] simple-cipher | plain simple-plain } | md5 { [ cipher ] cipher | plain plain } } [ ip | osi ] [ send-only ]

isis authentication-mode keychain keychain-name [ send-only ]

isis authentication-mode hmac-sha256 key-id key-id { [ cipher ] cipher | plain plain } [ send-only ]

undo isis authentication-mode

undo isis authentication-mode { simple { cipher simple-cipher | plain simple-plain } | md5 { cipher cipher | plain plain } } [ ip | osi ] [ send-only ]

undo isis authentication-mode keychain keychain-name [ send-only ]

undo isis authentication-mode hmac-sha256 key-id key-id { cipher cipher | plain plain } [ send-only ]

Parameters

Parameter Description Value
simple

Indicates simple authentication.

For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

-

cipher

Indicates the ciphertext mode. Either a simple-text or a ciphertext password can be entered; the password is stored and displayed in the configuration file as ciphertext. MD5 authentication uses the ciphertext mode by default. Note that the device must be able to recover the original key to compute the HMAC, so this is reversible, device-keyed encryption rather than a one-way hash; treat the configuration file as sensitive even when ciphertext mode is used.

-

cipher simple-cipher

Indicates the ciphertext mode. The simple text or ciphertext can be entered. The password in the configuration file is displayed as a ciphertext. MD5 authentication uses the ciphertext mode by default.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration. The parameter value must be the same as the ciphertext in the configuration file.

The value is a string of case-sensitive characters that can be letters or digits.

In simple authentication, the value is a string of 1 to 16 characters in the simple text mode or a string of 24 to 128 characters in the ciphertext mode. In MD5 authentication, the value is a string of 1 to 255 characters in the simple text mode or a string of 20 to 432 characters in the ciphertext mode.

  • A 24-character ciphertext password configured in an earlier version is also supported in this version.
  • A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
cipher

Specifies a ciphertext password.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration. The parameter value must be the same as the ciphertext in the configuration file.

The value is a string of case-sensitive characters that can be letters or digits. When quotation marks are used around the string, spaces are allowed in the string.

  • In simple authentication, the value is a string of 1 to 16 characters in a simple text, or a string of 24 to 128 characters in a ciphertext.
  • In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in a simple text, or a string of 20 to 432 characters in a ciphertext.
  • A 24-character ciphertext password configured in an earlier version is also supported in this version.
  • A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
simple-cipher

Specifies a simple text or ciphertext.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration. The parameter value must be the same as the ciphertext in the configuration file.

The value is a string of case-sensitive characters that can be letters or digits.

  • In simple authentication, the value is a string of 1 to 16 characters in a simple text, or a string of 24 to 128 characters in a ciphertext.
  • In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in a simple text, or a string of 20 to 432 characters in a ciphertext.
  • A 24-character ciphertext password configured in an earlier version is also supported in this version.
  • A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.
plain

Indicates the simple text mode. Only the simple text can be entered. The password in the configuration file is displayed as a simple text. Simple authentication uses the simple text mode by default.

When configuring an authentication password, select the ciphertext mode: if you select the simple text mode, the password is saved in the configuration file as plain text, which is a high risk. To ensure device security, change the password periodically.

-

plain

Specifies a cleartext password.

The value is a string of case-sensitive characters that can be letters or digits.

In simple authentication, the value is a string of 1 to 16 characters. In MD5 authentication, the value is a string of 1 to 255 characters.

A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.

simple-plain

Specifies a simple-text password.

The value is a string of case-sensitive characters that can be letters or digits.

In simple authentication, the value is a string of 1 to 16 characters. In MD5 authentication, the value is a string of 1 to 255 characters.

A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password.

md5

Indicates HMAC-MD5 authentication. The password itself is not transmitted; an HMAC-MD5 digest keyed with the password is carried in each Hello packet and verified by the receiver.

For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended.

-

ip

Indicates the IP authentication password. This parameter cannot be configured when keychain authentication is used.

-

osi

Indicates the OSI authentication password. This parameter cannot be configured when keychain authentication is used.

-

send-only

Adds authentication information to the Hello packets sent on the interface but does not check the authentication information carried in received Hello packets. Because a send-only interface accepts unauthenticated Hellos from any neighbor, use it only as a transitional setting (for example, while authentication is being rolled out on the peer) and remove it afterwards.

-

keychain keychain-name

Specifies a keychain whose active key changes over time, allowing keys to be rolled over without interrupting the adjacency.

Before configuring this parameter, run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, the authentication will fail.

Keychain authentication supports only HMAC-MD5 and HMAC-SHA256 algorithms. Using any other algorithm may lead to an authentication failure.

If the dependent keychain is deleted, the neighbor relationship may be interrupted. Therefore, exercise caution when deleting the keychain.

The value is a string of 1 to 47 case-insensitive characters.

The keychain name cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the name.

hmac-sha256

Indicates HMAC-SHA256 authentication. Sent Hello packets carry an HMAC-SHA256 digest keyed with the configured password together with the key ID; received Hello packets are verified against the same key.

-

key-id key-id

Specifies a key ID for authentication, which must be the same as the one configured at the other end.

The value is an integer ranging from 0 to 65535.

Views

100GE interface view, 10GE interface view, 25GE sub-interface view, 25GE interface view, 400GE interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, GE optical interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, Loopback interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VE interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
isis write

Usage Guidelines

Usage Scenario

To ensure network security, you can enable a router to authenticate received packets based on the pre-defined authentication mode and to add authentication information to the packets it sends. Only packets that pass authentication are accepted.

The isis authentication-mode command makes the local node discard received Hello packets whose authentication information does not match the mode and password set with this command, and add the configured authentication information to all Hello packets it sends.
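The following is an added example, not Huawei code, that models what this command does on the wire for the hmac-sha256 and keychain cases: the sender appends an IS-IS Authentication TLV (type 10, authentication type 3, 16-bit key ID, digest) to a Hello PDU, and the receiver looks the key up by key ID (as a keychain would), recomputes the digest and discards the PDU on any mismatch; send-only skips the receive check. The digest construction follows RFC 5310 (generic cryptographic authentication), including its key pre-processing, which is assumed here to be what the device implements; the PDU header bytes, the system ID and the key-to-key-ID mapping are constructed for the example.

```python
"""RFC 5310-style IS-IS Hello authentication (added example, not Huawei code)."""
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10        # Authentication TLV
AUTH_TYPE_CRYPTO = 3      # Cryptographic authentication (RFC 5310)
L = hashlib.sha256().digest_size                 # 32 octets for HMAC-SHA-256
APAD = bytes.fromhex("878FE1F3") * (L // 4)      # fills the digest field while hashing
# Constructed common header: discriminator 0x83, header length 27, version/proto 1,
# ID length 0 (=6), PDU type 15 (L1 LAN IIH), version 1, reserved, max areas 3.
COMMON_HDR = bytes([0x83, 27, 1, 0, 15, 1, 0, 3])


def _ko(key: bytes) -> bytes:
    """RFC 5310 section 3.2: Ko = H(K) if K longer than L, else K zero-padded to L.
    This differs from RFC 2104 HMAC for keys between L and the hash block size."""
    if len(key) > L:
        return hashlib.sha256(key).digest()
    return key.ljust(L, b"\x00")


def rfc5310_hmac(key: bytes, pdu_with_apad: bytes) -> bytes:
    """HMAC-SHA-256 over the whole PDU, digest field already replaced by Apad."""
    return hmac.new(_ko(key), pdu_with_apad, hashlib.sha256).digest()


def matches_rfc2104_hmac(key: bytes, msg: bytes) -> bool:
    """True when the RFC 5310 digest equals plain RFC 2104 HMAC for this key length."""
    return rfc5310_hmac(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


def build_hello(source_id: bytes, key_id: int, key: bytes, tlvs: bytes = b"") -> bytes:
    """Build an L1 LAN IIH carrying an Authentication TLV with key ID and digest."""
    auth_tlv = struct.pack("!BBBH", AUTH_TLV_TYPE, 3 + L, AUTH_TYPE_CRYPTO, key_id)
    pdu_len = len(COMMON_HDR) + 19 + len(auth_tlv) + L + len(tlvs)
    # Fixed LAN IIH fields: circuit type, source ID, holding time, PDU length,
    # priority, LAN ID (source ID + pseudonode number).
    fixed = struct.pack("!B6sHHB7s", 1, source_id, 30, pdu_len, 64, source_id + b"\x01")
    unsigned = COMMON_HDR + fixed + auth_tlv + APAD + tlvs
    digest_off = len(COMMON_HDR) + len(fixed) + len(auth_tlv)
    digest = rfc5310_hmac(key, unsigned)
    return unsigned[:digest_off] + digest + unsigned[digest_off + L:]


def find_auth_tlv(pdu: bytes):
    """Return (offset of TLV value, value bytes) for the Authentication TLV, or None."""
    off = len(COMMON_HDR) + 19
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if tlv_type == AUTH_TLV_TYPE:
            return off + 2, pdu[off + 2:off + 2 + tlv_len]
        off += 2 + tlv_len
    return None


def verify_hello(pdu: bytes, keychain: dict, send_only: bool = False) -> bool:
    """Receiver side: accept only if the digest verifies under the key for the key ID.
    keychain maps key ID -> key, as the device's keychain (or a single key-id) would."""
    if send_only:                      # send-only: received auth info is not checked
        return True
    found = find_auth_tlv(pdu)
    if found is None:                  # unauthenticated Hello -> discarded
        return False
    value_off, value = found
    if len(value) != 3 + L or value[0] != AUTH_TYPE_CRYPTO:
        return False
    key_id = struct.unpack("!H", value[1:3])[0]
    key = keychain.get(key_id)
    if key is None:                    # key ID not configured locally -> discarded
        return False
    digest_off = value_off + 3
    with_apad = pdu[:digest_off] + APAD + pdu[digest_off + L:]
    return hmac.compare_digest(rfc5310_hmac(key, with_apad), value[3:])


if __name__ == "__main__":
    sys_id = b"\x00\x00\x00\x00\x00\x01"               # constructed system ID
    pdu = build_hello(sys_id, 1, b"Huawei-123")
    print(verify_hello(pdu, {1: b"Huawei-123"}))       # True: same key-id and key
    print(verify_hello(pdu, {1: b"wrong"}))            # False: key mismatch
    print(verify_hello(pdu, {2: b"Huawei-123"}))       # False: key-id mismatch
    print(verify_hello(pdu, {}, send_only=True))       # True: receive check skipped
```

The key-ID check models why `key-id` must match on both ends: a correct password under the wrong key ID is still discarded. `matches_rfc2104_hmac` exposes the RFC 5310 key pre-processing: for keys of 32 octets or fewer the result equals ordinary HMAC-SHA-256, but a key longer than 32 octets is first hashed, so an implementation that uses plain RFC 2104 HMAC for such keys will fail to interoperate.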

Prerequisites

IS-IS has been enabled using the isis enable command in the interface view.

Precautions

If a password is set but neither ip nor osi is specified, osi is used by default.

If a broadcast interface is emulated as a P2P interface using the isis circuit-type command and then restored to a broadcast interface using the undo isis circuit-type command, the authentication configuration on the interface is reset to the default setting (no authentication) and must be reconfigured.

For a P2P interface, only Level-1 authentication is specified by default.

Example

# Set the authentication password using HMAC-SHA256. The interface is switched to Layer 3 mode (undo portswitch) before IS-IS is enabled on it, and the configuration is committed.
<HUAWEI> system-view
[~HUAWEI] isis 1
[*HUAWEI-isis-1] quit
[*HUAWEI] interface GigabitEthernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] undo portswitch
[*HUAWEI-GigabitEthernet0/1/0] isis enable
[*HUAWEI-GigabitEthernet0/1/0] isis authentication-mode hmac-sha256 key-id 1 cipher Huawei-123
[*HUAWEI-GigabitEthernet0/1/0] commit
Copyright © Huawei Technologies Co., Ltd.