The optional-checksum enable command enables IS-IS to send Hello packets and SNP packets carrying optional checksum TLVs and to check received IS-IS packets and SNPs.
The undo optional-checksum enable command restores the default configuration.
By default, Hello packets and SNPs do not carry optional checksum TLVs, and received packets are not checked.
Usage Scenario
To prevent the attack of malicious packets and to ensure that packets are correctly received on an IS-IS network, you can configure the optional-checksum enable command to enable IS-IS devices to send SNP packets and Hello packets carrying optional checksum TLVs. After the peer device receives the packets, it checks whether the carried optional checksum TLVs are correct. If the TLVs are not correct, the peer device rejects the packets.
Prerequisites
An IS-IS process has been created and the IS-IS view has been displayed using the isis command.
Precautions
If HMAC-SHA256, HMAC-MD5, or Keychain authentication with valid HMAC-MD5 authentication is configured on an IS-IS interface or area, IS-IS devices send Hello packets and SNP packets without optional checksum TLVs and verify the checksum of the received packets.
For the sake of security, using the HMAC-SHA256 algorithm rather than the HMAC-MD5 algorithm is recommended.