Configure Auto-sense IS-IS Authentication

Note

Note

This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before you begin

Enable IS-IS globally.

About this task

Perform this procedure to configure a global IS-IS authentication key for ports that are operating in Auto-sense mode.

Note

Note

If the IS-IS authentication keys on auto-sense ports between two switches do not match, then the auto-sense port state will be auto-sense UNI onboarding, until the keys are matching, then an IS-IS adjacency will be established.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the authentication type for IS-IS hello packets on Auto-sense ports:

    auto-sense isis hello-auth type {none|simple|hmac-md5|hmac-sha-256} [key WORD<1-16>] [key-id <1-255>]

Example

Configuring simple authentication for IS-IS hello packets on Auto-sense ports:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense isis hello-auth type simple key Secure

Variable Definitions

The following table defines parameters for the auto-sense isis hello-auth type command.

Variable

Value

{none|simple|hmac-md5|hmac-sha-256}

Specifies the authentication type for IS-IS hello packets on Auto-sense ports:

  • none
  • simple - simple password authentication uses a text password in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
  • hmac-md5 - MD5 authentication creates an encoded checksum in the transmitted packet. The receiving router uses an authentication key (password) to verify the MD5 checksum of the packet.
  • hmac-sha–256 - with SHA-256 authentication, the switch adds an hmac-sha–256 digest to each Hello packet. The switch that receives the Hello packet computes the digest of the packet and compares it with the received digest.
    Note: Secure Hashing Algorithm 256 bits (SHA-256) is a cipher and a cryptographic hash function of SHA2 authentication. You can use SHA-256 to authenticate ISIS Hello messages. This authentication method uses the SHA-256 hash function and a secret key to establish a secure connection between switches that share the same key. This feature is in full compliance with RFC 5310.

The default authentication type is none.

key WORD<1-16>

Specifies the authentication key (password) used by the receiving router to verify the packet.

key-id <1-255>

Specifies the key ID.