isis authentication-mode
Use isis authentication-mode to specify the neighbor relationship authentication mode and a key.
Use undo isis authentication-mode to remove the configuration.
Syntax
isis authentication-mode { { gca key-id { hmac-sha-1 | hmac-sha-224 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 } [ nonstandard ] | md5 | simple } { cipher | plain } string | keychain keychain-name } [ level-1 | level-2 ] [ ip | osi ]
undo isis authentication-mode [ level-1 | level-2 ]
Default
No neighbor relationship authentication mode or key is configured.
Views
Interface view
Predefined user roles
network-admin
Parameters
gca: Specifies the GCA mode.
key-id: Uniquely identifies an SA in the range of 1 to 65535. The sender inserts the Key ID into the authentication TLV, and the receiver authenticates the packet by using the SA that is selected based on the Key ID.
hmac-sha-1: Specifies the HMAC-SHA-1 algorithm.
hmac-sha-224: Specifies the HMAC-SHA-224 algorithm.
hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.
hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
nonstandard: Specifies the nonstandard GCA mode.
md5: Specifies the MD5 authentication mode.
simple: Specifies the simple authentication mode.
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 33 to 53 characters.
keychain: Specifies the keychain authentication mode.
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.
level-1: Configures the key for Level-1.
level-2: Configures the key for Level-2.
ip: Checks IP-related fields in LSPs and SNPs.
osi: Checks OSI-related fields in LSPs and SNPs.
Usage guidelines
The key in the specified mode is inserted into all outbound hello packets and is used for authenticating inbound hello packets. Only if the authentication succeeds can the neighbor relationship be formed.
IS-IS keychain authentication can operate correctly only when the keys in the keychain use the HMAC-MD5 authentication algorithm.
Before IS-IS sends a Hello packet, it uses the valid send key obtained from the keychain to authenticate the packet. If no valid send key exists or the valid send key does not use the HMAC-MD5 algorithm, the authentication fails and the packet does not contain the authentication information.
After IS-IS receives a Hello packet, it uses a valid accept key obtained from the keychain to authenticate the packet. If no valid accept key exists or all valid accept keys fail to authenticate the packet, the authentication fails and the packet is discarded.
The level-1 and level-2 keywords are configurable on an interface that has had IS-IS enabled with the isis enable command.
If you configure a key without specifying a level, the key applies to both Level-1 and Level-2.
For two routers to become neighbors, the authentication mode and key at both ends must be identical.
If neither ip nor osi is specified, the OSI-related fields in LSPs are checked.
When you specify the GCA mode, follow these guidelines:
If you do not specify the nonstandard keyword, the device can communicate only with devices that use the GCA mode.
If you specify the nonstandard keyword, the device can communicate only with devices that use the nonstandard GCA mode.
Examples
# On VLAN-interface 10, set the authentication mode to simple, and set the plaintext key to 123456.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] isis authentication-mode simple plain 123456
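The following Python audit is an added example, not part of the original page or the vendor's tooling. It parses isis authentication-mode lines according to the Syntax section and compares both ends of a link, because the mode must be identical at both ends and standard and nonstandard GCA do not interoperate. The saved-configuration stanza layout, the <key> placeholder, the function names, and the policy of flagging simple and md5 are assumptions.

```python
import re

# Grammar follows the Syntax line above; the key string itself is never captured.
AUTH_RE = re.compile(
    r"^\s*isis authentication-mode\s+(?:"
    r"gca\s+(?P<key_id>\d+)\s+(?P<alg>hmac-sha-(?:1|224|256|384|512))"
    r"(?P<nonstd>\s+nonstandard)?\s+(?:cipher|plain)\s+\S+"
    r"|(?P<mode>md5|simple)\s+(?:cipher|plain)\s+\S+"
    r"|keychain\s+\S+)"
    r"(?:\s+(?P<level>level-1|level-2))?(?:\s+(?:ip|osi))?\s*$")
LEVELS = ("level-1", "level-2")
FLAGGED = {"simple", "md5"}  # assumption: local audit policy, not stated on the page

def parse_auth(config, interface):
    """Return {level: settings} for one interface stanza of a saved configuration."""
    found, inside = {}, False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1].strip().lower() == interface.lower()
        elif inside and (m := AUTH_RE.match(line)):
            if m["key_id"]:
                s = ("gca", int(m["key_id"]), m["alg"], bool(m["nonstd"]))
            else:
                s = (m["mode"] or "keychain",)
            # Without a level keyword the key applies to both levels.
            for lvl in ([m["level"]] if m["level"] else LEVELS):
                found[lvl] = s
    return found

def audit_link(cfg_a, if_a, cfg_b, if_b):
    """Compare both ends of one adjacency; key strings are out of scope."""
    a, b = parse_auth(cfg_a, if_a), parse_auth(cfg_b, if_b)
    findings = []
    for lvl in LEVELS:
        if a.get(lvl) != b.get(lvl):
            findings.append(f"{lvl}: mode mismatch {a.get(lvl)} vs {b.get(lvl)}")
        for end, s in (("A", a.get(lvl)), ("B", b.get(lvl))):
            if s is None or s[0] in FLAGGED:
                findings.append(f"{lvl}: end {end} flagged ({s[0] if s else 'none'})")
    return findings

# Constructed sample stanzas; <key> stands in for the stored key string.
RTR_A = "#\ninterface Vlan-interface10\n isis authentication-mode gca 1 hmac-sha-256 cipher <key>\n#\n"
RTR_B = ("#\ninterface Vlan-interface10\n"
         " isis authentication-mode gca 1 hmac-sha-256 nonstandard cipher <key> level-1\n"
         " isis authentication-mode simple cipher <key> level-2\n#\n")
if __name__ == "__main__":
    for f in audit_link(RTR_A, "Vlan-interface10", RTR_B, "Vlan-interface10"):
        print(f)
```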
Related commands
area-authentication-mode
domain authentication-mode
isis authentication send-only