Juniper Enabling IS-IS Authentication
 
You want to ensure that all IS-IS protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the IS-IS routing database.
Configure MD5 authentication for IS-IS:
 
[edit protocols isis]
source@RouterA# set level 2 authentication-type md5
source@RouterA# set level 2 authentication-key $1991poPPi
 
It is a good security measure to authenticate IS-IS protocol packet exchanges to ensure that only trusted routers participate in the IS-IS network and in the exchange of link-state PDUs (LSPs).
 
This recipe shows how to configure IS-IS to use MD5 authentication for the Level 2 area. First you configure MD5 authentication for the entire area, then you set the key, or password, for each interface. MD5 creates an encoded checksum that is included in all transmitted IS-IS packets. The receiving router verifies this checksum before accepting the packet. By default, the JUNOS implementation of IS-IS authenticates all PDU types, including link-state PDUs (LSPs), IIH PDUs, and complete and partial sequence number PDUs (CSNPs and PSNPs). This is why the software has only one command for establishing authentication.
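The "encoded checksum" described above is a keyed digest: the authentication key is used as the key of HMAC-MD5 over the whole PDU (RFC 5304), carried in an Authentication TLV (type 10, authentication type 54), with the digest field zeroed while the value is computed. The following Python is an added example, not code from the recipe or from JUNOS, that builds a constructed Level 2 LAN Hello with that TLV, signs it, and verifies it with the right key, the wrong key, and after tampering; the system ID, LAN ID and area address are sample values, and the code handles Hello PDUs only (LSPs additionally zero the remaining-lifetime and checksum fields before the digest is computed).

```python
import hashlib
import hmac
import struct

# Protocol constants from RFC 5304 / ISO 10589 (real values, not assumptions).
TLV_AUTHENTICATION = 10      # Authentication TLV type
AUTH_TYPE_HMAC_MD5 = 54      # authentication type octet meaning HMAC-MD5
DIGEST_LEN = 16              # MD5 digest length in octets
LAN_IIH_HEADER_LEN = 27      # 8-octet common header + 19 octets of LAN IIH fields
PDU_TYPE_L2_LAN_IIH = 16


def build_auth_tlv(digest=bytes(DIGEST_LEN)):
    """Authentication TLV: type 10, length 17, auth type 54, 16-octet digest."""
    assert len(digest) == DIGEST_LEN
    return bytes([TLV_AUTHENTICATION, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + digest


def build_sample_l2_hello(system_id, lan_id, holding_time=27):
    """Constructed Level 2 LAN IIH carrying a zeroed HMAC-MD5 authentication TLV.

    Returns (pdu, offset at which the TLV area begins). IDs and area are
    constructed sample values chosen for this example.
    """
    tlvs = (
        bytes([1, 4, 3, 0x49, 0x00, 0x01])   # TLV 1: one area address, 49.0001
        + bytes([129, 1, 0xCC])              # TLV 129: protocols supported, IPv4 (NLPID 0xCC)
        + build_auth_tlv()                   # TLV 10: digest still all-zero
    )
    pdu_len = LAN_IIH_HEADER_LEN + len(tlvs)
    # Common header: IRPD 0x83, header length, version/proto ext, ID length (0 = 6),
    # PDU type, version, reserved, maximum area addresses (0 = 3).
    common = bytes([0x83, LAN_IIH_HEADER_LEN, 1, 0, PDU_TYPE_L2_LAN_IIH, 1, 0, 0])
    iih = (bytes([2])                                   # circuit type: Level 2 only
           + system_id                                  # 6-octet source ID
           + struct.pack("!HH", holding_time, pdu_len)  # holding time, PDU length
           + bytes([64])                                # priority, as in the page's output
           + lan_id)                                    # 7-octet LAN ID (system ID + pseudonode)
    return common + iih + tlvs, LAN_IIH_HEADER_LEN


def find_auth_tlv(pdu, tlv_start):
    """Walk the TLV area and return the offset of the HMAC-MD5 digest, or -1."""
    off = tlv_start
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if (tlv_type == TLV_AUTHENTICATION and tlv_len == 1 + DIGEST_LEN
                and pdu[off + 2] == AUTH_TYPE_HMAC_MD5):
            return off + 3
        off += 2 + tlv_len
    return -1


def _digest_with_zeroed_field(pdu, key, dpos):
    zeroed = pdu[:dpos] + bytes(DIGEST_LEN) + pdu[dpos + DIGEST_LEN:]
    return hmac.new(key, zeroed, hashlib.md5).digest()


def sign_pdu(pdu, key, tlv_start):
    """Return a copy of pdu with the HMAC-MD5 digest filled in."""
    dpos = find_auth_tlv(pdu, tlv_start)
    if dpos < 0:
        raise ValueError("PDU carries no HMAC-MD5 authentication TLV")
    return pdu[:dpos] + _digest_with_zeroed_field(pdu, key, dpos) + pdu[dpos + DIGEST_LEN:]


def verify_pdu(pdu, key, tlv_start):
    """True only if the PDU carries a digest matching the key (what the receiver checks)."""
    dpos = find_auth_tlv(pdu, tlv_start)
    if dpos < 0:
        return False                       # unauthenticated PDU on an authenticated level
    received = pdu[dpos:dpos + DIGEST_LEN]
    return hmac.compare_digest(received, _digest_with_zeroed_field(pdu, key, dpos))


if __name__ == "__main__":
    sys_id = bytes.fromhex("192168001001")               # constructed system ID
    pdu, tlv_start = build_sample_l2_hello(sys_id, sys_id + b"\x02")
    signed = sign_pdu(pdu, b"$1991poPPi", tlv_start)
    print("same key   :", verify_pdu(signed, b"$1991poPPi", tlv_start))
    print("other key  :", verify_pdu(signed, b"$SuMPasswRD", tlv_start))
```

A router whose key differs, or that sends no Authentication TLV at all, fails the `verify_pdu` check in exactly the way the mismatched adjacency later in this recipe does; the key itself never appears on the wire, only the digest.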
 
To configure authentication for all Level 1 areas that the router participates in, use the following commands:
 
[edit protocols isis]
source@RouterA# set level 1 authentication-type md5
source@RouterA# set level 1 authentication-key $SuMPasswRD
 
You cannot configure authentication for IS-IS Level 2 and Level 1 areas globally with a single command. You must configure the two authentications separately.
 
When you display the router's configuration after you have typed the password, you do not see the password itself but the encrypted form of the password. This safeguard means that someone casually glancing through the configuration does not see the actual password. Note that this stored form is a reversible obfuscation rather than a one-way hash, so anyone who obtains a copy of the configuration can recover the key; protect configuration files and backups accordingly.
 
You can also configure a simple password for IS-IS authentication, which includes a plain-text password in the transmitted IS-IS packets. Plain-text passwords are easy to break by devices that sniff network traffic, so you should never use them when your goal is network security.
 
For authentication to work across the entire IS-IS domain, you need to configure MD5 authentication and the same password on all IS-IS interfaces in the same way as shown in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.
 
source@RouterA# set interface ge-1/0/1 authentication-key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"
 
When you are looking at the configuration contents, pipe the output to hide the passwords:
 
[edit protocols isis]
source@RouterA# show | except SECRET-DATA
level 2 {
}
interface ge-0/0/1.0;
interface ge-1/0/0.0 {
    level 2 disable;
}
interface lo0.0 {
    passive;
}
 
If the same authentication type and password are not configured across the area, IS-IS cannot establish adjacencies and you will see errors. Here, Level 2 authentication is configured on RouterC but not on RouterA:
 
source@RouterC> show isis adjacency extensive
RouterA
  Interface: ge-0/0/1.0, Level: 2, State: Down, Expires in 0 secs
  Priority: 64, Up/Down transitions: 2, Last transition: 00:00:37 ago
  Circuit type: 3, Speaks: IP, IPv6, MAC address: 0:5:85:c2:2e:d1
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterC.02, IP addresses: 10.0.1.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 19:51:33   Up           Seenself
  Tue Jun 21 23:51:01   Down         Error           Bad Hello
RouterA
  Interface: ge-1/0/1.0, Level: 1, State: Up, Expires in 7 secs
  Priority: 64, Up/Down transitions: 1, Last transition: 21:37:54 ago
  Circuit type: 1, Speaks: IP, IPv6, MAC address: 0:5:85:ca:e7:d0
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterA.02, IP addresses: 10.0.24.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 02:13:44   Up           Seenself
 
For tighter security, you can also define separate authentication passwords for the IS-IS Hello packet exchanges on interfaces. The following commands set the hello password on interface ge-0/0/1:
 
[edit protocols isis interface ge-0/0/1.0]
source@RouterA# set level 2 hello-authentication-type md5
source@RouterA# set level 2 hello-authentication-key $NutherPaSSwd
 