Configuring Interface Authentication
Context
Generally, the IS-IS packets to be sent are not encapsulated with authentication information, and the received packets are not authenticated. If a user sends malicious packets to attack a network, information on the entire network may be stolen. Therefore, you can configure IS-IS authentication to improve the network security.
After the IS-IS interface authentication is configured, authentication information can be encapsulated into the Hello packet to confirm the validity and correctness of neighbor.
If plain is selected during the configuration of the authentication mode for the IS-IS interface, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.
Simple authentication and MD5 authentication have potential security risks. HMAC-SHA256 authentication mode is recommended.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
The mode switching function takes effect when the interface only has attribute configurations (for example, shutdown and description configurations). Alternatively, if configuration information supported by both Layer 2 and Layer 3 interfaces exists (for example, mode lacp and lacp system-id configurations), no configuration that is not supported after the working mode of the interface is switched can exist. If unsupported configurations exist on the interface, delete the configurations first and then run the undo portswitch command.
If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.
- Run any of the following commands to configure the authentication mode of the IS-IS interface as required:
Run isis authentication-mode simple { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
Simple authentication is configured for the IS-IS interface.
Run isis authentication-mode md5 { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
MD5 authentication is configured for the IS-IS interface.
Run isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
HMAC-SHA256 authentication is configured for the IS-IS interface.
Run isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]
Keychain authentication is configured for the IS-IS interface.
By default, an IS-IS interface does not authenticate received Hello packets and no authentication password is configured on the interface.
Use the send-only parameter according to network requirements:If the send-only parameter is specified, the device only encapsulates the Hello packets to be sent with authentication information rather than checks whether the received Hello packets pass the authentication. When the Hello packets do not need to be authenticated on the local device and pass the authentication on the remote device, the two devices can establish the neighbor relationship.
If the send-only parameter is not specified, ensure that passwords of all interfaces with the same level on the same network are the same.
If keychain authentication is used, the encryption algorithm must be configured to HMAC-MD5 or HMAC-SHA-256 algorithm.HMAC-MD5 encryption algorithm have potential security risks. HMAC-SHA256 encryption algorithm is recommended.
- Run commit
The configuration is committed.
