R1-R2 should use HELLO123 as the hello password using the legacy syntax.
R2-R3-R4 should all use HELLO234 as the password using MD5.
The area should authenticate L1 LSPs and SNPs using “AREA1234” in clear text, but they should all be accepted if they do not contain authentication. Use the legacy syntax for this.
Configure area 49.0056 as follows:
R5-R6 should use HELLO56 as the hello password in plain text using the new syntax. Allow received Hellos to not contain authentication, or to contain wrong authentication.
The area should authenticate L1 LSPs and SNPs using “AREA56” in clear text. LSPs and SNPs should be accepted without authentication. Use the new syntax for this.
Configure area 49.1920 as follows:
XR1-XR2 should use HELLO1920 as the hello password using MD5.
The area should authenticate L1 LSPs and SNPs using “AREA1920” with MD5.
Configure authentication for the entire domain as follows:
All inter-area L2 adjacencies should use the password “LEVEL2” with MD5.
All L2 LSPs/SNPs should use the password “LEVEL2” with MD5, but all LSPs/SNPs should be accepted without authentication.
Authentication for ISIS can be quite configuration intensive. We’ll first go over authentication on IOS-XE.
IOS-XE Authentication
To set the hello password using the legacy method, use the following command. This does not support MD5.
#R1
int Gi2.12
isis password HELLO123
To set the hello password using the new syntax, use the following commands. This requires a key chain. It also supports MD5. Optionally, you can enable “send-only” which does not require the other side’s authentication to match or exist. You can also specify the level for each command. By default, both levels are used.
To set the authentication for L1 LSPs and SNPs, you can use the following legacy method. By default, only LSPs are authenticated. You use the snp keyword to enable SNP authentication, and choose send-only or validate for the SNPs. LSPs are always in “validate” mode.
router isis
area-password AREA1234 [authenticate snp send-only|validate]
To set the authentication for L2 LSPs and SNPs using the legacy method, you essentially use the same command but with domain-password.
router isis
domain-password AREA1234 [authenticate snp send-only|validate]
The newer syntax looks like the authentication for interfaces. You associate a key chain, and have the option of doing “send-only” for both LSPs and SNPs. You use level-1 for area authentication, and level-2 for domain authentication. It appears that both LSPs and SNPs are authenticated, and you cannot separate them (authenticating one but not the other).
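The new-syntax hello authentication and the new-syntax area authentication described above, written out for this lab's passwords. This is an added example, not configuration from the original page; the interface numbers (Gi2.56, Gi2.23) and the key chain names are assumptions.

```cisco
! Added example. Interface numbers and key chain names are hypothetical.
!
! --- R5, area 49.0056: plain text, send-only ---
key chain ISIS-HELLO
 key 1
  key-string HELLO56
key chain ISIS-AREA
 key 1
  key-string AREA56
!
interface GigabitEthernet2.56
 ! No level keyword, so both levels are covered
 isis authentication mode text
 isis authentication key-chain ISIS-HELLO
 ! send-only: the password is inserted into sent Hellos, but received
 ! Hellos are not checked (missing or wrong authentication is accepted)
 isis authentication send-only
!
router isis
 ! level-1 = area scope (L1 LSPs and SNPs); level-2 would be domain scope
 authentication mode text level-1
 authentication key-chain ISIS-AREA level-1
 authentication send-only level-1
!
! --- R2, area 49.0001 side: MD5 with validation, for contrast ---
key chain ISIS-HELLO-MD5
 key 1
  key-string HELLO234
!
interface GigabitEthernet2.23
 isis authentication mode md5
 isis authentication key-chain ISIS-HELLO-MD5
 ! No send-only here: received Hellos must carry a matching MD5 digest,
 ! otherwise the adjacency does not form
```

With send-only configured, nothing received is validated, so the R5 stanza satisfies the task but does not stop a neighbor with no password or the wrong one from forming an adjacency. Text mode also carries the password in the clear in every PDU, which is why the R2 stanza uses MD5 without send-only.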
Authentication on IOS-XR is a bit simpler. You configure a hello-password as follows. The accept keyword is used to only accept incoming Hellos with that password, but not send Hellos with that password.
router isis 1
int gi0/0/0/0
hello-password text|keychain|hmac-md5|accept [send-only]
Area and domain authentication work similarly to the new syntax for IOS-XE, except that you can authenticate LSPs without SNPs (which is the default). If you authenticate SNPs, it appears you must use the send-only keyword. Level 1 is used for the area password, and level 2 is used for the domain password.