cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1018
Views
0
Helpful
3
Replies

Enable IS-IS HMAC-MD5 authentication

avosdo
Level 1
Level 1

Hello

We would like to enable IS-IS HMAC-MD5 authentication on an production network for LSP authentication including LSP, CSNP and PSNP.

The problem is that when we are applying the command  "authentication mode md5" under the isis process there is authentications failure and the router loses all routes from routing table. Is there any way to enable authentication without the router losing the routing or to "delay" the authentication until all routers are configured.


key chain IS-IS

key 1

  key-string xxx

router isis

authentication mode md5

authentication key-chain IS-IS

Best Regards

Antonis.

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Antonis,

the ISIS configuration guide suggests the use of interface level command

isis authentication send-only

in order to ensure a smooth transition to a network to all routers using authentication. The command provides the capability to send authenticated PDUs and to receive non authenticated PDUs.

see

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-scty.html#GUID-C7D24C37-83C2-41BB-ADA2-5DCA8C241EDC

Also in key chain configuration mode you should be able to configure a start time for key validity and an end time if necessary.

This should also provide the capability of key rollover without isssues.

Hope to help

Giuseppe

View solution in original post

3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Antonis,

the ISIS configuration guide suggests the use of interface level command

isis authentication send-only

in order to ensure a smooth transition to a network to all routers using authentication. The command provides the capability to send authenticated PDUs and to receive non authenticated PDUs.

see

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-scty.html#GUID-C7D24C37-83C2-41BB-ADA2-5DCA8C241EDC

Also in key chain configuration mode you should be able to configure a start time for key validity and an end time if necessary.

This should also provide the capability of key rollover without isssues.

Hope to help

Giuseppe

Thank you Giuseppe

I will give it a try and let you know.

Regards

Antonis.

Giuseppe

Hello again. I have made the changes today. Everything went fine.

Best Regards

Antonis.

Review Cisco Networking products for a $25 gift card