IS-IS Authentication

IS-IS supports authentication for a link, an L1 area, or a L2 domain. Routers must exchange IIHs and LSPs for the corresponding L1 and L2 routing levels using the mutually agreed passwords. Authentication is not enabled by default.

Cisco IOS supports the following 3 types of IS-IS authentication:

• IS-IS authentication – Clear-text IS-IS authentication.
• IS-IS HMAC-MD5 authentication – Inserts an HMAC-MD5 digest TLV in IS-IS PDUs.
• Enhanced clear-text authentication – Clear-text IS-IS authentication using a series of authentication key chain and authentication mode commands that provide easier password management and modification.

IS-IS Interface, Area, and Domain Authentications

The isis password {passwd} [level-1 | level-2] interface subcommand configures IS-IS authentication for L1 or L2 routing on an interface in order to prevent forming adjacencies with unauthorized routers. If the routing level is not specified, the router will enable both levels and send out L1 and L2 IIHs that contain the Authentication TLV.

The area-password {passwd} [authenticate snp {send-only | validate}] IS-IS router subcommand configures an IS-IS area authentication password in order to prevent receiving false routing information from unauthorized routers. The router inserts the Authentication TLV into L1 LSPs, as well as L1 CSNPs and L1 PSNPs with the optional authenticate snp keyword.

The domain-password {passwd} [authenticate snp {send-only | validate}] IS-IS router subcommand configures the IS-IS routing domain authentication password. The router inserts the Authentication TLV into L2 LSPs, as well as L2 CSNPs and L2 PSNPs with the optional authenticate snp keyword.