Supported Platforms
- ACX, J, M, MX, SRX, T Series, QFabric System, QFX Series standalone switches
Related Documentation
- Understanding Hitless Authentication Key Rollover for IS-IS
Example: Configuring Hitless Authentication Key Rollover for IS-IS
This example shows how to configure hitless authentication key rollover for IS-IS.
Requirements
No special configuration beyond device initialization is required before configuring hitless authentication key rollover for IS-IS.
Overview
Authentication ensures that only routers holding the shared secret can take part in routing updates. This keychain authentication method is referred to as hitless because the keys roll over from one to the next without resetting any peering sessions or interrupting the routing protocol. Junos OS supports both RFC 5304, IS-IS Cryptographic Authentication, and RFC 5310, IS-IS Generic Cryptographic Authentication.
This example includes the following statements for configuring the keychain:
- algorithm—For each key in the keychain, you can specify the message authentication algorithm: hmac-sha-1 or md5 (HMAC-MD5). This is an integrity and origin check on each PDU, not encryption; IS-IS PDUs are still sent in the clear.
- key—A keychain can have multiple keys. Each key within a keychain must be identified by a unique integer value. The range of valid identifier values is from 0 through 63.
- key-chain—For each keychain, you must specify a name. This example defines two keychains, base-key-global and base-key-inter, each containing a single key. A keychain with one key never rolls over; to roll over, add a second key with a later start time to the same keychain on every router that shares it.
- options—For each key in the keychain, you can specify the encoding for the message authentication code: isis-enhanced or basic. The basic (RFC 5304) operation is enabled by default.
When you configure the isis-enhanced option, Junos OS sends RFC 5310-encoded routing protocol packets and accepts both RFC 5304-encoded and RFC 5310-encoded routing protocol packets that are received from other devices.
When you configure basic (or do not include the options statement in the key configuration), Junos OS sends and receives RFC 5304-encoded routing protocol packets and drops RFC 5310-encoded routing protocol packets that are received from other devices. Because of this asymmetry, switch the receiving routers to isis-enhanced before any sender starts using it, or the enhanced hellos are dropped and adjacencies fail.
Because this setting is for IS-IS only, TCP and BFD ignore the encoding option configured in the key.
- secret—For each key in the keychain, you must set a secret password. You can enter it in the secret statement either as plain text or in encrypted form; it is always stored and displayed in encrypted form (the $9$ strings in the example).
- start-time—Each key must specify a start time. The format used in this example is yyyy-mm-dd.hh:mm:ss followed by the offset from UTC (-0700 in the example). Control passes from one key to the next: when a configured start time arrives (based on the routing device's clock), the key with that start time becomes active. Start times must be unique within the keychain. Because the rollover instant is decided by each router's own clock, keep the clocks of all routers sharing a keychain synchronized (for example with NTP).
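The two encodings and the start-time rule above are easier to reason about with the bytes in front of you. The following is an added example, not Junos code: it builds the IS-IS Authentication TLV (type 10) for a key the way RFC 5304 (auth type 54, HMAC-MD5, value zeroed while hashing) and RFC 5310 (auth type 3, 2-byte Key ID, HMAC-SHA-1, value filled with Apad while hashing) define it, picks the sending key from a keychain by start time, and applies the receiver policy from the text (isis-enhanced accepts both, basic drops RFC 5310). The keychain, secrets, timestamps and PDU bytes are constructed for the example; the assumptions that the Authentication TLV is the last TLV and that an RFC 5304 receiver checks against its currently active key are the example's own, not documented Junos behaviour.

```python
"""Added example: IS-IS authentication TLVs (RFC 5304 / RFC 5310) and keychain rollover."""
import hashlib
import hmac
from datetime import datetime, timezone

AUTH_TLV_TYPE = 10
AUTH_TYPE_HMAC_MD5 = 54          # RFC 5304 "basic" encoding
AUTH_TYPE_GENERIC = 3            # RFC 5310 "isis-enhanced" encoding
APAD = bytes.fromhex("878FE1F3")  # RFC 5310 Apad constant, repeated to the digest length
HASHES = {"md5": hashlib.md5, "hmac-sha-1": hashlib.sha1}

# Constructed keychain: key 0 (basic/MD5) is superseded by key 63 (isis-enhanced/SHA-1) at 07:00.
KEYCHAIN = [
    {"id": 0, "secret": b"old-shared-secret", "algorithm": "md5", "options": "basic",
     "start": datetime(2011, 8, 6, 6, 54, tzinfo=timezone.utc)},
    {"id": 63, "secret": b"new-shared-secret", "algorithm": "hmac-sha-1", "options": "isis-enhanced",
     "start": datetime(2011, 8, 6, 7, 0, tzinfo=timezone.utc)},
]

# Constructed stand-in for a hello PDU: 0x83 is the ISO 10589 discriminator, the other header
# bytes are dummies, followed by an Area Address TLV (49.0000) and a Protocols Supported TLV.
HEADER = b"\x83" + bytes(7)
PDU_NO_AUTH = HEADER + bytes([1, 4, 3, 0x49, 0x00, 0x00]) + bytes([129, 1, 0xCC])


def active_key(keychain, now):
    """The key the router sends with: the latest start time that has already arrived."""
    started = [k for k in keychain if k["start"] <= now]
    if not started:
        raise ValueError("no key has started yet")
    return max(started, key=lambda k: k["start"])


def _placeholder(auth_type, digest_size):
    # RFC 5304 zeroes the Authentication Value while hashing; RFC 5310 fills it with Apad.
    return bytes(digest_size) if auth_type == AUTH_TYPE_HMAC_MD5 else APAD * (digest_size // 4)


def sign_pdu(pdu_no_auth, key):
    """Append the Authentication TLV for `key` (assumption: the auth TLV is the last TLV)."""
    if key["options"] == "basic":
        if key["algorithm"] != "md5":
            raise ValueError("RFC 5304 defines HMAC-MD5 only")
        auth_type, hashfn, prefix = AUTH_TYPE_HMAC_MD5, hashlib.md5, b""
    else:
        auth_type, hashfn = AUTH_TYPE_GENERIC, HASHES[key["algorithm"]]
        prefix = key["id"].to_bytes(2, "big")   # Key ID lets the receiver pick the right key
    digest_size = hashfn().digest_size
    body = bytes([auth_type]) + prefix
    tlv = bytes([AUTH_TLV_TYPE, len(body) + digest_size]) + body
    # Both RFCs HMAC the whole PDU, TLV header included, with the digest field holding the placeholder.
    to_sign = pdu_no_auth + tlv + _placeholder(auth_type, digest_size)
    return pdu_no_auth + tlv + hmac.new(key["secret"], to_sign, hashfn).digest()


def verify_pdu(pdu, keychain, receiver_options, now):
    """Receiver side: returns (accepted, reason). `receiver_options` is the receiving router's
    own key option, 'basic' or 'isis-enhanced', which decides whether RFC 5310 PDUs are accepted."""
    off = len(HEADER)
    while off + 2 <= len(pdu) and pdu[off] != AUTH_TLV_TYPE:   # walk TLVs to the auth TLV
        off += 2 + pdu[off + 1]
    if off + 3 > len(pdu):
        return False, "no authentication TLV"
    tlv_len, auth_type = pdu[off + 1], pdu[off + 2]
    if auth_type == AUTH_TYPE_HMAC_MD5:
        # RFC 5304 carries no Key ID; assumption: check against the currently active key.
        key, hashfn, value_off = active_key(keychain, now), hashlib.md5, off + 3
    elif auth_type == AUTH_TYPE_GENERIC:
        if receiver_options == "basic":
            return False, "RFC 5310 packet dropped: receiver runs basic"
        key_id = int.from_bytes(pdu[off + 3:off + 5], "big")
        key = next((k for k in keychain if k["id"] == key_id), None)
        if key is None:
            return False, f"unknown key id {key_id}"
        hashfn, value_off = HASHES[key["algorithm"]], off + 5
    else:
        return False, f"unsupported authentication type {auth_type}"
    digest_size = hashfn().digest_size
    if off + 2 + tlv_len != value_off + digest_size:
        return False, "bad authentication TLV length"
    received = pdu[value_off:value_off + digest_size]
    to_check = pdu[:value_off] + _placeholder(auth_type, digest_size) + pdu[value_off + digest_size:]
    if not hmac.compare_digest(received, hmac.new(key["secret"], to_check, hashfn).digest()):
        return False, "digest mismatch"
    return True, f"accepted with key {key['id']} (auth type {auth_type})"


if __name__ == "__main__":
    now = KEYCHAIN[1]["start"]                     # the instant key 63 takes over
    pdu = sign_pdu(PDU_NO_AUTH, active_key(KEYCHAIN, now))
    print(verify_pdu(pdu, KEYCHAIN, "isis-enhanced", now))
    print(verify_pdu(pdu, KEYCHAIN, "basic", now))
```

Run it as is to see the same PDU accepted by an isis-enhanced neighbour and dropped by a basic one. The Key ID in the RFC 5310 TLV is what makes the rollover hitless: a receiver whose clock is a little behind the sender still finds key 63 by its identifier instead of guessing from its own notion of the active key, which the RFC 5304 path above cannot do.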
You can apply a keychain globally to all interfaces or more granularly to specific interfaces.
This example includes the following statements for applying the keychain to all interfaces or to particular interfaces:
- authentication-key-chain—Enables you to apply a keychain at the global IS-IS level for all Level 1 or all Level 2 interfaces.
- hello-authentication-key-chain—Enables you to apply a keychain at the individual IS-IS interface level. The interface configuration overrides the global configuration.
Figure 1 shows the topology used in the example.
Figure 1: Hitless Authentication Key Rollover for IS-IS

This example shows the configuration for Router R0.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
To configure hitless authentication key rollover for IS-IS:
1. Configure the Router R0 interfaces.
[edit interfaces ge-0/0/0 unit 0]
user@R0# set description "interface A"
user@R0# set family inet address 10.0.0.1/30
user@R0# set family iso
user@R0# set family inet6 address fe80::200:f8ff:fe21:67cf/128
[edit interfaces ge-0/0/1 unit 0]
user@R0# set description "interface B"
user@R0# set family inet address 10.0.0.5/30
user@R0# set family iso
user@R0# set family inet6 address 10FB::C:ABC:1F0C:44DA/128
[edit interfaces ge-0/0/2 unit 0]
user@R0# set description "interface C"
user@R0# set family inet address 10.0.0.9/30
user@R0# set family iso
user@R0# set family inet6 address ff06::c3/128
2. Configure one or more authentication keys.
[edit security authentication-key-chains key-chain base-key-global]
user@R0# set key 63 secret "$9$jfkqfTQnCpBDiCt"
user@R0# set key 63 start-time "2011-8-6.06:54:00-0700"
user@R0# set key 63 algorithm hmac-sha-1
user@R0# set key 63 options isis-enhanced
[edit security authentication-key-chains key-chain base-key-inter]
user@R0# set key 0 secret "$9$8sgx7Vws4ZDkWLGD"
user@R0# set key 0 start-time "2011-8-6.06:54:00-0700"
user@R0# set key 0 algorithm md5
user@R0# set key 0 options basic
3. Apply the base-key-global keychain to all Level 1 IS-IS interfaces on Router R0.
[edit protocols isis level 1]
user@R0# set authentication-key-chain base-key-global
4. Apply the base-key-inter keychain to the ge-0/0/0.0 interface on Router R0. The interface-level keychain overrides the global one on this interface.
[edit protocols isis interface ge-0/0/0.0 level 1]
user@R0# set hello-authentication-key-chain base-key-inter
5. If you are done configuring the device, commit the configuration.
user@R0# commit
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Verification
To verify the configuration, run the show security keychain command to confirm which key is active in each keychain, and the show isis adjacency command to confirm that the adjacencies on the authenticated interfaces are Up. An adjacency that stays Down after the keychain is applied usually means the neighbour uses a different secret, algorithm, or encoding option (a basic neighbour drops isis-enhanced hellos).
Published: 2014-07-23