Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation

Example: Configuring BFD Authentication for IS-IS

This example shows how to configure BFD authentication for IS-IS.

Requirements

Before you begin, configure IS-IS on both routers. See Example: Configuring IS-IS for information about the required IS-IS configuration.

Overview

In this example, a BFD authentication keychain is configured with meticulous keyed MD5 authentication.

Figure 1 shows the topology used in this example.

Figure 1: IS-IS BFD Authentication Topology

IS-IS BFD Authentication Topology

CLI Quick Configuration shows the configuration for both of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

set security authentication-key-chains key-chain secret123 description for-isis-bfdset security authentication-key-chains key-chain secret123 key 1 secret "$9$cW-yrv"set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700"set security authentication-key-chains key-chain secret123 key 2 secret "$9$m5T3"set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700"set security authentication-key-chains key-chain secret123 key 3 secret "$9$mTQn"set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700"set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5

Device R2

set security authentication-key-chains key-chain secret123 description for-isis-bfdset security authentication-key-chains key-chain secret123 key 1 secret "$9$cW-yrv"set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700"set security authentication-key-chains key-chain secret123 key 2 secret "$9$m5T3"set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700"set security authentication-key-chains key-chain secret123 key 3 secret "$9$mTQn"set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700"set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IS-IS BFD authentication:

  1. Configure the authentication keychain.
    [edit security authentication-key-chains key-chain secret123]user@R1# set description for-isis-bfduser@R1# set key 1 secret "$9$cW-yrv"user@R1# set key 1 start-time "2012-5-31.13:00:00 -0700"user@R1# set key 2 secret "$9$m5T3"user@R1# set key 2 start-time "2013-5-31.13:00:00 -0700"user@R1# set key 3 secret "$9$mTQn"user@R1# set key 3 start-time "2014-5-31.13:00:00 -0700"
  2. Enable BFD.
    [edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]user@R1# set minimum-interval 100
  3. Apply the authentication keychain.
    [edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]user@R1# set authentication key-chain secret123
  4. Set the authentication type.
    [edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]user@R1# set authentication algorithm meticulous-keyed-md5

Results

From configuration mode, confirm your configuration by entering the show protocols and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@R1# show protocols
isis {interface ge-1/2/0.0 {bfd-liveness-detection {minimum-interval 100;authentication {key-chain secret123;algorithm meticulous-keyed-md5;}}}}
user@R1# show security
authentication-key-chains {key-chain secret123 {description for-isis-bfd;key 1 {secret "$9$cW-yrv"; ## SECRET-DATAstart-time "2012-5-31.13:00:00 -0700";}key 2 {secret "$9$m5T3"; ## SECRET-DATAstart-time "2013-5-31.13:00:00 -0700";}key 3 {secret "$9$mTQn"; ## SECRET-DATAstart-time "2014-5-31.13:00:00 -0700";}}}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying IS-IS BFD Authentication

Purpose

Verify the status of IS-IS BFD authentication.

Action

From operational mode, enter the show bfd session extensive command.

user@R1> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Down      ge-1/2/0.0     0.300     1.000        3   
 Client ISIS L1, TX interval 0.100, RX interval 0.100, Authenticate 
        keychain secret123, algo meticulous-keyed-md5, mode strict
 Client ISIS L2, TX interval 0.100, RX interval 0.100, Authenticate 
        keychain secret123, algo meticulous-keyed-md5, mode strict
 Session down time 00:35:13, previous up time 00:12:17
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 2, routing table index 85
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 1.000, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 2, remote discriminator 1
 Echo mode disabled/inactive, no-absorb, no-refresh
 Authentication enabled/active, keychain secret123, algo meticulous-keyed-md5, mode strict
  Session ID: 0x100101

1 sessions, 2 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 10.0 pps

Meaning

The output shows that BFD authentication is enabled on IS-IS Level 1 and Level 2.

Published: 2014-07-23