Example: Configuring BFD Authentication for IS-IS
This example shows how to configure BFD authentication for IS-IS.
Requirements
Before you begin, configure IS-IS on both routers. See Example: Configuring IS-IS for information about the required IS-IS configuration.
Overview
In this example, a BFD authentication keychain is configured with meticulous keyed MD5 authentication.
Figure 1 shows the topology used in this example.
CLI Quick Configuration shows the configuration for both of the devices in Figure 1. The Step-by-Step Procedure section describes the steps on Device R1.
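What meticulous keyed MD5 does to each BFD control packet, as an added example that is not part of the original page or Juniper code: it follows the RFC 5880 packet layout, computes the digest with the key in the digest field, and applies the receiver's sequence-number window that makes a replayed packet fail. The function names are hypothetical; the sample key and discriminators in the test values are taken from this page's placeholders.

```python
import hashlib
import hmac
import struct

METICULOUS_KEYED_MD5 = 3  # Auth Type value from RFC 5880
AUTH_LEN = 24             # type, len, key id, reserved, 4-byte seq, 16-byte digest


def _digest(first_32_bytes, key):
    # While hashing, the digest field holds the key padded to 16 bytes with zeros.
    return hashlib.md5(first_32_bytes + key.ljust(16, b"\x00")).digest()


def build_packet(key, key_id, seq, my_disc, your_disc, detect_mult=3):
    """Build a BFD control packet carrying a Meticulous Keyed MD5 section."""
    header = struct.pack(
        "!BBBBIIIII",
        1 << 5,                 # version 1, diagnostic 0
        (3 << 6) | 0x04,        # state Up, A (authentication present) bit set
        detect_mult,
        24 + AUTH_LEN,          # total length: mandatory section + auth section
        my_disc, your_disc,
        100_000, 100_000, 0,    # min TX / min RX (microseconds), echo RX off
    )
    auth = struct.pack("!BBBBI", METICULOUS_KEYED_MD5, AUTH_LEN, key_id, 0, seq)
    return header + auth + _digest(header + auth, key)


def verify(packet, key, last_seq, detect_mult=3):
    """Return the accepted sequence number, or None if the packet is discarded."""
    if len(packet) != 24 + AUTH_LEN:
        return None
    auth_type, auth_len, _key_id, _rsvd, seq = struct.unpack("!BBBBI", packet[24:32])
    if auth_type != METICULOUS_KEYED_MD5 or auth_len != AUTH_LEN:
        return None
    # Meticulous: every packet must advance the sequence number, so the
    # accepted window is last_seq+1 .. last_seq+3*detect_mult (mod 2**32).
    # Non-meticulous keyed MD5 would also accept seq == last_seq.
    if not 1 <= (seq - last_seq) % 2**32 <= 3 * detect_mult:
        return None
    if not hmac.compare_digest(_digest(packet[:32], key), packet[32:48]):
        return None
    return seq
```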
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
set security authentication-key-chains key-chain secret123 description for-isis-bfd
set security authentication-key-chains key-chain secret123 key 1 secret $ABC123
set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 2 secret $ABC123
set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 3 secret $ABC123
set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700"
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5
Device R2
set security authentication-key-chains key-chain secret123 description for-isis-bfd
set security authentication-key-chains key-chain secret123 key 1 secret $ABC123
set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 2 secret $ABC123
set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 3 secret $ABC123
set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700"
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123
set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IS-IS BFD authentication:
Configure the authentication keychain.
[edit security authentication-key-chains key-chain secret123]
user@R1# set description for-isis-bfd
user@R1# set key 1 secret "$ABC123"
user@R1# set key 1 start-time "2012-5-31.13:00:00 -0700"
user@R1# set key 2 secret "$ABC123"
user@R1# set key 2 start-time "2013-5-31.13:00:00 -0700"
user@R1# set key 3 secret "$ABC123"
user@R1# set key 3 start-time "2014-5-31.13:00:00 -0700"
Enable BFD.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set minimum-interval 100
Apply the authentication keychain.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set authentication key-chain secret123
Set the authentication type.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set authentication algorithm meticulous-keyed-md5
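A pre-commit check for the keychain built in this procedure, as an added example that is not part of the original page or Juniper tooling: it parses the `set` lines for both routers, resolves which key each side would use at a given time, and reports any interval in which the peers would disagree. It assumes the active key is the one with the latest start-time that has already passed; `R2_SKEWED` is a constructed variant of the page's configuration, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed input: R1's keychain lines from this page, and a hypothetical
# R2 on which key 3 was entered with a start-time one day late.
R1 = '''
set security authentication-key-chains key-chain secret123 key 1 secret $ABC123
set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 2 secret $ABC123
set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700"
set security authentication-key-chains key-chain secret123 key 3 secret $ABC123
set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700"
'''
R2_SKEWED = R1.replace("2014-5-31", "2014-6-1")

START_RE = re.compile(r'key-chain (\S+) key (\d+) start-time "([^"]+)"')


def start_times(config, chain):
    """Map key id -> timezone-aware start time for one keychain."""
    return {
        int(key_id): datetime.strptime(value, "%Y-%m-%d.%H:%M:%S %z")
        for name, key_id, value in START_RE.findall(config)
        if name == chain
    }


def active_key(keys, now):
    """Key id with the latest start-time not after `now` (assumed selection rule)."""
    started = [(start, key_id) for key_id, start in keys.items() if start <= now]
    return max(started)[1] if started else None


def mismatch_windows(a, b):
    """Intervals (begin, end) during which the two peers select different keys."""
    edges = sorted(set(a.values()) | set(b.values()))
    windows = []
    for begin, end in zip(edges, edges[1:] + [None]):
        # The selection can only change at a start-time, so test each edge once.
        if active_key(a, begin) != active_key(b, begin):
            windows.append((begin, end))   # end is None for an open-ended mismatch
    return windows
```

An empty list from `mismatch_windows` means both keychains roll over at the same instants; secrets are not compared here.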
Results
From configuration mode, confirm your configuration by entering the show protocols and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R1# show protocols
isis {
    interface ge-1/2/0.0 {
        bfd-liveness-detection {
            minimum-interval 100;
            authentication {
                key-chain secret123;
                algorithm meticulous-keyed-md5;
            }
        }
    }
}
user@R1# show security
authentication-key-chains {
    key-chain secret123 {
        description for-isis-bfd;
        key 1 {
            secret "$ABC123";
            start-time "2012-5-31.13:00:00 -0700";
        }
        key 2 {
            secret "$ABC123";
            start-time "2013-5-31.13:00:00 -0700";
        }
        key 3 {
            secret "$ABC123";
            start-time "2014-5-31.13:00:00 -0700";
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying IS-IS BFD Authentication
Purpose
Verify the status of IS-IS BFD authentication.
Action
From operational mode, enter the show bfd session extensive command.
user@R1> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Down      ge-1/2/0.0     0.300     1.000        3
 Client ISIS L1, TX interval 0.100, RX interval 0.100, Authenticate
        keychain secret123, algo meticulous-keyed-md5, mode strict
 Client ISIS L2, TX interval 0.100, RX interval 0.100, Authenticate
        keychain secret123, algo meticulous-keyed-md5, mode strict
 Session down time 00:35:13, previous up time 00:12:17
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 2, routing table index 85
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 1.000, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 2, remote discriminator 1
 Echo mode disabled/inactive, no-absorb, no-refresh
 Authentication enabled/active, keychain secret123, algo meticulous-keyed-md5, mode strict
 Session ID: 0x100101

1 sessions, 2 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 10.0 pps
Meaning
The output shows that BFD authentication is enabled on IS-IS Level 1 and Level 2.