Here are my notes about how IS-IS deals with authentication. I'll be working on a simple network consisting of IOS XE, IOS XR and Junos based routers.
Here is reference diagram:
Some initial checks
First, I'll start off by verifying IS-IS adjacencies on R6.
R6#sh isis neighbors Tag 1: System Id Type Interface IP Address State Holdtime Circuit Id R3 L2 Gi1 10.3.6.3 UP 22 02 R9 L1 Gi2 10.6.9.9 UP 25 01
I'll check routing table on R9, too.
R9#sh ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override Gateway of last resort is 10.6.9.6 to network 0.0.0.0 i*L1 0.0.0.0/0 [115/10] via 10.6.9.6, 00:03:00, GigabitEthernet1 126.96.36.199/32 is subnetted, 1 subnets C 188.8.131.52 is directly connected, Loopback0 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks i L1 10.3.6.0/24 [115/20] via 10.6.9.6, 00:24:00, GigabitEthernet1 C 10.6.9.0/24 is directly connected, GigabitEthernet1 L 10.6.9.9/32 is directly connected, GigabitEthernet1
So far, so good. R6 is L1L2 router, so it sets ATT bit on LSP it generates.
I wasn't able to find an operational command to verify IS-IS authentication status both on IOS XE and XR
- IS-IS, similar to OSPF uses either plain text or MD5 authentication
- It uses Authentication TLV #10 to carry these information
- Authentication of protocol messages can be done on a per message type basis
- IS-IS, just like OSPF uses fightback
- IS-IS, unlike OSPF doesn't carry Cryptographic Sequence Numbers
- It is possible to change keys without disrupting IS-IS adjacency