[c-nsp] IOS-XR IS-IS authentication

Dave Bell dave at geordish.org
Wed May 27 07:58:23 EDT 2020


We've just turned up something similar. The difference is we are not using
a keychain for the P2P password.

>show configuration protocols isis
topologies ipv6-unicast;
overload timeout 300;
level 1 disable;
level 2 {
    authentication-key-chain ISIS_DOMAIN;
    wide-metrics-only;
}
interface ae6.0 {
    ldp-synchronization;
    lsp-interval 50;
    point-to-point;
    link-protection;
    level 2 {
        metric 10000;
        ipv6-unicast-metric 10000;
        hello-authentication-key "<password>"; ## SECRET-DATA
        hello-authentication-type md5;
    }
}

> show configuration security
authentication-key-chains {
    key-chain ISIS_DOMAIN {
        key 1 {
            secret "<PASSWORD>"; ## SECRET-DATA
            start-time "2019-1-1.00:00:00 +0000";
            algorithm md5;
        }
    }
}

router isis ISIS
 set-overload-bit on-startup wait-for-bgp
 is-type level-2-only
 net 49.0001.0511.4807.2051.00
 lsp-password keychain ISIS-DOMAIN
 address-family ipv4 unicast
  metric-style wide level 2
  maximum-paths 8
  segment-routing mpls
 !
 address-family ipv6 unicast
  metric-style wide level 2
  maximum-paths 8
 !
 interface Bundle-Ether1
  hello-password hmac-md5 encrypted <PASSWORD>
  address-family ipv4 unicast
   metric 10000

On Wed, 27 May 2020 at 12:46, Eric Van Tol <eric at atlantech.net> wrote:

> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
> one to send to and I didn’t notice.
>
> Hi all,
> I’m testing out an NCS540 for use in our network and this is my first
> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
> that the NCS needs to interoperate with. I’m having some minor trouble with
> IS-IS authentication and it’s kind of driving me nuts because I can’t get
> IS-IS to come up when authentication is configured. I keep getting this
> error:
>
> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because
> cryptographic password mismatch
>
> Seems pretty obvious, but my keychain key password is configured and
> verified to match on both sides:
>
> key chain isis-chain
>  key 1
>   accept-lifetime 00:00:00 january 01 1993 infinite
>   key-string password <password>
>   send-lifetime 00:00:00 january 01 1993 infinite
>   cryptographic-algorithm HMAC-MD5
>  !
>  accept-tolerance infinite
>
> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
> on the NCS540:
>
> router isis rtr1
>  set-overload-bit on-startup wait-for-bgp
>  is-type level-2-only
>  net 49.0001.1071.3820.2192.00
>  log adjacency changes
>  lsp-mtu 1497
>  lsp-password keychain isis-chain
>  address-family ipv4 unicast
>   metric-style wide level 2
>  !
>  address-family ipv6 unicast
>   metric-style wide level 2
>   single-topology
>  !
>  interface Loopback1
>   passive
>   address-family ipv4 unicast
>   !
>   address-family ipv6 unicast
>   !
>  !
>  interface TenGigE0/0/0/19
>   circuit-type level-2-only
>   point-to-point
>   hello-password keychain isis-chain
>   address-family ipv4 unicast
>    metric 3500
>   !
>   address-family ipv6 unicast
>    metric 3500
>   !
>  !
>
> traceoptions on the Juniper shows something similar:
>
> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>
> Here’s the Juniper key config and isis stanza:
>
> authentication-key-chains {
>     key-chain isis-chain {
>         key 1 {
>             secret "<password>"; ## SECRET-DATA
>             start-time "1993-1-1.00:00:00 +0000";
>             algorithm md5;
>         }
>     }
> }
> protocols {
>     isis {
>         level 1 disable;
>         level 2 {
>             authentication-key-chain isis-chain;
>             wide-metrics-only;
>         }
>         interface xe-0/0/0.0 {
>             point-to-point;
>             level 2 {
>                 metric 3500;
>                 hello-authentication-key-chain isis-chain;
>             }
>             level 1 disable;
>         }
>     }
> }
>
> I know it’s got to be something simple, but it’s not clicking for me
> today. It seems like any step forward I take with IOS-XR, I end up taking
> two steps back on the next thing that ‘just works’ everywhere else.
>
> -evt
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
