A very simple topic: here I have just configured basic ISIS authentication in OTV. The topology remains the same as in 'Multihoming with OTV'.
Link for 'Multihoming with OTV': http://stayinginit.blogspot.com/2014/06/multihoming-with-otv.html
Two things have to be done to authenticate ISIS packets.
The first is to create a 'key-chain'. A key-chain has a good number of options, but I am using the most basic form, which is a key-chain containing one key with a key-string:
key chain otv1
 key 1
  key-string otv
The key chain has to be configured on all the edge-devices.
Next comes the ISIS-related configuration, which is applied under one of two configuration sections:
- otv site bridge-domain <x>
- interface overlay <x>
For authenticating ISIS packets within a site, we configure it under 'otv site bridge-domain <x>'; for authenticating ISIS packets across sites, we configure it under 'interface overlay <x>'.
Let's consider each one of them, one at a time.
CASE-1: Authenticating ISIS packets within the same site
S1ED1 and S1ED2 are in the same site and we see the following by default on both the edge-devices:
otv site bridge-domain 2
 otv isis hello-interval 3
The neighbor relationship is as follows:
S1ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED2           L1   Ov2                  UP    8        S1ED1.01
S2ED1           L1   Ov2                  UP    6        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
0006.F685.4500  L1   OTV-Site             UP    7        S1ED1.01
The focus will be on the second portion of the output, under 'Tag Site:'.
Now, assuming the key-chain is already configured on both S1ED1 and S1ED2, let me go ahead and configure ISIS authentication on just S1ED1:
otv site bridge-domain 2
 otv isis hello-interval 3
 otv isis authentication mode md5
 otv isis authentication key-chain otv1
It should be noted that authentication is a two-command configuration, as shown above. As soon as ISIS authentication is configured on S1ED1 alone, we start seeing the messages below on its console:
*Jun 13 05:07:06.268: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 05:07:36.842: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 05:08:08.488: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
With this, the ISIS 'Tag Site:' neighbor relationship goes down on S1ED1:
S1ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED2           L1   Ov2                  UP    8        S1ED1.01
S2ED1           L1   Ov2                  UP    7        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
On S1ED2, meanwhile, the site neighbor drops to INIT state:
S1ED2#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED1           L1   Ov2                  UP    2        S1ED1.01
S2ED1           L1   Ov2                  UP    8        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
A80C.0DED.FA00  L1   OTV-Site             INIT  7        A80C.0DED.FA00.01
Let me now configure the same set of authentication commands on S1ED2:
otv site bridge-domain 2
 otv isis hello-interval 3
 otv isis authentication mode md5
 otv isis authentication key-chain otv1
Now, let's re-check the neighbor relationship:
S1ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED2           L1   Ov2                  UP    7        S1ED1.01
S2ED1           L1   Ov2                  UP    7        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
0006.F685.4500  L1   OTV-Site             UP    8        S1ED1.01
S1ED2#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED1           L1   Ov2                  UP    2        S1ED1.01
S2ED1           L1   Ov2                  UP    7        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
A80C.0DED.FA00  L1   OTV-Site             UP    2        A80C.0DED.FA00.01
As seen, the site neighbor relationship is restored and the state on both edge-devices shows UP. Throughout all of this, the Overlay neighbor relationship remained unchanged.
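A practical way to catch the half-configured state seen above (one edge device authenticating while its site peer is stuck in INIT, or a tag left with no neighbors at all) is to parse 'show otv isis neighbors' and flag anything that is not UP. This is an added example and not part of the original post: the sample output is constructed from the S1ED2 output above, and the function and field names are my own.

```python
import re

# Constructed sample (modelled on S1ED2 above while only S1ED1 had
# authentication enabled): the site adjacency is stuck in INIT.
SAMPLE_OUTPUT = """\
S1ED2#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED1           L1   Ov2                  UP    2        S1ED1.01
S2ED1           L1   Ov2                  UP    8        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
A80C.0DED.FA00  L1   OTV-Site             INIT  7        A80C.0DED.FA00.01
"""

TAG_RE = re.compile(r"^Tag (\S+):$")
NEIGHBOR_RE = re.compile(
    r"^(?P<sysid>\S+)\s+(?P<type>L[12])\s+(?P<intf>\S+)\s+"
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+)\s+)?"  # the IP Address column is usually empty
    r"(?P<state>UP|INIT|DOWN)\s+(?P<hold>\d+)\s+(?P<circuit>\S+)$"
)

def parse_otv_isis_neighbors(text):
    """Return {tag: [neighbor dicts]}; a tag with no rows (like 'Tag Site:' on
    S1ED1 after the adjacency dropped) is kept with an empty list."""
    tags, current = {}, None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if m:
            current = m.group(1)
            tags[current] = []
            continue
        m = NEIGHBOR_RE.match(line.strip())
        if m and current is not None:
            tags[current].append(m.groupdict())
    return tags

def adjacency_problems(tags, expect_site_peer=True):
    """List tags with no neighbors and neighbors not in UP state. Pass
    expect_site_peer=False for a lone edge device (S2ED1), where an empty
    'Tag Site:' is normal."""
    problems = []
    for tag, neighbors in tags.items():
        if not neighbors and (tag != "Site" or expect_site_peer):
            problems.append(f"{tag}: no neighbors (adjacency lost)")
        for n in neighbors:
            if n["state"] != "UP":
                problems.append(f"{tag}: {n['sysid']} is {n['state']}")
    return problems
```

Run the checker after each authentication change on each edge device; a non-empty list on either side of a site, or on an overlay tag, means the rollout is not yet consistent.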
CASE-2: Authenticating ISIS packets across the sites [via Overlay interface]
The configuration doesn't change much, except that 'otv isis authentication mode md5' and 'otv isis authentication key-chain otv1' now go under the overlay interface.
We again make use of the same topology; this time we will track S1ED1 and S2ED1. By default, this is our observation:
S1ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED2           L1   Ov2                  UP    7        S1ED1.01
S2ED1           L1   Ov2                  UP    7        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
0006.F685.4500  L1   OTV-Site             UP    8        S1ED1.01
S2ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED1           L1   Ov2                  UP    2        S1ED1.01
S1ED2           L1   Ov2                  UP    8        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
Now, let me configure ISIS authentication on S2ED1, again assuming the same key-chain used earlier on S1ED1 and S1ED2 has already been configured on it:
interface Overlay2
 no ip address
 otv join-interface GigabitEthernet2/1/0
 otv adjacency-server unicast-only
 otv isis hello-interval 3
 otv isis authentication mode md5
 otv isis authentication key-chain otv1
As before, soon after configuration you start observing the console messages:
*Jun 13 06:25:23.567: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 06:25:54.358: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 06:26:24.760: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
As expected, the overlay ISIS adjacencies go down as well:
S2ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
Now, let me configure the same commands under interface Overlay2 on both S1ED1 and S1ED2. Once configured, we see the ISIS neighbor relationship restored:
S2ED1#show otv isis neighbors
Tag Overlay2:
System Id       Type Interface IP Address State Holdtime Circuit Id
S1ED1           L1   Ov2                  UP    2        S1ED1.01
S1ED2           L1   Ov2                  UP    7        S1ED1.01
Tag Site:
System Id       Type Interface IP Address State Holdtime Circuit Id
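Both cases hinge on the same two things: the authentication mode and key-chain commands must be present together under each 'otv site bridge-domain' and 'interface Overlay' section, and the key chain they name must exist on every edge device. Both can be audited from the configs before anything is pushed. This is an added example and not code from the post: the sample configs are constructed from the ones shown above, and the function names (sections, audit_device, audit_site) are assumptions of mine.

```python
import re

# Constructed sample configs (not from the post): S1ED1 is fully configured,
# S1ED2 carries only one of the two authentication commands, the half-done
# state that dropped the site adjacency above.
CONFIGS = {
    "S1ED1": "key chain otv1\n key 1\n  key-string otv\n"
             "otv site bridge-domain 2\n otv isis hello-interval 3\n"
             " otv isis authentication mode md5\n"
             " otv isis authentication key-chain otv1\n",
    "S1ED2": "key chain otv1\n key 1\n  key-string otv\n"
             "otv site bridge-domain 2\n otv isis hello-interval 3\n"
             " otv isis authentication key-chain otv1\n",
}

# The two sections this post puts 'otv isis authentication ...' commands under.
AUTH_SECTION_RE = re.compile(r"^(otv site bridge-domain \d+|interface Overlay\d+)$")

def sections(config):
    """Split IOS-style config into {top-level line: [indented child lines]}."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw and raw[0] != " ":
            current = raw.strip()
            result[current] = []
        elif raw.strip() and current is not None:
            result[current].append(raw.strip())
    return result

def audit_device(name, config):
    """Findings for one edge device: each auth section needs both commands
    (or neither), and a named key chain must exist with a key-string."""
    secs = sections(config)
    chains = {h.split()[2]: any(l.startswith("key-string ") for l in b)
              for h, b in secs.items() if h.startswith("key chain ")}
    findings = []
    for head, body in secs.items():
        if not AUTH_SECTION_RE.match(head):
            continue
        has_mode = any(l.startswith("otv isis authentication mode ") for l in body)
        chain = next((l.split()[-1] for l in body
                      if l.startswith("otv isis authentication key-chain ")), None)
        if has_mode != (chain is not None):
            findings.append(f"{name}: '{head}' has only one of the two authentication commands")
        elif chain and not chains.get(chain):
            findings.append(f"{name}: '{head}' names key-chain '{chain}' with no key-string")
    return findings

def audit_site(configs):
    """Audit every edge device of a site; an empty list means consistent."""
    return [f for name, cfg in configs.items() for f in audit_device(name, cfg)]
```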
This concludes a very simple ISIS authentication topic under OTV. Hopefully it will be helpful to some of you.