Friday, June 13, 2014

Authenticating ISIS packets within the same site / across the site

A very simple topic, wherein I have configured basic ISIS authentication for OTV. The topology remains the same as in 'Multihoming with OTV'.

Two things have to be done to authenticate ISIS packets.

The first is to create a 'key-chain'. Key-chain has a good number of options, but I am using the most basic form: a key-chain containing a single key with a key-string.

key chain otv1
 key 1
   key-string otv

The key chain, with the same key-string, has to be configured on all the edge-devices; an edge device holding a different key-string fails authentication exactly as one with no authentication configured.

Next comes the ISIS-related configuration, which goes under one of two headings:
  1. otv site bridge-domain <x>
  2. interface overlay <x>
'otv site bridge-domain <x>' is used to authenticate ISIS packets within the same site (the site adjacency between the edge devices of one site).

For authenticating ISIS packets across sites, we configure the same two commands under 'interface overlay <x>'.
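Since the adjacencies only survive if every edge device carries the same key-string and both scopes are configured on every box, a pre-check before enabling authentication is useful. The script below is an added example and not part of the original post: it parses the relevant stanzas of each edge device's running-config text and reports any scope that is missing the two authentication commands, points at an undefined key chain, or holds a different key-string than the peers it exchanges hellos with. The sample configs embedded in it are constructed to mirror this topology (the hostnames and the key chain 'otv1' are the post's; the per-device configs and the site labels are my assumptions), with S1ED2 deliberately left without the overlay-scope commands.

```python
import re
from collections import defaultdict

# Top-level running-config stanzas this audit cares about (IOS-XE OTV syntax).
STANZA_RE = re.compile(r"^(otv site bridge-domain \d+|interface Overlay\d+|key chain \S+)$")
SCOPE_PREFIXES = ("otv site bridge-domain", "interface Overlay")


def parse_config(text):
    """Map each interesting stanza header to its (stripped) indented lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):   # any top-level line ends the previous stanza
            current = stanzas.setdefault(line, []) if STANZA_RE.match(line) else None
        elif current is not None:
            current.append(line.strip())
    return stanzas


def key_strings(stanzas):
    """{chain name: key-string} for every 'key chain' stanza (None if it has no key-string)."""
    out = {}
    for header, lines in stanzas.items():
        if header.startswith("key chain "):
            found = [ln.split(None, 1)[1] for ln in lines if ln.startswith("key-string ")]
            out[header.split()[-1]] = found[0] if found else None
    return out


def audit_site(devices):
    """devices: {hostname: {"site": site name, "config": running-config text}}.
    Returns a sorted list of findings; empty means every scope on every device is
    md5-authenticated with the same secret as the peers it exchanges hellos with."""
    findings = []
    secrets = defaultdict(dict)   # comparison key -> {hostname: key-string or None}
    for host, dev in devices.items():
        stanzas = parse_config(dev["config"])
        chains = key_strings(stanzas)
        for scope, lines in stanzas.items():
            if not scope.startswith(SCOPE_PREFIXES):
                continue
            # Site hellos stay inside one site, overlay hellos cross sites, so the
            # site scope is compared per site and the overlay scope across all boxes.
            key = scope if scope.startswith("interface") else f"{dev['site']}/{scope}"
            mode = next((ln.split()[-1] for ln in lines
                         if ln.startswith("otv isis authentication mode ")), None)
            chain = next((ln.split()[-1] for ln in lines
                          if ln.startswith("otv isis authentication key-chain ")), None)
            if mode is None or chain is None:
                findings.append(f"{host}: '{scope}' is missing the two-command authentication config")
                secrets[key][host] = None
                continue
            if mode != "md5":
                findings.append(f"{host}: '{scope}' uses authentication mode '{mode}', expected md5")
            if chain not in chains:
                findings.append(f"{host}: '{scope}' references undefined key chain '{chain}'")
                secrets[key][host] = None
                continue
            if chains[chain] is None:
                findings.append(f"{host}: key chain '{chain}' has no key-string")
            secrets[key][host] = chains[chain]
    for key, hosts in secrets.items():
        if len(hosts) > 1 and len(set(hosts.values())) > 1:
            findings.append(f"'{key.split('/', 1)[-1]}': key material differs across "
                            f"{sorted(hosts)}; expect %CLNS-4-AUTH_FAIL and lost adjacencies")
    return sorted(findings)


# Constructed sample configs (assumptions, modelled on the post's snippets):
# S1ED2 is the box that still lacks the overlay-scope commands.
KEY_CHAIN = "key chain otv1\n key 1\n   key-string otv\n!\n"
SITE_AUTH = ("otv site bridge-domain 2\n otv isis hello-interval 3\n"
             " otv isis authentication mode md5\n otv isis authentication key-chain otv1\n!\n")
OVERLAY_PLAIN = ("interface Overlay2\n no ip address\n otv join-interface GigabitEthernet2/1/0\n"
                 " otv adjacency-server unicast-only\n otv isis hello-interval 3\n")
OVERLAY_AUTH = OVERLAY_PLAIN + " otv isis authentication mode md5\n otv isis authentication key-chain otv1\n"
SAMPLE_DEVICES = {
    "S1ED1": {"site": "S1", "config": KEY_CHAIN + SITE_AUTH + OVERLAY_AUTH},
    "S1ED2": {"site": "S1", "config": KEY_CHAIN + SITE_AUTH + OVERLAY_PLAIN},
    "S2ED1": {"site": "S2", "config": KEY_CHAIN + SITE_AUTH + OVERLAY_AUTH},
}

if __name__ == "__main__":
    for finding in audit_site(SAMPLE_DEVICES) or ["no findings"]:
        print(finding)
```

Run against the sample it reports S1ED2's missing overlay-scope commands and the resulting key mismatch on 'interface Overlay2'; feed it the 'show running-config' text of the real edge devices instead of the constructed strings to check a live deployment. The check that catches the most surprising outage is the last one: two boxes can both have the two commands and the same key-chain name and still fail authentication if their key-strings differ.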

Let's consider each one of them, one at a time.

CASE-1: Authenticating ISIS packets within the same site
======

Topology: (diagram not reproduced here; it is the same topology as in 'Multihoming with OTV')


S1ED1 and S1ED2 are in the same site, and by default we see the following on both edge-devices:

otv site bridge-domain 2
 otv isis hello-interval 3

The neighbor relationship is as follows:

S1ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED2          L1   Ov2         10.1.2.1        UP    8        S1ED1.01          
S2ED1          L1   Ov2         10.1.3.1        UP    6        S1ED1.01
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
0006.F685.4500 L1   OTV-Site                    UP    7         S1ED1.01
S1ED1#

The focus will be on the second portion of the output, 'Tag Site:'.

Now, assuming the key-chain is already configured on both S1ED1 and S1ED2, let me go ahead and configure ISIS authentication on just S1ED1:

otv site bridge-domain 2
 otv isis hello-interval 3
 otv isis authentication mode md5 
 otv isis authentication key-chain otv1

Note that authentication is a two-command configuration, as shown above: the mode and the key-chain. As soon as ISIS authentication is configured on S1ED1, we start seeing the messages below on its console:

S1ED1#
*Jun 13 05:07:06.268: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 05:07:36.842: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 05:08:08.488: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
S1ED1#

With this, the ISIS 'Tag site:' neighbor relationship goes down:

S1ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED2          L1   Ov2         10.1.2.1        UP    8        S1ED1.01 
S2ED1          L1   Ov2         10.1.3.1        UP    7        S1ED1.01           
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED1#

Whereas on S1ED2 it drops to INIT. S1ED2 has no authentication configured and so still accepts S1ED1's authenticated hellos, but S1ED1 now rejects S1ED2's unauthenticated hellos and therefore no longer lists S1ED2 as a neighbor in its own hellos, so the two-way check on S1ED2 never completes:

S1ED2#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED1          L1   Ov2         10.1.1.1        UP    2        S1ED1.01          
S2ED1          L1   Ov2         10.1.3.1        UP    8        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
A80C.0DED.FA00 L1   OTV-Site                    INIT  7        A80C.0DED.FA00.01 
S1ED2#

Let me now configure the same two authentication commands on S1ED2:

otv site bridge-domain 2
 otv isis hello-interval 3
 otv isis authentication mode md5
 otv isis authentication key-chain otv1

Now, let's re-check the neighbor relationship:

S1ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED2          L1   Ov2         10.1.2.1        UP    7        S1ED1.01          
S2ED1          L1   Ov2         10.1.3.1        UP    7        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
0006.F685.4500 L1   OTV-Site                    UP    8        S1ED1.01          
S1ED1#

S1ED2#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED1          L1   Ov2         10.1.1.1        UP    2        S1ED1.01          
S2ED1          L1   Ov2         10.1.3.1        UP    7        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
A80C.0DED.FA00 L1   OTV-Site                    UP    2        A80C.0DED.FA00.01 
S1ED2#

As seen, the site neighbor relationship is restored and the state on both edge-devices shows UP. Throughout all this the Overlay neighbor relationship remained unchanged, because authentication configured under the site bridge-domain applies only to the site adjacency.
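To make the one-side-empty, other-side-INIT behaviour concrete, here is an added example (not from the original post, and not Cisco's code) that builds a minimal L1 LAN IIH carrying the RFC 5304 HMAC-MD5 authentication TLV that 'authentication mode md5' uses, verifies it the way a receiver does, and runs two hello rounds between a keyed and an unkeyed edge device. The system IDs are the two site neighbors from the output above; reusing them as SNPAs, the 9-second holdtime and taking the key-string 'otv' directly as the HMAC key are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# IS-IS constants (ISO 10589 / RFC 5304).
IRPD, L1_LAN_IIH, HDR_LEN = 0x83, 0x0F, 27
TLV_IS_NEIGHBORS, TLV_AUTH, AUTH_HMAC_MD5 = 6, 10, 54
PDU_LEN_OFF = 17   # offset of the 2-byte PDU length field in a LAN IIH header


def build_lan_iih(source_id, snpa_neighbors=(), auth_key=None, holding_time=9):
    """Build a minimal L1 LAN IIH. With auth_key, append an RFC 5304 TLV (type 10,
    auth type 54) whose HMAC-MD5 covers the whole PDU with the 16-byte digest zeroed."""
    assert len(source_id) == 6
    pdu = bytearray(struct.pack("!8B", IRPD, HDR_LEN, 1, 0, L1_LAN_IIH, 1, 0, 0))
    # circuit type, source ID, holding time, PDU length (patched below), priority, LAN ID
    pdu += struct.pack("!B6sHHB7s", 1, source_id, holding_time, 0, 64, source_id + b"\x01")
    if snpa_neighbors:   # IS Neighbors TLV: the SNPAs whose hellos this box has accepted
        value = b"".join(snpa_neighbors)
        pdu += struct.pack("!BB", TLV_IS_NEIGHBORS, len(value)) + value
    if auth_key is not None:
        pdu += struct.pack("!BBB", TLV_AUTH, 17, AUTH_HMAC_MD5) + bytes(16)
    struct.pack_into("!H", pdu, PDU_LEN_OFF, len(pdu))
    if auth_key is not None:
        pdu[-16:] = hmac.new(auth_key, bytes(pdu), hashlib.md5).digest()
    return bytes(pdu)


def tlvs(pdu):
    """Yield (type, value offset, value) for every TLV after the LAN IIH header."""
    off = HDR_LEN
    while off + 2 <= len(pdu):
        t, length = pdu[off], pdu[off + 1]
        yield t, off + 2, pdu[off + 2:off + 2 + length]
        off += 2 + length


def verify_iih(pdu, auth_key):
    """Receiver-side check, mirroring the behaviour in the post: a box with no key
    configured ignores the TLV; a box with a key rejects a missing, non-HMAC-MD5
    or wrong-digest TLV (the %CLNS-4-AUTH_FAIL case)."""
    if auth_key is None:
        return True, "no authentication configured, TLV ignored"
    for t, val_off, value in tlvs(pdu):
        if t != TLV_AUTH:
            continue
        if len(value) != 17 or value[0] != AUTH_HMAC_MD5:
            return False, "authentication TLV is not HMAC-MD5"
        zeroed = bytearray(pdu)
        zeroed[val_off + 1:val_off + 17] = bytes(16)
        expected = hmac.new(auth_key, bytes(zeroed), hashlib.md5).digest()
        if hmac.compare_digest(expected, value[1:]):
            return True, "HMAC-MD5 verified"
        return False, "LAN IIH authentication failed"
    return False, "LAN IIH authentication failed (no authentication TLV)"


def lan_adjacency(my_snpa, my_key, peer_iih):
    """State this box holds for the peer: None (hello rejected, nothing listed in
    'show otv isis neighbors'), 'INIT' (hello accepted but the peer does not list us
    yet) or 'UP' (the peer's IS Neighbors TLV carries our SNPA, i.e. two-way seen)."""
    if not verify_iih(peer_iih, my_key)[0]:
        return None
    for t, _, value in tlvs(peer_iih):
        if t == TLV_IS_NEIGHBORS and my_snpa in [value[i:i + 6] for i in range(0, len(value), 6)]:
            return "UP"
    return "INIT"


def simulate(key_a, key_b):
    """Two hello rounds between edge devices A and B; returns (state on A for B,
    state on B for A). System IDs are the site neighbours from the post's output,
    reused as SNPAs for simplicity (an assumption of this example)."""
    a_id, b_id = bytes.fromhex("0006f6854500"), bytes.fromhex("a80c0dedfa00")
    a_seen, b_seen = (), ()
    for _ in range(2):
        iih_a = build_lan_iih(a_id, a_seen, key_a)
        iih_b = build_lan_iih(b_id, b_seen, key_b)
        a_state = lan_adjacency(a_id, key_a, iih_b)
        b_state = lan_adjacency(b_id, key_b, iih_a)
        a_seen = (b_id,) if a_state else ()
        b_seen = (a_id,) if b_state else ()
    return a_state, b_state


if __name__ == "__main__":
    print("S1ED1 keyed, S1ED2 not:", simulate(b"otv", None))   # (None, 'INIT')
    print("both keyed:            ", simulate(b"otv", b"otv"))  # ('UP', 'UP')
    print("different key-strings: ", simulate(b"otv", b"bad"))  # (None, None)
```

The first case reproduces what the two outputs above show: the keyed box drops the peer entirely, the unkeyed box keeps the peer at INIT because it never sees its own SNPA in the peer's hellos. The third case is the one the audit in the previous example is there to catch: with different key-strings both sides reject each other and neither box lists the other at all.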

CASE-2: Authenticating ISIS packets across the sites [via Overlay interface]
======

The configuration doesn't change much, except that 'otv isis authentication mode md5' and 'otv isis authentication key-chain otv1' now go under the overlay interface.

We again make use of the same topology; this time we track S1ED1 and S2ED1. By default, this is what we observe:

S1ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED2          L1   Ov2         10.1.2.1        UP    7        S1ED1.01          
S2ED1          L1   Ov2         10.1.3.1        UP    7        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
0006.F685.4500 L1   OTV-Site                    UP    8        S1ED1.01          
S1ED1#

S2ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED1          L1   Ov2         10.1.1.1        UP    2        S1ED1.01          
S1ED2          L1   Ov2         10.1.2.1        UP    8        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S2ED1#

Now, let me configure ISIS authentication on S2ED1, again assuming the same key-chain used on S1ED1 and S1ED2 has already been configured on S2ED1:

interface Overlay2
 no ip address
 otv join-interface GigabitEthernet2/1/0
 otv adjacency-server unicast-only
 otv isis hello-interval 3
 otv isis authentication mode md5 
 otv isis authentication key-chain otv1
<snippet>

As before, soon after the configuration the console messages start:

S2ED1#
*Jun 13 06:25:23.567: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 06:25:54.358: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
*Jun 13 06:26:24.760: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed
S2ED1#

Also, as expected, the Overlay adjacencies to both S1ED1 and S1ED2 go down (S2ED1 is the only edge device in its site, so 'Tag Site:' was already empty):

S2ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S2ED1#

Now, let me configure the same two commands under interface Overlay2 on both S1ED1 and S1ED2. Once that is done, we see the ISIS neighbor relationship restored:

S2ED1#show otv isis neighbors
Tag Overlay2:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S1ED1          L1   Ov2         10.1.1.1        UP    2        S1ED1.01          
S1ED2          L1   Ov2         10.1.2.1        UP    7        S1ED1.01          
Tag Site:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
S2ED1#

This concludes a very simple ISIS authentication topic under OTV. Hopefully it will be helpful to some of you.
