Cisco Systems OL-14356-01 Network Router User Manual


 
Implementing IS-IS on Cisco IOS XR Software
Information About Implementing IS-IS on Cisco IOS XR Software
Cisco IOS XR Routing Configuration Guide
Single-Topology IPv6 Support
Single-topology IPv6 support on Cisco IOS XR software allows IS-IS for IPv6 to be configured on
interfaces along with an IPv4 network protocol. All interfaces must be configured with the identical set
of network protocols, and all routers in the IS-IS area (for Level 1 routing) or the domain (for Level 2
routing) must support the identical set of network layer protocols on all interfaces.
When single-topology support for IPv6 is used, only narrow link metrics, also known as old-style type,
length, and value (TLV) arguments, may be employed. During single-topology operation, one shortest
path first (SPF) computation for each level is used to compute both IPv4 and IPv6 routes. Using a single
SPF is possible because both IPv4 IS-IS and IPv6 IS-IS routing protocols share a common link topology.
Multitopology IPv6 Support
Cisco IOS XR software for IS-IS assumes that multitopology support is required as soon as it
detects interfaces configured for both IPv6 and IPv4 within the IS-IS stanza.
Because multitopology is the default behavior in the software, you must explicitly configure IPv6 to use
the same topology as IPv4 to enable single-topology IPv6. Configure the single-topology command in
the IPv6 router address family configuration submode of the IS-IS router stanza.
IS-IS Authentication
Authentication is available to limit the establishment of adjacencies by using the hello-password
command, and to limit the exchange of LSPs by using the lsp-password command.
IS-IS supports plain-text authentication, which does not provide security against unauthorized users.
Plain-text authentication allows you to configure a password to prevent unauthorized networking devices
from forming adjacencies with the router. The password is exchanged as plain text and is potentially
visible to an agent able to view the IS-IS packets.
When an HMAC-MD5 password is configured, the password is never sent over the network and is
instead used to calculate a cryptographic checksum to ensure the integrity of the exchanged data.
IS-IS stores a configured password using simple encryption. However, the plain-text form of the
password is used in LSPs, sequence number PDUs (SNPs), and hello packets, where it would be visible
to a process that can view IS-IS packets. The passwords can be entered in plain-text (clear) or encrypted
form.
To set the domain password, configure the lsp-password command for Level 2; to set the area password,
configure the lsp-password command for Level 1.
The keychain feature allows IS-IS to reference configured keychains. IS-IS keychains enable hello and
LSP keychain authentication. Keychains can be configured at the router level (in the case of the
lsp-password command) and at the interface level (in the case of the hello-password command) within
IS-IS. These commands reference the global keychain configuration and instruct the IS-IS protocol to
obtain security parameters from the global set of configured keychains.
IS-IS can use the keychain to implement hitless key rollover for authentication. Key rollover
is time based, so clock skew between the peers affects the rollover process.
The configurable tolerance specification allows the accept window to be extended (before
and after) by that margin. This accept window facilitates a hitless key rollover for applications (for
example, routing and management protocols).
See Cisco IOS XR System Security Guide for information on keychain management.
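
The effect of clock skew and tolerance on the time-based rollover described above can be worked through with a small model. This is an added example, not code from the Cisco guide and not the IOS XR implementation; the `Key` fields, function names, dates, and skew values are constructed for illustration, and the receiver is assumed to have an accurate clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Key:
    key_id: int
    send_from: datetime      # sender signs with this key in [send_from, send_to)
    send_to: datetime
    accept_from: datetime    # receiver accepts this key in [accept_from, accept_to)
    accept_to: datetime

def sending_key(chain, local_now):
    """Key a router signs with at its own clock time, or None if none is active."""
    return next((k for k in chain if k.send_from <= local_now < k.send_to), None)

def accepts(chain, key_id, local_now, tolerance=timedelta(0)):
    """Receiver check: the accept window is widened by `tolerance` on both sides."""
    return any(k.key_id == key_id and
               k.accept_from - tolerance <= local_now < k.accept_to + tolerance
               for k in chain)

def rejected_seconds(chain, rollover, sender_skew, tolerance, span=120):
    """Count seconds around the rollover in which the receiver (accurate clock)
    rejects what the sender (clock off by sender_skew) signs."""
    bad = 0
    for offset in range(-span, span):
        true_now = rollover + timedelta(seconds=offset)
        key = sending_key(chain, true_now + sender_skew)
        if key is None or not accepts(chain, key.key_id, true_now, tolerance):
            bad += 1
    return bad

# Constructed keychain: key 1 is replaced by key 2 at ROLLOVER on both routers.
ROLLOVER = datetime(2024, 1, 1)
FAR = timedelta(days=30)
CHAIN = [Key(1, ROLLOVER - FAR, ROLLOVER, ROLLOVER - FAR, ROLLOVER),
         Key(2, ROLLOVER, ROLLOVER + FAR, ROLLOVER, ROLLOVER + FAR)]

if __name__ == "__main__":
    for skew in (20, -20, 60):
        for tol in (0, 30):
            lost = rejected_seconds(CHAIN, ROLLOVER, timedelta(seconds=skew),
                                    timedelta(seconds=tol))
            print(f"sender skew {skew:+4d}s, tolerance {tol:2d}s -> "
                  f"{lost}s of rejected packets")
```

In this model a tolerance at least as large as the skew removes the rejection gap in both directions (fast or slow sender clock), while a skew larger than the tolerance still leaves a gap equal to the difference.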