
AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.


Security Policy

IS-IS authentication encrypts IS-IS packets by adding the authentication field to packets to ensure network security. When receiving IS-IS packets from a remote router, the local router discards the packets if the authentication passwords in the packets are different from the authentication password set through the area-authentication-mode command. This protects the local router.

Attack Modes

Denial of error packets: Attackers can capture valid Hello packets or link state packets from the network, forge attack packets that routers recognize as IS-IS packets, and send them to routers. Although routers can identify and discard these attack packets based on the authentication information, they may also discard valid packets because they cannot process them in time. This affects network stability.

Configuration and Maintenance Methods

  1. Run:

    area-authentication-mode { simple { [ cipher ] password-key | plain password } | md5 { [ cipher ] password-key | plain password } } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

    The area authentication mode is set.

  2. Run:

    domain-authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

    The routing domain authentication mode is set.

  3. Run:

    isis authentication-mode { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

    The IS-IS authentication mode is set.
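As an added example (not part of the Huawei guide), the following script audits a saved configuration for the three authentication commands above and flags options that weaken them. The function name, the sample configuration and its passwords are constructed, and the keyword meanings in `WEAK_OPTIONS` are assumptions based on the usual semantics of these VRP keywords, not statements from this page.

```python
import re

COMMANDS = ("area-authentication-mode", "domain-authentication-mode",
            "isis authentication-mode")
# Assumed keyword semantics (not stated on this page).
WEAK_OPTIONS = {
    "simple": "password is carried in cleartext in IS-IS packets",
    "plain": "password is stored in cleartext in the configuration file",
    "send-only": "some received packets are accepted without an authentication check",
    "all-send-only": "received LSPs and SNPs are accepted without an authentication check",
    "authentication-avoid": "SNPs are sent and accepted without authentication",
}
AUTH_CMD = re.compile(
    r"^\s*(area-authentication-mode|domain-authentication-mode|"
    r"isis\s+authentication-mode)\s+(.*)$")

def audit_isis_auth(config_text):
    """Return (findings, missing): weak options per line, and commands never seen."""
    findings, seen = [], set()
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = AUTH_CMD.match(line)
        if not m:
            continue
        command = " ".join(m.group(1).split())
        tokens = m.group(2).split()
        if len(tokens) < 2:
            continue  # incomplete command, nothing to classify
        seen.add(command)
        # Skip the password token so a password that happens to equal a
        # keyword is never inspected or reported.
        if tokens[1] in ("plain", "cipher"):
            keywords = [tokens[0], tokens[1]] + tokens[3:]
        else:  # optional "cipher" omitted: password follows the mode directly
            keywords = [tokens[0]] + tokens[2:]
        for word in keywords:
            if word in WEAK_OPTIONS:
                findings.append((lineno, command, word, WEAK_OPTIONS[word]))
    return findings, [c for c in COMMANDS if c not in seen]

# Constructed sample configuration for demonstration only.
SAMPLE_CONFIG = """\
isis 1
 network-entity 10.0000.0000.0001.00
 area-authentication-mode simple plain ExamplePass1 snp-packet authentication-avoid
 domain-authentication-mode md5 cipher ExamplePass2
interface GigabitEthernet0/0/1
 isis enable 1
"""

if __name__ == "__main__":
    weak, absent = audit_isis_auth(SAMPLE_CONFIG)
    for lineno, command, word, why in weak:
        print(f"line {lineno}: {command}: '{word}': {why}")
    print("not configured:", ", ".join(absent) or "none")
```
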

Updated: 2019-05-06

Document ID: EDOC1000097300
