CLI-based Configuration Guide - IP Unicast Routing

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R009

Configuring Area or Domain Authentication

Context

Generally, IS-IS packets are sent without authentication information, and received packets are not authenticated. If a user sends malicious packets to attack a network, information on the entire network may be stolen. Therefore, you can configure IS-IS authentication to improve network security.

The area authentication password is encapsulated into Level-1 IS-IS packets. Only the packets that pass the area authentication can be accepted. Therefore, you must configure IS-IS area authentication on all the IS-IS devices in the specified Level-1 area to authenticate the Level-1 area.

The domain authentication password is encapsulated into Level-2 IS-IS packets. Only the packets that pass the domain authentication can be accepted. Therefore, you must configure IS-IS domain authentication on all the IS-IS devices in the Level-2 area to authenticate the Level-2 area.

If plain is selected during the configuration of the area authentication mode or domain authentication mode, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

Simple authentication and MD5 authentication have potential security risks. HMAC-SHA256 authentication mode is recommended.

NOTE:

When configuring IS-IS authentication, the area or domain authentication modes and passwords of the routers in the same area must be consistent so that IS-IS packets can be flooded normally.

Whether IS-IS packets can pass area or domain authentication does not affect the establishment of Level-1 or Level-2 neighbor relationships.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run isis [ process-id ]

    The IS-IS process view is displayed.

  3. Perform the following operations in any sequence as required.

    • Run area-authentication-mode { { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ ip | osi ] | keychain keychain-name | hmac-sha256 key-id key-id } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The area authentication mode is configured.

      By default, the system neither encapsulates generated Level-1 packets with authentication information nor authenticates received Level-1 packets.

    • Run domain-authentication-mode { { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ ip | osi ] | keychain keychain-name | hmac-sha256 key-id key-id } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The domain authentication mode is configured.

      By default, the system neither encapsulates generated Level-2 packets with authentication information nor authenticates received Level-2 packets.

    NOTE:

    The authentication involves the following situations:

    • The device encapsulates authentication information into the LSPs and SNPs to be sent and checks whether the received packets pass authentication. The device then discards the packets that do not pass the authentication. In this case, neither snp-packet nor all-send-only is specified.

    • The device encapsulates authentication information into LSPs to be sent and checks whether the received LSPs pass the authentication; the device neither encapsulates the SNPs to be sent with authentication information nor checks whether the received SNPs pass the authentication. In this case, the parameter snp-packet authentication-avoid needs to be specified.

    • The device encapsulates the LSPs and SNPs to be sent with authentication information; however, the device checks the authentication of only the received LSPs, not the received SNPs. In this case, the parameter snp-packet send-only needs to be specified.

    • The device encapsulates the LSPs and SNPs to be sent with authentication information, but does not check whether the received LSPs or SNPs pass the authentication. In this case, the parameter all-send-only needs to be specified.
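The following is an added example, not part of the Huawei documentation: a Python audit that scans a saved configuration for the choices this page flags as risky (simple or md5 mode, plain password storage, the receive-side relaxations in the NOTE above, and IS-IS processes with no authentication configured). The function and constant names are hypothetical, the sample configuration and passwords are constructed, and the parser assumes that process-view commands are indented under an unindented isis line.

```python
import re

ISIS_RE = re.compile(r"^isis(?:\s+(\d+))?\s*$")
AUTH_RE = re.compile(r"^\s+(area|domain)-authentication-mode\s+(.+)$")
RELAXED = {  # receive-side relaxations listed in the NOTE above
    ("snp-packet", "authentication-avoid"): "SNPs sent unauthenticated and not checked on receipt",
    ("snp-packet", "send-only"): "received SNPs not checked",
    ("all-send-only",): "received LSPs and SNPs not checked",
}

def audit_isis_auth(config_text):
    """Return (process, scope, finding) tuples for weak IS-IS authentication settings."""
    findings, configured, process = [], {}, None
    for line in config_text.splitlines():
        m = ISIS_RE.match(line)
        if m:
            process = m.group(1) or "default"
            configured.setdefault(process, 0)
        elif line[:1].strip():
            process = None  # any other unindented line leaves the IS-IS process view
        m = AUTH_RE.match(line)
        if not m or process is None:
            continue
        scope, args = m.group(1), m.group(2).split()
        configured[process] += 1
        if args[0] in ("simple", "md5"):
            findings.append((process, scope, f"{args[0]} mode; hmac-sha256 is recommended"))
            if args[1:2] == ["plain"]:
                findings.append((process, scope, "password stored in plain text"))
        for tail, text in RELAXED.items():
            if tuple(args[-len(tail):]) == tail:
                findings.append((process, scope, text))
    findings += [(p, "-", "no area or domain authentication configured")
                 for p, n in configured.items() if n == 0]
    return findings

# Constructed sample configuration; the passwords are made up.
SAMPLE = """\
isis 1
 area-authentication-mode md5 plain Constructed-Pw1
 domain-authentication-mode hmac-sha256 key-id 1 snp-packet send-only
#
isis 2
 area-authentication-mode simple cipher Constructed-Pw2 all-send-only
#
isis 3
"""

if __name__ == "__main__":
    print(*audit_isis_auth(SAMPLE), sep="\n")
```

Running the audit against the configuration of every router in an area also gives a quick way to spot mismatched modes, which the NOTE in the Context section says must be consistent.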

Updated: 2019-05-17

Document ID: EDOC1000174069
