No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - IP Unicast Routing

S7700 and S9700 V200R011C10

This document describes IP Unicast Routing configurations supported by the switch, including the principle and configuration procedures of IP Routing Overview, Static Route, RIP, RIPng, OSPF, OSPFv3, IS-IS(IPv4), IS-IS(IPv6), BGP, Routing Policy ,and PBR, and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Interface Authentication

Configuring Interface Authentication

Context

Generally, the IS-IS packets to be sent are not encapsulated with authentication information, and the received packets are not authenticated. If a user sends malicious packets to attack a network, information on the entire network may be stolen. Therefore, you can configure IS-IS authentication to improve network security.

After the IS-IS interface authentication is configured, authentication information can be encapsulated into the Hello packet to confirm the validity and correctness of neighbor relationships.

If plain is selected during the configuration of the authentication mode for the IS-IS interface, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

Simple and MD5 authentication have potential security risks. HMAC-SHA256 authentication mode is recommended.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  4. Run any of the following commands to configure an authentication mode for the IS-IS interface as required:

    • Run isis authentication-mode simple { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

      Simple authentication is configured for the IS-IS interface.

    • Run isis authentication-mode md5 { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

      MD5 authentication is configured for the IS-IS interface.

    • Run isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]

      HMAC-SHA256 authentication is configured for the IS-IS interface.

    • Run isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

      The Keychain authentication is configured for the IS-IS interface.

    By default, an IS-IS interface does not authenticate received Hello packets and no authentication password is configured on the interface.

    NOTE:
    Use the send-only parameter according to network requirements:
    • If the send-only parameter is specified, the device only encapsulates the Hello packets to be sent with authentication information rather than checks whether the received Hello packets pass the authentication. When the Hello packets do not need to be authenticated on the local device and pass the authentication on the remote device, the two devices can establish the neighbor relationship.

    • If the send-only parameter is not specified, ensure that passwords of all interfaces with the same level on the same network are the same.

    Parameters level-1 and level-2 apply only to the VLANIF interfaces on which IS-IS is enabled using the isis ipv6 enable command.

Translation
Download
Updated: 2019-10-18

Document ID: EDOC1000178324

Views: 235278

Downloads: 205

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next