147
Enhancing IS-IS network security
To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS authentication
involves neighbor relationship authentication, area authentication, and routing domain authentication.
Configuration prerequisites
Before the configuration, complete the following tasks:
• Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
• Enable IS-IS.
Configuring neighbor relationship authentication
With neighbor relationship authentication configured, an interface adds the password in the specified
mode into hello packets to the peer and checks the password in the received hello packets. If the
authentication succeeds, it forms the neighbor relationship with the peer.
The authentication mode and password at both ends must be identical.
To configure neighbor relationship authentication:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type interface-number
N/A
3. Specify the authentication
mode and password.
isis authentication-mode { md5 | simple }
{ cipher cipher-string | plain plain-string }
[ level-1 | level-2 ] [ ip | osi ]
By default, no authentication
is configured.
Configuring area authentication
Area authentication prevents the router from installing routing information from untrusted routers into the
Level-1 LSDB. The router encapsulates the authentication password in the specified mode in Level-1
packets (LSP, CSNP, and PSNP) and checks the password in received Level-1 packets.
Routers in a common area must have the same authentication mode and password.
To configure area authentication:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter IS-IS view.
isis [ process-id ] [ vpn-instance
vpn-instance-name ]
N/A
3. Specify the area
authentication mode and
password.
area-authentication-mode { md5 |
simple } { cipher cipher-string | plain
plain-string } [ ip | osi ]
By default, no area authentication
is configured.
To Next Page
Loading...
Need help?
General