155
Enhancing IS-IS network security
To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS authentication
involves neighbor relationship authentication, area authentication and routing domain authentication.
Configuration prerequisites
Before you enhance IS-IS network security, complete the following tasks:
• Configure IP addresses for interfaces, and make sure that all neighboring nodes can reach each
other at the network layer.
• Enable IS-IS.
Configuring neighbor relationship authentication
With neighbor relationship authentication configured, an interface adds the password in the specified
mode into hello packets to the peer and checks the password in the received hello packets. If the
authentication succeeds, it forms the neighbor relationship with the peer.
Follow these guidelines when you configure neighbor relationship authentication:
• The authentication mode and password at both ends must be identical.
• The level-1 and level-2 keywords are configurable on an interface that has IS-IS enabled.
• If you configure an authentication mode and a password without specifying a level, the
authentication mode and password apply to both Level-1 and Level-2.
• If neither ip nor osi is specified, the OSI related fields in LSPs are checked.
To configure neighbor relationship authentication:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type interface-number
N/A
3. Specify the authentication
mode and password.
isis authentication-mode { md5 | simple }
[ cipher ] password [ level-1 | level-2 ]
[ ip | osi ]
By default, no authentication
is configured.
Configuring area authentication
Area authentication enables a router not to install routing information from untrusted routers into the
Level-1 LSDB. The router encapsulates the authentication password in the specified mode into Level-1
packets (LSP, CSNP, and PSNP) and checks the password in received Level-1 packets.
Routers in a common area must have the same authentication mode and password.
To configure area authentication:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter IS-IS view.
isis [ process-id ] [ vpn-instance
vpn-instance-name ]
N/A
To Next Page
Loading...
Need help?
General
