Enhancing IS-IS network security, Configuration prerequisites, Configuring neighbor relationship authentication – H3C Technologies H3C SR8800 User Manual

NOTE:
With this feature enabled, the router delivers information about neighbor state changes to the terminal for
display.
Enhancing IS-IS network security
To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS authentication
involves neighbor relationship authentication, area authentication and routing domain authentication.
Configuration prerequisites
Before this configuration, complete the following tasks:
• Configure IP addresses for interfaces, and make sure that all neighboring nodes are reachable to
  each other at the network layer.
• Enable IS-IS.
Configuring neighbor relationship authentication
With neighbor relationship authentication configured, an interface inserts the password, in the
specified mode, into the hello packets it sends to the peer and checks the password in the hello
packets it receives. If the authentication succeeds, it forms the neighbor relationship with the peer.
The authentication mode and password at both ends must be identical.
To configure neighbor relationship authentication:
Step                           Command                                      Remarks
1. Enter system view.          system-view                                  N/A
2. Enter interface view.       interface interface-type interface-number    N/A
3. Specify the authentication  isis authentication-mode { md5 | simple }    By default, no authentication
   mode and password.          password [ level-1 | level-2 ] [ ip | osi ]  is configured.
NOTE:
• The level-1 and level-2 keywords are configurable on an interface that has IS-IS enabled with the isis
  enable command.
• If you configure an authentication mode and a password without specifying a level, the authentication
  mode and password apply to both Level-1 and Level-2.
• If neither ip nor osi is specified, the OSI-related fields in LSPs are checked.
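A configuration audit for the rules above, as an added example that is not part of the H3C manual: it reports IS-IS interfaces that have no authentication or use simple mode (which carries the password in cleartext in the packet) and compares the two ends of a link. Assumptions: the configuration text contains lines in the command syntax shown in the table, each interface runs both levels, and the interface names and passwords are constructed samples.

```python
import re

# Page syntax: isis authentication-mode { md5 | simple } password [ level-1 | level-2 ] [ ip | osi ]
AUTH_RE = re.compile(r"^isis authentication-mode (md5|simple) (\S+)"
                     r"(?: (level-1|level-2))?(?: (ip|osi))?$")
LEVELS = ("level-1", "level-2")

def parse_interfaces(config_text):
    """Map interface name -> {"isis": bool, "auth": {level: (mode, password)}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line[len("interface "):]
            current = interfaces.setdefault(name, {"isis": False, "auth": {}})
        elif current is not None and line.startswith("isis enable"):
            current["isis"] = True
        elif current is not None and (m := AUTH_RE.match(line)):
            mode, password, level, _ = m.groups()
            # No level keyword: the setting applies to both Level-1 and Level-2.
            for lvl in ([level] if level else LEVELS):
                current["auth"][lvl] = (mode, password)
    return interfaces

def audit(config_text):
    """Return (interface, level, mode) for every level not protected by md5."""
    findings = []
    for name, info in parse_interfaces(config_text).items():
        for lvl in LEVELS if info["isis"] else ():
            mode = info["auth"].get(lvl, ("none",))[0]
            if mode != "md5":
                findings.append((name, lvl, mode))
    return findings

def link_mismatch(cfg_a, if_a, cfg_b, if_b):
    """Levels where the two ends of a link differ in mode or password."""
    a = parse_interfaces(cfg_a)[if_a]["auth"]
    b = parse_interfaces(cfg_b)[if_b]["auth"]
    return [lvl for lvl in LEVELS if a.get(lvl) != b.get(lvl)]

# Constructed sample configurations (interface names and keys are made up).
ROUTER_A = """interface GigabitEthernet1/0/1
 isis enable
 isis authentication-mode md5 EXAMPLE-KEY-1
interface GigabitEthernet1/0/2
 isis enable
 isis authentication-mode simple EXAMPLE-KEY-2 level-1
"""
ROUTER_B = """interface GigabitEthernet2/0/1
 isis enable
 isis authentication-mode md5 EXAMPLE-KEY-9
"""
```

A non-empty result from link_mismatch means the neighbor relationship will not form at the listed levels, because the mode and password must be identical at both ends.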
Configuring area authentication
Area authentication prevents a router from installing routing information from untrusted routers
into the Level-1 LSDB. The router encapsulates the authentication password in the specified mode into
Level-1 packets (LSP, CSNP, PSNP) and checks the password in received Level-1 packets.
Routers in a common area must have the same authentication mode and password.
To configure area authentication: