Thanks for the link, very nice summary. To authenticate all 5 PDU types you
will need the interface commands to authenticate hellos and then either the
old style area/domain-password with the snp option or the new style with a
key-chain. PSNP and CSNP are not authenticated with the old style unless you
add the "authenticate snp" option.
On Wed, Jul 1, 2009 at 1:09 AM, backbone systems <backbone.systems_at_gmail.com> wrote:
> check this link....it helped me understand ISIS authentication...
>
> http://www.debugall.co.uk/2008/12/13/isis-security/
>
>
>
> On Wed, Jul 1, 2009 at 9:29 AM, Rin<rintrum_at_gmail.com> wrote:
> > Hi group,
> >
> >
> >
> > Two questions regarding ISIS authentication:
> >
> > 1. If the question asks to authenticate 5 ISIS PDU types (LAN Hello,
> > point-to-point Hello, LSP, CSNP, PSNP), should I configure authentication
> > under interface mode or routing process mode? The documentation states
> > "The interface-related PDUs (LAN Hello, Point-to-Point Hello, CSNP, and
> > PSNP) can be enabled with authentication on different interfaces, with
> > different levels and different passwords." --> this means enabling
> > authentication on an interface will not authenticate LSP messages. So I
> > reckon to authenticate all 5 PDU types, I must configure under routing
> > process mode like:
> >
> > router isis
> >  authentication mode md5
> >  authentication key-chain ISIS
> >
> > 2. When using old-style to configure ISIS domain password, should I add
> > the keyword authenticate snp so that CSNP & PSNP are authenticated? I
> > don't really understand this statement from the documentation: "This
> > password is inserted in Level 2 PDU link-state PDUs (LSPs), complete
> > sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs).
> > If you specify the authenticate snp keyword along with either the
> > validate or send-only keyword, the IS-IS routing protocol will insert
> > the password into sequence number PDUs (SNPs)"
> >
> > Thanks
> >
> > Rin
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
--
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

Received on Wed Jul 01 2009 - 09:02:02 ART
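An added example, not part of the thread: a Python check that reads an IOS-style config and reports which IS-IS PDU types are left unauthenticated, following the reply at the top of this message (interface commands for hellos; key-chain or area/domain-password with the snp option for LSPs and SNPs). The sample config, interface names and password are constructed, and per-level (level-1/level-2) options are not evaluated.

```python
import re

# Constructed sample (not from the thread): one IS-IS interface without hello
# authentication, and an old-style domain password without "authenticate snp".
SAMPLE = """\
interface Serial0/0
 ip router isis
 isis authentication mode md5
 isis authentication key-chain ISIS
interface FastEthernet0/1
 ip router isis
router isis
 domain-password EXAMPLE-PW
"""

def sections(config):
    """Map each top-level config line to the indented commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def has(body, *prefixes):
    """True if every prefix starts at least one command in the section."""
    return all(any(c.startswith(p) for c in body) for p in prefixes)

def audit(config):
    """List gaps: hellos are checked per interface, LSP/SNP under router isis."""
    findings = []
    for header, body in sections(config).items():
        if header.startswith("interface ") and has(body, "ip router isis"):
            if not (has(body, "isis authentication mode", "isis authentication key-chain")
                    or has(body, "isis password ")):
                findings.append(f"{header}: hellos not authenticated")
        elif header.startswith("router isis"):
            if has(body, "authentication mode", "authentication key-chain"):
                continue  # new style: LSP, CSNP and PSNP are covered
            old = [c for c in body if re.match(r"(area|domain)-password ", c)]
            if not old:
                findings.append(f"{header}: LSP, CSNP, PSNP not authenticated")
            for c in old:  # old style needs the snp option for CSNP/PSNP
                if "authenticate snp" not in c:
                    findings.append(f"{header}: {c.split()[0]} lacks 'authenticate snp'")
    return findings
```

Calling `audit(SAMPLE)` returns one finding for FastEthernet0/1 and one for the domain password; a config that follows the reply returns an empty list.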
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:21 ART