Thanks for the link, very nice summary. To authenticate all 5 PDU types you will need the interface commands to authenticate hellos and then either the old style area/domain-password with the snp option or the new style with a key-chain. PSNP and CSNP are not authenticated with the old style unless you add the "authenticate snp" option.
On Wed, Jul 1, 2009 at 1:09 AM, backbone systems <[email protected]> wrote:
> check this link....it helped me understand ISIS authentication...
>
> http://www.debugall.co.uk/2008/12/13/isis-security/
>
> On Wed, Jul 1, 2009 at 9:29 AM, Rin <[email protected]> wrote:
> > Hi group,
> >
> > Two questions regarding ISIS authentication:
> >
> > 1. If the question asks to authenticate 5 ISIS PDU types (LAN Hello,
> > point-to-point Hello, LSP, CSNP, PSNP), should I configure authentication
> > under interface mode or routing process mode? The documentation states
> > "The interface-related PDUs (LAN Hello, Point-to-Point Hello, CSNP, and
> > PSNP) can be enabled with authentication on different interfaces, with
> > different levels and different passwords." --> this means enabling
> > authentication on the interface will not authenticate LSP messages. So I
> > reckon to authenticate all 5 PDU types, I must configure under routing
> > process mode like:
> >
> >   router isis
> >    authentication mode md5
> >    authentication key-chain ISIS
> >
> > 2. When using old-style to configure the ISIS domain password, should I
> > add the keyword authenticate snp so that CSNP & PSNP are authenticated?
> > I don't really understand this statement from the documentation: "This
> > password is inserted in Level 2 PDU link-state PDUs (LSPs), complete
> > sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs).
> > If you specify the authenticate snp keyword along with either the
> > validate or send-only keyword, the IS-IS routing protocol will insert
> > the password into sequence number PDUs (SNPs)"
> >
> > Thanks
> >
> > Rin
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

--
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
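
The two ways of covering all five PDU types described in the reply above, written out as an added IOS configuration example that is not part of the original thread. The key chain name ISIS comes from the question; the interface name, key-string and passwords are constructed placeholders. Configure one option or the other, not both.

```cisco
! Added example. Constructed values: interface name, key-string, passwords.
!
! --- Option A: new style (key chain, HMAC-MD5) ---
key chain ISIS
 key 1
  key-string EXAMPLE-KEY
!
router isis
 ! Process level: authenticates LSPs, CSNPs and PSNPs
 authentication mode md5
 authentication key-chain ISIS
!
interface GigabitEthernet0/0
 ip router isis
 ! Interface level: authenticates the Hellos (LAN or point-to-point)
 isis authentication mode md5
 isis authentication key-chain ISIS
!
!
! --- Option B: old style (passwords carried in clear text in the PDUs) ---
router isis
 ! Level 1: LSPs always carry the password; CSNPs and PSNPs carry it
 ! only because "authenticate snp" is present.
 !   validate  = insert the password and check it on received SNPs
 !   send-only = insert the password but do not check received SNPs
 area-password EXAMPLE-AREA-PW authenticate snp validate
 ! Level 2: same behaviour for the domain password
 domain-password EXAMPLE-DOMAIN-PW authenticate snp validate
!
interface GigabitEthernet0/0
 ip router isis
 ! Interface level: authenticates the Hellos, per level
 isis password EXAMPLE-HELLO-PW level-1
 isis password EXAMPLE-HELLO-PW level-2
```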
