
domain-authentication-mode

Function

The domain-authentication-mode command configures an IS-IS routing domain to authenticate received Level-2 packets using the specified authentication mode and password and adds authentication information to Level-2 packets to be sent.

The undo domain-authentication-mode command cancels the authentication of received Level-2 packets and stops adding authentication information to Level-2 packets to be sent.

By default, the system neither encapsulates generated Level-2 packets with authentication information nor authenticates received Level-2 packets.

Format

domain-authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

domain-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

undo domain-authentication-mode

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.

Parameters

Parameter, Description, Value (a hyphen in the Value position means that the parameter takes no value)

simple

Transmits the password in plain text.

NOTICE:

Simple authentication has potential risks. HMAC-SHA256 cipher text authentication is recommended.

-

plain plain-text

Specifies the authentication password in plain text. You can enter only the password in plain text. When you view the configuration file, the password is displayed in plain text.

NOTICE:

If plain is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

The value is a string of case-sensitive characters without spaces. The value contains digits and letters. When the authentication mode is simple, the value is a string of 1 to 16 characters. When the authentication mode is md5 or hmac-sha256, the value is a string of 1 to 255 characters.

cipher plain-cipher-text

Specifies the authentication password in cipher text. You can enter the password in plain or cipher text. When you view the configuration file, the password is displayed in cipher text. By default, the password is in cipher text.

The value is a string of case-sensitive characters without spaces. The value contains digits and letters. When the authentication mode is simple, the value is a string of 1 to 16 characters in plain text or a string of 32 or 48 characters in cipher text. When the authentication mode is md5 or hmac-sha256, the value is a string of 1 to 255 characters in plain text or a string of 20 to 392 characters in cipher text.

md5

Transmits the password protected with MD5 rather than in plain text.

NOTICE:

MD5 authentication has potential risks. HMAC-SHA256 cipher text authentication is recommended.

-

keychain keychain-name

Specifies a keychain whose keys change over time.

The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when the string is enclosed in double quotation marks ("), spaces are allowed in the string.

ip

Indicates the IP authentication password. When neither ip nor osi is specified, the default parameter osi is used.

-

osi

Indicates the OSI authentication password. When neither ip nor osi is specified, the default parameter osi is used.

-

snp-packet

Specifies how SNPs are handled by authentication; it must be followed by authentication-avoid or send-only.

-

authentication-avoid

Encapsulates generated LSPs but not SNPs with authentication information and authenticates received LSPs but not SNPs.

-

send-only

Encapsulates generated LSPs and SNPs with authentication information, and authenticates received LSPs but not SNPs.

-

all-send-only

Encapsulates generated LSPs and SNPs with authentication information, but does not authenticate received LSPs and SNPs.

-

hmac-sha256

Encapsulates generated packets with HMAC-SHA256 authentication information, in which the password is processed by the HMAC-SHA256 algorithm, and authenticates received packets.

-

key-id key-id

Indicates the key ID used by the HMAC-SHA256 algorithm.

It is an integer ranging from 0 to 65535.

Views

IS-IS view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, IS-IS packets to be sent are not encapsulated with authentication information, and received packets are not authenticated. If a user sends malicious packets to attack the network, information on the entire network may be stolen. You can therefore configure IS-IS authentication to improve network security.

The domain authentication password is encapsulated into Level-2 IS-IS packets, and only packets that pass domain authentication are accepted. You can therefore configure IS-IS domain authentication to authenticate the Level-2 area.

Precautions

This command is valid in all the topologies in the specified IS-IS process and is only valid for Level-2 or Level-1-2 routers.

With this command, all Level-2 packets whose domain authentication password does not match the one configured here are discarded. At the same time, IS-IS adds the configured domain authentication password to all Level-2 packets carrying routing information that are sent from the local node.

Authentication takes effect on interfaces configured with the password. An interface without the password can still receive LSPs and SNPs that carry a password.

Example

# Set the domain authentication mode to HMAC-SHA256, authentication password to admin@huawei, and key ID to 33 to authenticate Level-2 packets.

<HUAWEI> system-view
[HUAWEI] isis 1
[HUAWEI-isis-1] domain-authentication-mode hmac-sha256 key-id 33 cipher admin@huawei 
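As an added illustration (not Huawei's implementation), the Python model below shows what the hmac-sha256 / key-id form of this command commits a Level-2 router to on both sides: the sender appends a key-id plus HMAC-SHA256 digest, and the receiver looks the key up by key-id, recomputes the digest, and discards a packet on any mismatch, while the snp-packet and all-send-only options decide which received PDU kinds are verified at all. It assumes the RFC 5310 Authentication TLV layout (type 10, authentication type 3, Apad fill) as the last TLV of a PDU whose checksum and lifetime fields are already zeroed; the key ID 33 and password admin@huawei from the example above are used only as test values.

```python
"""Model of IS-IS HMAC-SHA256 domain authentication with a key ID (added example,
not Huawei's code). Assumptions: the RFC 5310 Authentication TLV (type 10, auth
type 3, 2-byte key-id, 32-byte digest over the PDU with the digest field holding
Apad) is the last TLV of the PDU, and LSP checksum/lifetime are already zeroed."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

AUTH_TLV_TYPE = 10     # IS-IS Authentication TLV
AUTH_TYPE_CRYPTO = 3   # RFC 5310 generic cryptographic authentication
APAD = bytes.fromhex("878FE1F3") * 8  # 32-byte fill used while hashing
TLV_LEN = 1 + 2 + 32   # auth type + key-id + SHA-256 digest

def build_auth_tlv(pdu_body: bytes, key_id: int, key: bytes) -> bytes:
    """Return the Authentication TLV to append to pdu_body (sender side)."""
    header = struct.pack("!BBBH", AUTH_TLV_TYPE, TLV_LEN, AUTH_TYPE_CRYPTO, key_id)
    digest = hmac.new(key, pdu_body + header + APAD, hashlib.sha256).digest()
    return header + digest

def verify_auth_tlv(pdu: bytes, keys: Dict[int, bytes]) -> bool:
    """Receiver side: check the trailing TLV against the key configured per key-id."""
    if len(pdu) < 2 + TLV_LEN:
        return False
    body, tlv = pdu[:-(2 + TLV_LEN)], pdu[-(2 + TLV_LEN):]
    tlv_type, tlv_len, auth_type, key_id = struct.unpack("!BBBH", tlv[:5])
    if (tlv_type, tlv_len, auth_type) != (AUTH_TLV_TYPE, TLV_LEN, AUTH_TYPE_CRYPTO):
        return False
    key = keys.get(key_id)
    if key is None:  # key-id not configured locally: discard
        return False
    expected = hmac.new(key, body + tlv[:5] + APAD, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tlv[5:])  # constant-time compare

def authenticates_received(pdu_kind: str, option: Optional[str]) -> bool:
    """Whether a received 'lsp' or 'snp' is verified at all under the trailing
    option: None, 'authentication-avoid', 'send-only' or 'all-send-only'."""
    if option == "all-send-only":
        return False            # received LSPs and SNPs are not authenticated
    if pdu_kind == "snp":
        return option is None   # both snp-packet options leave received SNPs unchecked
    return True                 # received LSPs are verified in every other case

def accept_pdu(pdu_kind: str, pdu: bytes, option: Optional[str],
               keys: Dict[int, bytes]) -> bool:
    """Receive-side decision: unchecked kinds pass; the rest must verify."""
    return (not authenticates_received(pdu_kind, option)) or verify_auth_tlv(pdu, keys)
```

Note that under send-only or authentication-avoid a forged SNP is accepted without any check, which is why the page recommends the default (verify both) unless a migration requires otherwise.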
Copyright © Huawei Technologies Co., Ltd.