The area-authentication-mode command enables an IS-IS device to authenticate received Level-1 packets (LSPs and SNPs) based on the pre-defined authentication mode and password and to add authentication information to the Level-1 packets to be sent.
The undo area-authentication-mode command disables the function.
It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.
By default, the system neither encapsulates the generated Level-1 routing packets with authentication information nor authenticates received Level-1 routing packets. Configuring area authentication is recommended to ensure system security.
area-authentication-mode { simple { plain simple-plain | [ cipher ] simple-cipher } | md5 { plain plain | [ cipher ] cipher } } [ ip | osi ] [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
area-authentication-mode keychain keychain-name [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
area-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
undo area-authentication-mode
Parameter | Description | Value |
---|---|---|
simple | Indicates simple authentication. For security purposes, you are advised to configure the password in ciphertext mode. To further improve device security, change the password periodically. | - |
plain | Indicates the simple text mode. Only simple text can be entered, and the password is displayed in the configuration file as simple text. Simple authentication uses the simple text mode by default. When configuring an authentication password, select the ciphertext mode: in simple text mode the password is saved in the configuration file as simple text, which is a high risk. To ensure device security, change the password periodically. | - |
plain | Specifies a cleartext password. | The value is a string of case-sensitive characters that can be letters or digits. In simple authentication, the value is a string of 1 to 16 characters. In MD5 authentication, the value is a string of 1 to 255 characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
simple-plain | Specifies a simple-text password. | The value is a string of case-sensitive characters that can be letters or digits. In simple authentication, the value is a string of 1 to 16 characters. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
cipher | Indicates the ciphertext mode. Either simple text or ciphertext can be entered, and the password is displayed in the configuration file as ciphertext. MD5 authentication uses the ciphertext mode by default. | - |
cipher simple-cipher | Indicates the ciphertext mode. Either simple text or ciphertext can be entered, and the password is displayed in the configuration file as ciphertext. MD5 authentication uses the ciphertext mode by default. A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration; the parameter value must be the same as the ciphertext in the configuration file. | The value is a string of case-sensitive characters that can be letters or digits. In simple authentication, the value is a string of 1 to 16 characters in simple text, or a string of 24 to 128 characters in ciphertext. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in simple text, or a string of 20 to 432 characters in ciphertext. A 24-character ciphertext password configured in an earlier version is also supported in this version. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
cipher | Specifies a ciphertext password. A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration; the parameter value must be the same as the ciphertext in the configuration file. | The value is a string of case-sensitive characters that can be letters or digits. When quotation marks are used around the string, spaces are allowed in the string. |
simple-cipher | Specifies a simple-text or ciphertext password. A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext is used for configuration restoration; the parameter value must be the same as the ciphertext in the configuration file. | The value is a string of case-sensitive characters that can be letters or digits. When quotation marks are used around the string, spaces are allowed in the string. A 24-character ciphertext password configured in an earlier version is also supported in this version. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
md5 | Indicates that the password is transmitted after being encrypted using HMAC-MD5. For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended. | - |
ip | Indicates the IP authentication password. This parameter is not specified in most cases. | - |
osi | Indicates the OSI authentication password. By default, the OSI authentication password is specified. | - |
snp-packet | Enables the device to authenticate SNPs. | - |
send-only | Enables the device to encapsulate the generated LSPs and SNPs with authentication information and to authenticate received LSPs, but not received SNPs. | - |
authentication-avoid | Prevents the device from encapsulating the generated SNPs with authentication information and from authenticating received SNPs. After this parameter is configured, the device encapsulates only the generated LSPs with authentication information and authenticates only received LSPs. | - |
all-send-only | Enables the device to encapsulate authentication information into the generated LSPs and SNPs, and prevents the device from checking the authentication information in received LSPs or SNPs. | - |
keychain keychain-name | Specifies a keychain that changes with time. Before configuring this parameter, run the keychain command to create a keychain, then run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for the keychain; otherwise, authentication fails. Keychain authentication supports only the HMAC-MD5 and HMAC-SHA256 algorithms, and using any other algorithm may cause an authentication failure. If the dependent keychain is deleted, the neighbor relationship may be interrupted, so exercise caution when deleting a keychain. | The value is a string of 1 to 47 characters. When quotation marks are used around the string, spaces are allowed in the string. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
hmac-sha256 | Enables the device to encapsulate generated packets with HMAC-SHA256 authentication information and a password encrypted using the HMAC-SHA256 algorithm, and to authenticate received packets. | - |
key-id key-id | Specifies a key ID for authentication, which must be the same as the one configured at the other end. | The value is an integer ranging from 0 to 65535. |
Usage Scenario
To ensure network security, you can enable a router to authenticate received packets based on the pre-defined authentication mode or add authentication information to the packets to be sent. Only the packets that are authenticated can be forwarded on the network.
The area-authentication-mode command is valid only on Level-1 or Level-1-2 routers, and it applies to all topologies in an IS-IS process.
Configuration Impact
After the area-authentication-mode command is run on the local device, the device discards newly received Level-1 LSP and SNP packets if these packets fail to be authenticated. However, the device does not discard the Level-1 LSP packets in the local LSDB immediately if they fail to be authenticated. Instead, the device waits for the LSP packets to be aged out. To prevent packet loss before the area-authentication-mode command is run on the IS-IS neighbor, specify the send-only parameter in the command on all the IS-IS devices.
Regardless of whether packets pass area authentication, Level-1 IS-IS neighbor relationships can be established.
Precautions
Area authentication takes effect only on the end that is configured with area authentication. The other end that is not configured with area authentication can still receive LSPs with authentication passwords.
Example
Configure HMAC-SHA256 area authentication with key ID 2 in IS-IS process 1.
<HUAWEI> system-view
[~HUAWEI] isis 1
[*HUAWEI-isis-1] area-authentication-mode hmac-sha256 key-id 2 Huawei-123
Configure keychain-based area authentication in IS-IS process 1 using the keychain named Huawei-123.
<HUAWEI> system-view
[~HUAWEI] isis 1
[*HUAWEI-isis-1] area-authentication-mode keychain Huawei-123
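As an added audit that is not part of this command reference, the following Python script checks the area-authentication-mode line of every IS-IS process in a saved Huawei configuration against the points made above: HMAC-SHA256 preferred over simple and MD5, cipher preferred over plain, all-send-only acceptable only during rollout, and no effect on a Level-2-only router. The sample configuration and the CIPHERTEXT_PLACEHOLDER value are constructed, and treating an absent is-level line as level-1-2 is an assumption.

```python
import re

# Constructed sample of Huawei IS-IS configuration (not from the page); the
# ciphertext is a labelled placeholder, not a real encrypted password.
SAMPLE_CONFIG = """\
isis 1
 is-level level-1-2
 area-authentication-mode simple plain Huawei-123
isis 2
 area-authentication-mode hmac-sha256 key-id 2 cipher CIPHERTEXT_PLACEHOLDER snp-packet send-only
isis 3
 is-level level-2
 area-authentication-mode md5 cipher CIPHERTEXT_PLACEHOLDER all-send-only
isis 4
"""

BLOCK = re.compile(r"^isis (\d+)\n((?: .*\n)*)", re.M)   # 'isis <id>' plus its indented lines

def audit_area_auth(config: str) -> dict:
    """Per-process findings on area-authentication-mode, following the rules on this page."""
    findings = {}
    for pid, raw in BLOCK.findall(config):
        body = [l.strip() for l in raw.splitlines()]
        notes = []
        # Assumption: an IS-IS process without an is-level line runs as level-1-2.
        level = next((l.split()[1] for l in body if l.startswith("is-level ")), "level-1-2")
        auth = next((l for l in body if l.startswith("area-authentication-mode ")), None)
        if level == "level-2":
            notes.append("Level-2-only router: area authentication covers Level-1 packets only")
        if auth is None:
            notes.append("no area authentication: Level-1 LSPs/SNPs are neither signed nor checked")
        else:
            tokens = auth.split()
            mode = tokens[1]
            if mode == "simple":
                notes.append("simple authentication carries the password in cleartext; use hmac-sha256")
            elif mode == "md5":
                notes.append("HMAC-MD5 in use; HMAC-SHA256 is recommended")
            elif mode == "hmac-sha256" and not 0 <= int(tokens[3]) <= 65535:
                notes.append(f"key-id {tokens[3]} is outside the allowed range 0-65535")
            # plain/cipher keyword follows the mode, or follows 'key-id <id>' for hmac-sha256
            if mode != "keychain" and tokens[4 if mode == "hmac-sha256" else 2] == "plain":
                notes.append("password stored in plaintext in the configuration file; use cipher")
            if "all-send-only" in tokens:
                notes.append("all-send-only: received LSPs and SNPs are not checked (rollout only)")
        findings[pid] = notes
    return findings
```

Run it over the output of display current-configuration to get one list of findings per IS-IS process; an empty list means the process matches the recommendations.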