The domain-authentication-mode command enables an IS-IS router in a domain to authenticate received Level-2 LSPs and SNPs using the specified authentication mode and password.
The undo domain-authentication-mode command disables an IS-IS router from authenticating received Level-2 LSPs and SNPs.
It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.
By default, the system neither encapsulates the originated Level-2 LSPs and SNPs with authentication information nor authenticates received Level-2 LSPs and SNPs. Configuring authentication is recommended to ensure system security.
domain-authentication-mode { simple { plain simple-plain | [ cipher ] simple-cipher } | md5 { plain plain | [ cipher ] cipher } } [ ip | osi ] [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
domain-authentication-mode keychain keychain-name [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
domain-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ [ snp-packet { send-only | authentication-avoid } ] | all-send-only ]
undo domain-authentication-mode
| Parameter | Description | Value |
|---|---|---|
| simple | Indicates simple authentication. For security purposes, you are advised to configure the password in ciphertext mode. To further improve device security, change the password periodically. | - |
| plain | Indicates the simple text mode. Only simple text can be entered, and the password is displayed in the configuration file as simple text. Simple authentication uses simple text by default. NOTICE: When configuring an authentication password, select the ciphertext mode: if you select the simple text mode, the password is saved in the configuration file as simple text, which is a high risk. To ensure device security, change the password periodically. | - |
| simple-plain | Specifies a simple-text password. | The value is a string of case-sensitive characters, which can be letters or digits. When the authentication mode is simple, the value is a string of 1 to 16 characters. When the authentication mode is md5 or hmac-sha256, the value is a string of 1 to 255 characters. The value cannot contain question marks (?) or spaces. However, when the password is enclosed in double quotation marks, spaces are allowed, and the double quotation marks at both ends are then part of the password. |
| cipher | Indicates that the password is in ciphertext mode. You can enter either cleartext or ciphertext. When you view the configuration file, the password is displayed in ciphertext. The ciphertext mode is used by default. | - |
| cipher simple-cipher | Indicates the ciphertext mode. Either simple text or ciphertext can be entered. The password is displayed in the configuration file as ciphertext. MD5 authentication uses ciphertext by default. | The value is a string of case-sensitive characters, which can be letters or digits. |
| simple-cipher | Specifies a simple-text or ciphertext password. A ciphertext password is a character string that is encrypted using a special algorithm. Ciphertext is used for configuration restoration; the parameter value must be the same as the ciphertext in the configuration file. | The value is a string of case-sensitive characters, which can be letters or digits. |
| md5 | Indicates that the password is transmitted after being encrypted using HMAC-MD5. For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended. | - |
| ip | Indicates the IP authentication password. This parameter cannot be configured when keychain authentication is used. | - |
| osi | Indicates the OSI authentication password. This parameter cannot be configured when keychain authentication is used. | - |
| snp-packet | Authenticates SNPs. | - |
| send-only | Encapsulates generated LSPs and SNPs with authentication information and authenticates received LSPs but not received SNPs. | - |
| authentication-avoid | Neither encapsulates generated SNPs with authentication information nor authenticates received SNPs. Only generated LSPs are encapsulated with authentication information, and only received LSPs are authenticated. | - |
| all-send-only | Encapsulates authentication information in generated LSPs and SNPs but does not check the authentication information in received LSPs or SNPs. | - |
| keychain keychain-name | Specifies a keychain whose keys change with time. Before configuring this parameter, run the keychain command to create a keychain. Then run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain; otherwise, authentication fails. Keychain authentication supports only the HMAC-MD5 and HMAC-SHA256 algorithms; using any other algorithm may lead to an authentication failure. If the keychain that this command depends on is deleted, the neighbor relationship may be interrupted, so exercise caution when deleting the keychain. | The value is a string of 1 to 47 case-sensitive characters. A password cannot contain a question mark (?), but can contain spaces if enclosed in double quotation marks (""). In this case, the double quotation marks are part of the password. |
| hmac-sha256 | Encapsulates generated packets with HMAC-SHA256 authentication information, using a password protected with the HMAC-SHA256 algorithm, and authenticates received packets. | - |
| key-id key-id | Specifies a key ID for authentication, which must be the same as the one configured at the other end. | The value is an integer that ranges from 0 to 65535. |
Usage Scenario
To ensure network security, you can enable a router to authenticate received packets based on the pre-defined authentication mode or add authentication information to the packets to be sent. Only the packets that are authenticated can be forwarded on the network.
The domain-authentication-mode command enables the local node to discard all the Level-2 LSPs and SNPs with area authentication passwords that are different from the one set using this command. You can also add area authentication passwords to all the Level-2 LSPs and SNPs sent by this node. The domain-authentication-mode command is valid for all topologies in an IS-IS process but only on Level-2 or Level-1-2 routers.
Configuration Impact
After the domain-authentication-mode command is run, newly received Level-2 LSPs and SNPs that fail to be authenticated are discarded. All Level-2 LSPs that fail to be authenticated in the local LSDB are not discarded until they age out. If authentication packets are lost, routes may be incorrectly calculated. As a result, routing loops occur and services are affected. To prevent packet loss before authentication is configured on the peer end, you can specify the send-only parameter when configuring authentication on the network running services.
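The following Python model, added here as an illustration and not part of the product documentation or the device implementation, shows what the snp-packet and all-send-only options change: which Level-2 PDUs carry authentication information on send, and which are checked and possibly discarded on receipt. It uses HMAC-SHA256 with a constructed key-id-to-password table standing in for the keychain, and a simplified PDU tuple rather than the real IS-IS TLV encoding.

```python
import hashlib
import hmac

# Send/check policy per option on the page. "default" means neither
# snp-packet nor all-send-only was given: both LSPs and SNPs are protected
# on send and verified on receipt.
POLICIES = {
    "default": {"send": {"LSP", "SNP"}, "check": {"LSP", "SNP"}},
    "snp-packet send-only": {"send": {"LSP", "SNP"}, "check": {"LSP"}},
    "snp-packet authentication-avoid": {"send": {"LSP"}, "check": {"LSP"}},
    "all-send-only": {"send": {"LSP", "SNP"}, "check": set()},
}

# Constructed stand-in for the keychain: key-id -> password (not real data).
KEYCHAIN = {7: b"constructed-example-password"}


def digest(key_id, payload):
    """HMAC-SHA256 over the PDU payload with the key selected by key-id."""
    return hmac.new(KEYCHAIN[key_id], payload, hashlib.sha256).digest()


def build_pdu(policy, pdu_type, payload, key_id):
    """Return (type, payload, auth); auth is (key_id, mac) or None."""
    if pdu_type in POLICIES[policy]["send"]:
        return (pdu_type, payload, (key_id, digest(key_id, payload)))
    return (pdu_type, payload, None)


def accept_pdu(policy, pdu):
    """True if the receiver keeps the Level-2 PDU, False if it discards it."""
    pdu_type, payload, auth = pdu
    if pdu_type not in POLICIES[policy]["check"]:
        return True  # not verified under this policy, e.g. SNP with send-only
    if auth is None:
        return False  # authentication expected but absent
    key_id, mac = auth
    if key_id not in KEYCHAIN:
        return False  # key-id does not match any key configured locally
    return hmac.compare_digest(mac, digest(key_id, payload))


def staged_rollout_ok():
    """Local side on all-send-only still accepts the peer's unauthenticated
    PDUs, which is the interim state the page recommends during rollout."""
    peer_lsp = build_pdu("default", "LSP", b"constructed-lsp", 7)
    unauth = ("LSP", b"constructed-lsp", None)
    return accept_pdu("all-send-only", unauth) and accept_pdu("default", peer_lsp)
```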
Precautions
If the password is set, but neither ip nor osi is specified, the system defaults it as osi.
When a keychain password is used, the parameter ip or osi cannot be configured. The authentication takes effect only on the interface where the command is run, but other interfaces can still receive the LSPs carrying the password.