The domain-authentication-mode command configures an IS-IS routing domain to authenticate received Level-2 packets according to the configured mode and password, and to add authentication information to the Level-2 packets it generates.
The undo domain-authentication-mode command configures IS-IS to stop authenticating received Level-2 packets and removes the authentication information from the IS-IS packets it generates.
By default, the system neither adds authentication information to the generated Level-2 packets carrying routing information nor authenticates received Level-2 packets. Configuring authentication is recommended to ensure system security.
domain-authentication-mode { simple { plain explicit-text | [ cipher ] explicit-cipher-text } | md5 { [ cipher ] explicit-cipher-text | plain explicit-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
domain-authentication-mode hmac-sha256 key-id key-id { plain explicit-text | [ cipher ] explicit-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
undo domain-authentication-mode
| Parameter | Description | Value |
|---|---|---|
| simple | Specifies that the password is transmitted in plain text. | - |
| plain | Indicates the password in explicit text. Only an explicit-text password can be entered. The password is displayed in explicit text in the configuration file. NOTICE: When configuring an authentication password, select the ciphertext mode, because in plaintext mode the password is saved in the configuration file in plaintext, which is a high risk. To ensure device security, change the password periodically. | - |
| explicit-text | Specifies the authentication password in explicit text. | The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters. |
| cipher | Indicates the password in ciphertext. Either an explicit-text password or a ciphertext password can be entered. The password is displayed in ciphertext in the configuration file. IS-IS authentication uses ciphertext by default. | - |
| explicit-cipher-text | Specifies the authentication password in explicit text or ciphertext. A ciphertext password is a character string encrypted using a special algorithm. A ciphertext password is used for configuration restoration; its value must be the same as the ciphertext password in the configuration file. | The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters in explicit text, or a string of 32 or 48 characters in ciphertext. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in explicit text, or a string of 20 to 392 characters in ciphertext. |
| md5 | Specifies that the password is transmitted encrypted by MD5. | - |
| keychain keychain-name | Specifies the keychain that changes with time. | The name is a string of 1 to 47 characters. It is case-insensitive. |
| ip | Indicates the IP authentication password. | - |
| osi | Indicates the OSI authentication password. | - |
| snp-packet | Authenticates SNP packets. | - |
| authentication-avoid | Neither adds authentication information to generated SNP packets nor authenticates received SNP packets. Only generated LSP packets carry authentication information, and only received LSP packets are authenticated. | - |
| send-only | Adds authentication information to generated LSP and SNP packets, and authenticates received LSP packets but not received SNP packets. | - |
| all-send-only | Adds authentication information to generated LSP and SNP packets but does not check the authentication information carried in received LSP or SNP packets. | - |
| hmac-sha256 | Adds HMAC-SHA256 authentication information, with a password encrypted by the HMAC-SHA256 algorithm, to generated packets and authenticates received packets. | - |
| key-id key-id | Indicates the key ID of the HMAC-SHA256 algorithm. | It is an integer ranging from 0 to 65535. |
The domain-authentication-mode command is valid only on Level-2 or Level-1-2 routers.
After this command is run, IS-IS discards all received Level-2 packets whose domain authentication password does not match the one configured by this command. At the same time, IS-IS adds the configured domain authentication password to all Level-2 packets carrying routing information that the local node sends.
If a password is set but neither ip nor osi is specified, the system uses osi by default.
Authentication takes effect on the interface on which the password is configured. An interface without the password can still receive LSPs and SNPs that carry a password.
Select the ip or osi authentication password according to the actual network environment.
If hmac-sha256 is specified, a packet passes authentication only when the key-id and password it carries are the same as those configured on the remote end.
After the domain-authentication-mode command is run, IS-IS does not process Level-2 LSPs in the local LSDB that fail authentication, or newly received Level-2 LSPs and SNPs that fail authentication, but discards them after they age.
The characters %#%# are used as the prefix and suffix of existing passwords of variable length. Therefore, %#%# cannot appear at both the beginning and the end of an explicit-text password.
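The following is an added model, not Huawei's code, of the receive-side and send-side decisions this page describes: which Level-2 PDU types are checked or signed under the snp-packet authentication-avoid, send-only and all-send-only options, and the rule that an hmac-sha256 packet is accepted only when both its key-id and its password match. The digest layout (HMAC-SHA256 keyed with the password over the key-id and the PDU body) and the PDU bytes are constructed assumptions; the page does not specify the wire format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SNP_TYPES = ("CSNP", "PSNP")


@dataclass(frozen=True)
class DomainAuth:
    """Constructed model of 'domain-authentication-mode hmac-sha256 key-id ...'."""
    key_id: int                      # key-id key-id, 0..65535
    password: bytes                  # explicit-text password
    snp_option: Optional[str] = None  # None, "authentication-avoid", "send-only", "all-send-only"


def adds_auth_on_send(cfg: DomainAuth, pdu_type: str) -> bool:
    """Is authentication information added to a generated Level-2 PDU of this type?"""
    # authentication-avoid is the only option that leaves generated SNPs unauthenticated.
    return not (pdu_type in SNP_TYPES and cfg.snp_option == "authentication-avoid")


def must_verify(cfg: DomainAuth, pdu_type: str) -> bool:
    """Is a received Level-2 PDU of this type checked against the configured password?"""
    if cfg.snp_option == "all-send-only":
        return False                              # nothing received is checked
    if cfg.snp_option in ("authentication-avoid", "send-only"):
        return pdu_type not in SNP_TYPES          # LSPs checked, SNPs skipped
    return True                                   # default: LSPs and SNPs both checked


def digest(password: bytes, key_id: int, body: bytes) -> bytes:
    # Assumed digest layout: HMAC-SHA256(password, key-id || PDU body).
    return hmac.new(password, key_id.to_bytes(2, "big") + body, hashlib.sha256).digest()


def accept(cfg: DomainAuth, pdu_type: str, body: bytes, rx_key_id: int, rx_digest: bytes) -> bool:
    """Decide whether a received PDU carrying (rx_key_id, rx_digest) is accepted."""
    if not must_verify(cfg, pdu_type):
        return True
    if rx_key_id != cfg.key_id:                   # key-id mismatch fails before any digest work
        return False
    expected = digest(cfg.password, cfg.key_id, body)
    return hmac.compare_digest(expected, rx_digest)   # constant-time password check
```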