Re: isis md5 authen

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Oct 11 2004 - 21:34:25 GMT-3


Thanks Ian for getting back to me.

A little earlier I discovered that the command, authentication send-only
level-2, was what was causing all the problems and confusion.

In the new feature documentation, all their examples show this command being
used although they didn't highlight that this command is optional and
essentially disables authentication.

However, if you dig deep enough they do mention that that command is for
migration scenarios.

Another important detail one has to be aware of is that with isis, md5
authentication can be configured for the router as a whole under the isis
routing process or under each interface.

Now, here's the kicker.

If authen is configured under the isis process, different isis packets are
authenticated than if isis authen is configured under the interface.

Under the interface, just isis hello packets are authenticated. When
configured under the routing process the other types of isis packets are
authenticated.

And, just to make things interesting, you're allowed to do some mixing and
matching, but I haven't spent enough time figuring what combos work and
which don't work.

So, thanks again for getting back to me.

Tim

----- Original Message -----
From: <istong@stong.org>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Monday, October 11, 2004 8:05 PM
Subject: Re: isis md5 authen

> Hmmm,
>
> well you should see that authentication is being used in the
> isis packets. Another way to check would be to configure
> one end without authentication and see if it neighbors and
> exchanges routes. I see you are doing send only so keep
> that in mind when troubleshooting.
>
>
> Ian
> www.ccie4u.com
> CCIE Labs and Rack Rentals
>
>
> > Hi guys,
> >
> > This is my isis config. This follows the example shown in
> > the documentation. However, the solution shows
> > authentication configured on the interface.
> >
> > key chain AUTH
> >  key 1
> >   key-string Cisco
> >
> > router isis
> >  net 33.0000.0003.0003.0005.00
> >  authentication mode md5
> >  authentication key-chain AUTH
> >  authentication send-only level-2
> >
> > I have a similar config on all neighboring routers.
> > Everything seems to be working fine. But, I've tried to
> > verify that authentication is actually taking place using
> > debug isis authen info, debug isis adjacency and various
> > show commands, but nothing proves to me that authen is
> > actually being used.
> >
> > BTW, all neighbors are correctly established.
> >
> > How can I verify that isis authen is being used?
> >
> > Thanks, Tim
> >
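
An added example, not part of the original thread or of the vendor documentation it mentions: a small Python audit that reads an IOS-style configuration and reports, per level, whether IS-IS authentication is enforced, left in send-only, or absent, keeping interface-level settings (hellos) apart from process-level settings (the other IS-IS packets) as the reply above describes. The sample configuration and the names `SAMPLE`, `CMD` and `audit` are constructed for illustration, and the interface-level command forms (`isis authentication ...`) are assumed from Cisco IOS syntax rather than taken from the thread.

```python
import re

# Constructed sample configuration (not taken from the routers in the thread).
SAMPLE = """\
interface Serial0/0
 ip router isis
 isis authentication mode md5
 isis authentication key-chain AUTH
!
router isis
 net 33.0000.0003.0003.0005.00
 authentication mode md5
 authentication key-chain AUTH
 authentication send-only level-2
"""

CMD = re.compile(r"^(?:isis )?authentication (mode md5|key-chain \S+|send-only)(?: level-([12]))?$")

def audit(config):
    """Map (section, level, packet scope) -> 'enforced' | 'send-only' | 'none'."""
    state, section = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # an unindented line opens a new section
            section = line if line.startswith(("interface ", "router isis")) else None
            if section:
                state[section] = {lvl: set() for lvl in "12"}
            continue
        m = CMD.match(line)
        # Interface commands carry the "isis " prefix; routing-process commands do not.
        if not (section and m) or line.startswith("isis ") != section.startswith("interface "):
            continue
        for lvl in m.group(2) or "12":        # no level keyword: applies to both levels
            state[section][lvl].add(m.group(1).split()[0])
    report = {}
    for section, levels in state.items():
        pdus = "hellos" if section.startswith("interface ") else "other IS-IS packets"
        for lvl, seen in levels.items():
            if "send-only" in seen:           # migration setting: received packets not checked
                verdict = "send-only"
            elif {"mode", "key-chain"} <= seen:
                verdict = "enforced"
            else:
                verdict = "none"
            report[(section, "level-" + lvl, pdus)] = verdict
    return report

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(key, "->", verdict)
```

Every interface section is reported, so an interface that does not run IS-IS shows up as `none`; filter on `ip router isis` if that is noise in a real configuration.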



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:46 GMT-3