From: John Do (mcseccnp03@yahoo.com)
Date: Mon Aug 29 2005 - 16:21:14 GMT-3
Tim,
debug isis authentication information
ccie2be <ccie2be@nyc.rr.com> wrote:
Hi Tom.
Thanks for your response. It's been very helpful.
I tried using your method to verify the new md5 authentication on isis but
it doesn't seem to work.
I can hardly believe there isn't any way to verify the new md5 authen but
so far, I haven't been able to find any show command that does it.
I have md5 authen configured between R1 and R3.
R3's config:
R3#f key chain
key chain CISCO
key 1
key-string CISCO
R3#r in s1/2
Building configuration...
Current configuration : 166 bytes
!
interface Serial1/2
ip address 164.1.13.3 255.255.255.0
ip router isis
clockrate 128000
isis authentication mode md5
isis authentication key-chain CISCO
end
R3#sh clns ne
System Id Interface SNPA State Holdtime Type Protocol
R1 Se1/2 *HDLC* Up 24 L2 IS-IS
R2 Se1/1.23 DLCI 312 Up 23 L2 IS-IS
R1's config:
R1#r in s0/1
Building configuration...
Current configuration : 148 bytes
!
interface Serial0/1
ip address 164.1.13.1 255.255.255.0
ip router isis
isis authentication mode md5
isis authentication key-chain CISCO
end
R1#f key chain
key chain CISCO
key 1
key-string CISCO
R1#sh cln n
System Id Interface SNPA State Holdtime Type Protocol
R3 Se0/1 *HDLC* Up 29 L2 IS-IS
R2 Se0/0 DLCI 102 Init 23 L2 IS-IS
R1#
R1#sh isis data R3.00-00 detail
IS-IS Level-2 LSP R3.00-00
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R3.00-00 0x00000016 0x526E 1042 0/0/0
Area Address: 0d
NLPID: 0xCC
Hostname: R3
IP Address: 164.1.13.3
Metric: 10 IS-Extended R1.00
Metric: 10 IS-Extended R2.00
Metric: 1224 IP 204.12.1.0/24
Metric: 100 IP 164.1.45.0/24
Metric: 100 IP 164.1.47.0/24
Metric: 100 IP 164.1.55.0/24
Metric: 100 IP 164.1.5.0/24
Metric: 100 IP 164.1.0.5/32
Metric: 100 IP 164.1.0.4/32
Metric: 100 IP 164.1.7.0/24
Metric: 100 IP 164.1.0.0/24
Metric: 0 IP 164.1.3.0/24
Metric: 10 IP 164.1.13.0/24
Metric: 10 IP 164.1.23.0/24
Metric: 100 IP 164.1.74.0/24
Metric: 1224 IP 31.3.0.0/16
Metric: 1224 IP 31.2.0.0/16
Metric: 1224 IP 31.1.0.0/16
Metric: 1224 IP 31.0.0.0/16
Metric: 100 IP 150.1.3.0/24
Metric: 100 IP 150.1.7.7/32
Metric: 100 IP 150.1.5.5/32
Metric: 100 IP 150.1.4.4/32
Metric: 1224 IP 30.2.0.0/16
Metric: 1224 IP 30.3.0.0/16
Metric: 1224 IP 30.0.0.0/16
Metric: 1224 IP 30.1.0.0/16
R1#
R1#sh clns int s0/1
Serial0/1 is up, line protocol is up
Checksums enabled, MTU 1500, Encapsulation HDLC
ERPDUs enabled, min. interval 10 msec.
CLNS fast switching enabled
CLNS SSE switching disabled
DEC compatibility mode OFF for this interface
Next ESH/ISH in 27 seconds
Routing Protocol: IS-IS
Circuit Type: level-1-2
Interface number 0x1, local circuit ID 0x100
Neighbor System-ID: R3
Level-2 Metric: 10, Priority: 64, Circuit ID: R1.00
Level-2 IPv6 Metric: 10
Number of active level-2 adjacencies: 1
Next IS-IS Hello in 1 seconds
if state UP
I hope this doesn't turn out to be one of those things that's hidden "in
plain sight"
TIA, Tim
-----Original Message-----
From: Tom Lijnse [mailto:Tom.Lijnse@globalknowledge.nl]
Sent: Friday, November 19, 2004 7:40 AM
To: ccie2be; Group Study
Subject: RE: ISIS show command for authentication
Hi Tim,
Since area authentication adds a password to the LSPs in the level-1
database, that's where you can see it configured. As you can see this
router has area authentication configured:
R5#sh run | b ^router isis
router isis
net 49.0001.5555.5555.5555.00
is-type level-1
area-password cisco
Now when you look at the LSP for this router in the level-1 database you
can see that it has authentication configured:
R5#sh isis database R5.00-00 level-1 detail
IS-IS Level-1 LSP R5.00-00
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R5.00-00 * 0x000000D3 0xD475 896 0/0/0
Auth: Length: 6
Area Address: 49.0001
NLPID: 0xCC
Hostname: R5
IP Address: 133.1.1.5
Metric: 10 IP 133.1.1.0 255.255.255.0
Metric: 10 IP 133.1.2.0 255.255.255.0
Metric: 10 IS R4.00
There's a line saying 'Auth: Length: 6' which is not there when
authentication is not configured.
In a similar way domain authentication is visible in the level-2
database with an extra TLV in the LSPs. Only for the interface level
authentication I have not been able to find a decent show command.
Regards,
Tom Lijnse
CCIE #11031
Global Knowledge Netherlands
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, 17 November 2004 23:00
To: Group Study
Subject: ISIS show command for authentication
Hi guys,
Does a show command exist in isis that shows what authentication is
configured?
I've been looking through all the isis show commands and didn't come up with
anything.
Interestingly enough, although isis supports 3 levels of authentication, I
couldn't find any command that shows anything about any of the isis
authentication levels, link, area, or domain.
Does such a show command not exist or am I just looking in all the wrong
places?
TIA, Tim
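
Added example (not part of the original thread): a Python sketch of the check Tom describes, scanning "show isis database ... detail" output for the 'Auth: Length:' line per LSP. The sample text is constructed from the two LSPs shown above and trimmed; the function names are hypothetical, and the reading of the length value is a heuristic. Interface-level (hello) authentication does not show up in LSPs, which matches what the thread found for R3.

```python
import re

# Constructed sample: trimmed "show isis database ... detail" output for the two
# LSPs shown in the thread (R5 with area-password, R3 with interface md5 only).
SAMPLE = """\
IS-IS Level-1 LSP R5.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R5.00-00            * 0x000000D3   0xD475        896               0/0/0
  Auth:         Length: 6
  Area Address: 49.0001
  Hostname: R5
IS-IS Level-2 LSP R3.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R3.00-00              0x00000016   0x526E        1042              0/0/0
  Area Address: 0d
  Hostname: R3
"""

LEVEL_RE = re.compile(r"^IS-IS Level-(\d)\b")
LSP_RE = re.compile(r"^(\S+\.[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2})\s*\*?\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+\s")
AUTH_RE = re.compile(r"^\s*Auth:\s+Length:\s+(\d+)")

def lsp_auth_report(text):
    """Map (level, lspid) -> authentication TLV length, or None if absent."""
    report, level, current = {}, None, None
    for line in text.splitlines():
        if m := LEVEL_RE.match(line):
            level, current = int(m.group(1)), None
        elif m := LSP_RE.match(line):
            current = (level, m.group(1))
            report[current] = None
        elif (m := AUTH_RE.match(line)) and current is not None:
            report[current] = int(m.group(1))
    return report

def describe(length):
    """Heuristic reading of the TLV length: 1 type byte plus the auth value."""
    if length is None:
        return "no authentication TLV"
    if length == 17:  # RFC 5304: 16-byte HMAC-MD5 digest (or a 16-char password)
        return "auth TLV, 17 bytes: consistent with HMAC-MD5"
    return f"auth TLV, {length} bytes: consistent with a {length - 1}-character cleartext password"

def unauthenticated(text):
    """LSPs that carry no authentication TLV, sorted by (level, lspid)."""
    return sorted(k for k, v in lsp_auth_report(text).items() if v is None)

if __name__ == "__main__":
    for (level, lspid), length in lsp_auth_report(SAMPLE).items():
        print(f"L{level} {lspid}: {describe(length)}")
```
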
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3