Configuring routing domain authentication
Routing domain authentication prevents untrusted routing information from entering into a routing domain. A router with the authentication configured encapsulates the key in the specified mode into Level-2 packets (LSP, CSNP, and PSNP) and check the key in received Level-2 packets.
All the routers in the backbone must have the same authentication mode and key.
To prevent packet exchange failure in case of an authentication key change, configure IS-IS not to check the authentication information in the received packets.
To configure routing domain authentication:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IS-IS view. | isis [ process-id ] [ vpn-instance vpn-instance-name ] | N/A |
3. Specify the routing domain authentication mode and key. | domain-authentication-mode { { gca key-id { hmac-sha-1 | hmac-sha-224 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 } [ nonstandard ] | md5 | simple } { cipher | plain } string | keychain keychain-name } [ ip | osi ] | By default, no routing domain authentication is configured. |
4. (Optional.) Configure the interface not to check the authentication information in the received Level-2 packets, including LSPs, CSNPs, and PSNPs. | domain-authentication send-only | When the authentication mode and key are configured, the interface checks the authentication information in the received packets by default. |