domain-authentication-mode
Use domain-authentication-mode to specify the routing domain authentication mode and a key.
Use undo domain-authentication-mode to restore the default.
Syntax
domain-authentication-mode { { gca key-id { hmac-sha-1 | hmac-sha-224 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 } [ nonstandard ] | md5 | simple } { cipher | plain } string | keychain keychain-name } [ ip | osi ]
undo domain-authentication-mode
Default
No routing domain authentication mode or key is configured.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
gca: Specifies the GCA mode.
key-id: Specifies the key ID that uniquely identifies a security association (SA), in the range of 1 to 65535. The sender inserts the key ID into the authentication TLV, and the receiver authenticates the packet by using the SA that is selected based on the key ID.
hmac-sha-1: Specifies the HMAC-SHA-1 algorithm.
hmac-sha-224: Specifies the HMAC-SHA-224 algorithm.
hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.
hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
nonstandard: Specifies the nonstandard GCA authentication mode.
md5: Specifies the MD5 authentication mode.
simple: Specifies the simple authentication mode.
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 33 to 53 characters.
keychain: Specifies the keychain authentication mode.
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.
ip: Checks IP-related fields in LSPs.
osi: Checks OSI-related fields in LSPs.
Usage guidelines
The configured key in the specified mode is inserted into all outgoing Level-2 packets (LSP, CSNP, and PSNP) and is used for authenticating the incoming Level-2 packets.
IS-IS keychain authentication can operate correctly only when the keys in the keychain use the HMAC-MD5 authentication algorithm.
Before IS-IS sends a Level-2 packet, it uses the valid send key obtained from the keychain to authenticate the packet. If no valid send key exists or the valid send key does not use the HMAC-MD5 algorithm, the authentication fails and the packet does not contain the authentication information.
After IS-IS receives a Level-2 packet, it uses a valid accept key obtained from the keychain to authenticate the packet. If no valid accept key exists or all valid accept keys fail to authenticate the packet, the authentication fails and the packet is discarded.
All the backbone routers must have the same authentication mode and key.
If neither ip nor osi is specified, the OSI-related fields in LSPs are checked.
When you specify the GCA mode, follow these guidelines:
If you do not specify the nonstandard keyword, the device can communicate only with devices that use the GCA mode.
If you specify the nonstandard keyword, the device can communicate only with devices that use the nonstandard GCA mode.
Examples
# Set the routing domain authentication mode to simple, and set the plaintext key to 123456.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] domain-authentication-mode simple plain 123456
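The syntax, the value ranges, and the rule that all backbone routers must use the same authentication mode (including the same standard or nonstandard GCA variant) can be checked offline against configuration lines collected from each router. The following Python is an added example, not vendor code; the function names, the router names in the sample, and the assumption that keys and keychain names contain no whitespace are assumptions.

```python
import re

# Grammar from this page's Syntax line; assumes keys and names hold no whitespace.
ALGS = "hmac-sha-1|hmac-sha-224|hmac-sha-256|hmac-sha-384|hmac-sha-512"
CMD = re.compile(
    r"^domain-authentication-mode\s+(?:"
    r"(?:gca\s+(?P<key_id>\d+)\s+(?P<alg>" + ALGS + r")(?P<ns>\s+nonstandard)?"
    r"|(?P<mode>md5|simple))\s+(?P<form>cipher|plain)\s+(?P<key>\S+)"
    r"|keychain\s+(?P<keychain>\S{1,63}))"
    r"(?:\s+(?P<check>ip|osi))?$"
)

def parse(line):
    """Hypothetical helper: return the parsed command or raise ValueError."""
    m = CMD.match(line.strip())
    if not m:
        raise ValueError("does not match the documented syntax")
    if m["keychain"]:
        mode = ("keychain", m["keychain"])
    else:
        lo, hi = (1, 16) if m["form"] == "plain" else (33, 53)
        if not lo <= len(m["key"]) <= hi:
            raise ValueError(f"{m['form']} key must be {lo} to {hi} characters")
        if m["key_id"]:
            if not 1 <= int(m["key_id"]) <= 65535:
                raise ValueError("key-id must be 1 to 65535")
            mode = ("gca", int(m["key_id"]), m["alg"], bool(m["ns"]))
        else:
            mode = (m["mode"],)
    return {"mode": mode, "check": m["check"] or "osi"}  # osi is the documented default

def audit(configs):
    """Hypothetical helper: configs maps router name to its command line.
    Keys are not compared; stored cipher strings are not assumed comparable."""
    findings, seen = [], {}
    for router, line in sorted(configs.items()):
        try:
            seen[router] = parse(line)["mode"]
        except ValueError as err:
            findings.append(f"{router}: {err}")
    if len(set(seen.values())) > 1:
        findings.append("mode mismatch: " + ", ".join(f"{r}={m}" for r, m in seen.items()))
    return findings

SAMPLE = {  # constructed input, not taken from a real network
    "R1": "domain-authentication-mode gca 10 hmac-sha-256 cipher " + "x" * 33,
    "R2": "domain-authentication-mode gca 10 hmac-sha-256 nonstandard cipher " + "x" * 33,
    "R3": "domain-authentication-mode plain 123456",
}
```

Calling audit(SAMPLE) reports R3 for omitting the mode keyword and reports R1 and R2 as mismatched because only R2 uses the nonstandard keyword.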
Related commands
area-authentication-mode
domain-authentication send-only
isis authentication-mode