cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
129
Views
0
Helpful
4
Replies
Highlighted

ISIS area authentication addition

Hi there,

we have a production network that uses ISIS as the underlay protocol for the MP-BGP / MPLS cloud.

We have many IOS routers and two ASR-9K with IOS-XR, all of them configured in the same ISIS domain and area. 

All of the IOS routers are configured with the ISIS area password but the IOS-XR do not have it configured.  The ISIS neighbor-ship / adjacencies are formed without issues, but we are concerned if the routing information is really being sent/received.

Can we just add the lsp-password to the IOS-XR without disturbing any already established connections?  Or do we need to reset the ISIS process in these IOS-XR? How should we reset it if needed? What are the risks of changing the area authentication in ISIS?

If we use this ISIS connection to reach the devices loopback address and get inline access, can we loose access to them until the new LSP are sent?

 

Thank

4 REPLIES 4
Highlighted
Collaborator

Re: ISIS area authentication addition

Hi,

 

    IS-IS allows for two distinct authentication schemes: for building the adjacency (hello packets) and for the LSP's; these can be configured concurrently or independently.

   The moment you configure adjacency authentication, depending on the configured timers, if you're fast enough to apply it on both sides of the adjacency, you should not experience downtime, but still this would require a maintenance window.

  The moment you configure LSP authentication, unathenticated LSP's will be simply ignored. However, what you're saying is strange, that one side has it on and the other side off and it still works. Pay attention that if the "area password" or "domain password" are not configured also with the "authenticate snp validate" the configured password is not inserted into LSP's and not used to validate incoming LSP's. 

 

Regards,

Cristian Matei.

Highlighted

Re: ISIS area authentication addition

Thanks for your reply!

 

I have only the area password configured in the IOS routers.  No domain nor interface password.  The neighbors are present but in the RIB database I don´t have any routes.  I don´t know if it is because it is ignoring the LSP packets because the IOS-XR router does not have the LSP-password.  And if I added it, how will that impact the environment.

All the routers are Level-2 only and the connection in this interface I am looking at is a broadcast domain with 6 routers in total (4 IOS, 2 XR)

 

ROUTER_A

router isis CGs
is-type level-2-only
net 49.0001.2170.1001.6020.00
nsf cisco
log adjacency changes
address-family ipv4 unicast
metric-style wide
redistribute connected route-policy CONN2ISIS
!
interface Bundle-Ether10.2085
circuit-type level-2-only
address-family ipv4 unicast
metric 10000000
!
!
interface Loopback0
passive
address-family ipv4 unicast
!
!

interface Bundle-Ether10.2085
ipv4 address 85.X.X.X 255.255.255.240
load-interval 30
encapsulation dot1q 2085
!

ROUTER_A#sh isis neig
Wed Apr 1 17:12:58.689 CEST

IS-IS CGs neighbors:
System Id Interface SNPA State Holdtime Type IETF-NSF
ROUTER_B BE10.2085 001b.8f12.57c0 Up 25 L2 Capable

 

 

ROUTER_B

router isis
net 49.0001.2170.1001.6045.00
is-type level-2-only
area-password MY_PASSWORD
metric-style wide
no hello padding
redistribute connected route-map CONN-TO-ISIS
redistribute static ip route-map STATIC-TO-ISIS
passive-interface Loopback0

 

passive-interface Loopback0
ROUTER_B#SH ISIS NEIG

System Id Type Interface IP Address State Holdtime Circuit Id
ROUTER_A L2 Po10.2085 85.X.X.X UP 28 ROUTER_C.04

 

ROUTER_B

interface Port-channel10.2085
encapsulation dot1Q 2085
ip address 85.X.X.X 255.255.255.240
no ip redirects
no ip proxy-arp
ip router isis
ip flow ingress
clns mtu 8982
isis metric 10000000
end

If I do a "show isis rib" I don´t have any entries for Po10.2085

 

Hope this is a little bit clear for you to help me assess if I will have downtime.

 

Thanks again for your time!

 

Highlighted
Collaborator

Re: ISIS area authentication addition

Hi,

 

   I explained above what will happen and how to do it, if you want to perform HELLO/LSP authentication on IS-IS. As for the provided config, just the "area password" is configured on one side, which means it is not enforced, either ingress or egress, unless you're hitting a bug. Try removing it and see if there is something int he RIB.

   Otherwise, troubleshot regularly, see if adjacency is build first, Level1/Level2 as you need, if prefixes are injected by each device into ISIS and if this is the case, it should be advertised. Look in ISIS database.

 

Regards,

Cristian Matei.

Highlighted

Re: ISIS area authentication addition

Thank you!  I will let you know my findings in the maintenance window.