cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
252
Views
0
Helpful
4
Replies
Beginner

IS-IS authentication

While reading the vol 1 by Paluch and Kocharians the following question on IS-IS caught my attention:

 

Which statements are true about authentication in IS-IS?

Among many the following option is non marked as valid:

 

"Authentication password for L2 LSP+CSNP+PSNP must match across the area."

 

whereas 

 

"Authentication password for L2 LSP+CSNP+PSNP must match across the
domain."

 

is marked as valid.

 

I agree on the second and I would think that first is correct too just because a L2 domain spans many L2 areas, hence if a pwd must be the same in a set (domain), then that's valid also in a subset, i.e. an area.

 

What might I be missing here?

 

TIA

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Cisco Employee

Re: IS-IS authentication

Hi Alex,

That question is my fault - blame me :)

In all honesty, it was not meant as a trick question, just the wording -or the context - turns out to be less than perfect.

With all other IGPs, the authentication is always done on a per-neighborship basis that ultimately occurs between routers adjacent over the same Layer2 domain, and with OSPF, also remotely if taking a virtual link into account. As long as you maintain the same credentials for all neighbors over the same Layer2 domain, your RIP/EIGRP/OSPF will work properly and yet be fully authenticated.

To have the same functionality with IS-IS - working properly across the entire routing domain while being fully authenticated - requires additional considerations, and that is where this question is coming in. To have IS-IS that fully works across the entire domain, we need to keep in mind that IIHs are authenticated on a per-neighborship scope, Level-1 LSPs and SNPs are authenticated on an area-wide scope, and Level-2 LSPs and SNPs are authenticated on a domain-wide scope. If we don't abide by these rules when configuring IS-IS authentication, we'll get into trouble. That was the crux of the question: Which of those statements about IS-IS authentication is true if you want to deploy it properly so that the operation of the your network is secured but not impaired?

Admittedly, it should be written more clearly.

Many thanks for asking here!

Best regards,
Peter

View solution in original post

4 REPLIES 4
Highlighted
VIP Mentor

Re: IS-IS authentication

Hello,

 

I think it is a trick question. There is no such thing as L2 area authentication, hence the option is invalid:

 

--> When area authentication is configured, the password is carried in the L1 LSPs, CSNPs and PSNPS

Highlighted
VIP Mentor

Re: IS-IS authentication

Hello

Would make sense I suppose has the domain authentication is as it stated domain wide however area authentication well an isis router can be in different areas and have various interfaces iL1 or L1/l2 peering as such have these interfaces or the areas can have differing interface /area level authentication



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted
Hall of Fame Cisco Employee

Re: IS-IS authentication

Hi Alex,

That question is my fault - blame me :)

In all honesty, it was not meant as a trick question, just the wording -or the context - turns out to be less than perfect.

With all other IGPs, the authentication is always done on a per-neighborship basis that ultimately occurs between routers adjacent over the same Layer2 domain, and with OSPF, also remotely if taking a virtual link into account. As long as you maintain the same credentials for all neighbors over the same Layer2 domain, your RIP/EIGRP/OSPF will work properly and yet be fully authenticated.

To have the same functionality with IS-IS - working properly across the entire routing domain while being fully authenticated - requires additional considerations, and that is where this question is coming in. To have IS-IS that fully works across the entire domain, we need to keep in mind that IIHs are authenticated on a per-neighborship scope, Level-1 LSPs and SNPs are authenticated on an area-wide scope, and Level-2 LSPs and SNPs are authenticated on a domain-wide scope. If we don't abide by these rules when configuring IS-IS authentication, we'll get into trouble. That was the crux of the question: Which of those statements about IS-IS authentication is true if you want to deploy it properly so that the operation of the your network is secured but not impaired?

Admittedly, it should be written more clearly.

Many thanks for asking here!

Best regards,
Peter

View solution in original post

Highlighted
Beginner

Re: IS-IS authentication

Hi Peter,

 

thank you very much for having found the time to reply to me.
Considering that while learning new stuff you are always challenged by things you don't understand but if unveiled and explained they consolidate your knowledge I truly appreciate your explanation.
So I think I should have read that question as "... just match across the area" and in that case of course the statement is not true because we speak of L2 messages.

Needless to say that I'm always very pleased to read your interventions whenever there is need for extra boost in understanding a topic :-)

 

Thanks again,

Alex

CreatePlease to create content