10-29-2019 07:12 AM
While reading the vol 1 by Paluch and Kocharians the following question on IS-IS caught my attention:
Which statements are true about authentication in IS-IS?
Among many, the following option is not marked as valid:
"Authentication password for L2 LSP+CSNP+PSNP must match across the area."
whereas
"Authentication password for L2 LSP+CSNP+PSNP must match across the domain."
is marked as valid.
I agree on the second, and I would think that the first is correct too, just because an L2 domain spans many L2 areas; hence if a pwd must be the same in a set (domain), then that's valid also in a subset, i.e. an area.
What might I be missing here?
TIA
10-29-2019 07:30 AM
Hello,
I think it is a trick question. There is no such thing as L2 area authentication, hence the option is invalid:
--> When area authentication is configured, the password is carried in the L1 LSPs, CSNPs and PSNPs.
10-29-2019 08:41 AM - edited 10-29-2019 08:48 AM
Hello
Would make sense, I suppose, as the domain authentication is, as it is stated, domain-wide; however, with area authentication, well, an IS-IS router can be in different areas and have various interfaces in L1 or L1/L2 peering, and as such these interfaces or the areas can have differing interface/area-level authentication.
10-30-2019 04:42 AM
Hi Alex,
That question is my fault - blame me :)
In all honesty, it was not meant as a trick question, just the wording - or the context - turns out to be less than perfect.
With all other IGPs, the authentication is always done on a per-neighborship basis that ultimately occurs between routers adjacent over the same Layer2 domain, and with OSPF, also remotely if taking a virtual link into account. As long as you maintain the same credentials for all neighbors over the same Layer2 domain, your RIP/EIGRP/OSPF will work properly and yet be fully authenticated.
To have the same functionality with IS-IS - working properly across the entire routing domain while being fully authenticated - requires additional considerations, and that is where this question is coming in. To have IS-IS that fully works across the entire domain, we need to keep in mind that IIHs are authenticated on a per-neighborship scope, Level-1 LSPs and SNPs are authenticated on an area-wide scope, and Level-2 LSPs and SNPs are authenticated on a domain-wide scope. If we don't abide by these rules when configuring IS-IS authentication, we'll get into trouble. That was the crux of the question: Which of those statements about IS-IS authentication is true if you want to deploy it properly so that the operation of your network is secured but not impaired?
Admittedly, it should be written more clearly.
Many thanks for asking here!
Best regards,
Peter
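The three scopes described in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit over a constructed inventory. The router names, areas, passwords and the `audit` function are hypothetical, and the model is simplified to one password per scope.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical, not taken from the thread).
# level is "L1", "L2" or "L1L2". area_pw authenticates L1 LSP/CSNP/PSNP,
# domain_pw authenticates L2 LSP/CSNP/PSNP.
ROUTERS = {
    "R1": {"area": "49.0001", "level": "L1",   "area_pw": "a1", "domain_pw": None},
    "R2": {"area": "49.0001", "level": "L1L2", "area_pw": "a1", "domain_pw": "d1"},
    "R3": {"area": "49.0002", "level": "L1L2", "area_pw": "a2", "domain_pw": "d2"},
    "R4": {"area": "49.0002", "level": "L1",   "area_pw": "a2", "domain_pw": None},
}
# Each link lists (router, hello password) for both ends of the adjacency.
LINKS = [
    (("R1", "h1"), ("R2", "h1")),
    (("R2", "h2"), ("R3", "h2")),
    (("R3", "h3"), ("R4", "hX")),
]

def audit(routers, links):
    """Return (scope, where) tuples for every authentication mismatch."""
    findings = []
    # IIHs: only the two ends of one adjacency have to agree.
    for (a, pw_a), (b, pw_b) in links:
        if pw_a != pw_b:
            findings.append(("iih", f"{a}-{b}"))
    # Level-1 LSPs/SNPs stay inside one area, so the scope is the area.
    l1 = defaultdict(set)
    for r in routers.values():
        if "L1" in r["level"]:
            l1[r["area"]].add(r["area_pw"])
    findings += [("l1-area", area) for area, pws in sorted(l1.items())
                 if len(pws) > 1]
    # Level-2 LSPs/SNPs are flooded between areas, so the scope is the
    # whole domain: agreeing within each area is not enough.
    l2 = {r["domain_pw"] for r in routers.values() if "L2" in r["level"]}
    if len(l2) > 1:
        findings.append(("l2-domain", "all L2 routers"))
    return findings

if __name__ == "__main__":
    for scope, where in audit(ROUTERS, LINKS):
        print(f"mismatch [{scope}] at {where}")
```

In the sample, each area is internally consistent, yet the audit still flags the Level-2 passwords because R2 and R3 sit in different areas and must share one domain-wide value.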
10-30-2019 03:37 PM
Hi Peter,
Thank you very much for having found the time to reply to me.
Considering that while learning new stuff you are always challenged by things you don't understand, but if unveiled and explained they consolidate your knowledge, I truly appreciate your explanation.
So I think I should have read that question as "... just match across the area" and in that case of course the statement is not true because we speak of L2 messages.
Needless to say that I'm always very pleased to read your interventions whenever there is a need for an extra boost in understanding a topic :-)
Thanks again,
Alex