IS-IS authentication

Alex Mac (Level 1)

While reading Vol. 1 by Paluch and Kocharians, the following question on IS-IS caught my attention:

Which statements are true about authentication in IS-IS?

Among many, the following option is not marked as valid:

"Authentication password for L2 LSP+CSNP+PSNP must match across the area."

whereas

"Authentication password for L2 LSP+CSNP+PSNP must match across the domain."

is marked as valid.

I agree on the second, and I would think that the first is correct too, just because an L2 domain spans many L2 areas; hence, if a pwd must be the same in a set (domain), then that's valid also in a subset, i.e. an area.

What might I be missing here?

TIA

Accepted Solution

Peter Paluch (Cisco Employee)

Hi Alex,

That question is my fault - blame me :)

In all honesty, it was not meant as a trick question; just the wording - or the context - turns out to be less than perfect.

With all other IGPs, the authentication is always done on a per-neighborship basis that ultimately occurs between routers adjacent over the same Layer 2 domain, and with OSPF, also remotely if taking a virtual link into account. As long as you maintain the same credentials for all neighbors over the same Layer 2 domain, your RIP/EIGRP/OSPF will work properly and yet be fully authenticated.

To have the same functionality with IS-IS - working properly across the entire routing domain while being fully authenticated - requires additional considerations, and that is where this question is coming in. To have IS-IS that fully works across the entire domain, we need to keep in mind that IIHs are authenticated on a per-neighborship scope, Level-1 LSPs and SNPs are authenticated on an area-wide scope, and Level-2 LSPs and SNPs are authenticated on a domain-wide scope. If we don't abide by these rules when configuring IS-IS authentication, we'll get into trouble. That was the crux of the question: Which of those statements about IS-IS authentication is true if you want to deploy it properly so that the operation of your network is secured but not impaired?

Admittedly, it should be written more clearly.

Many thanks for asking here!

Best regards,
Peter

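As an added example (not part of Peter's post or of the book), this Cisco IOS fragment shows where each of the three authentication scopes he describes is configured; the key-chain names, key strings, NET and interface name are made-up placeholders:

```text
! Three key chains, one per scope. Names and key strings are placeholders.
key chain ISIS-HELLO
 key 1
  key-string HELLO-PER-LINK
key chain ISIS-L1-AREA
 key 1
  key-string L1-AREA-49-0001
key chain ISIS-L2-DOMAIN
 key 1
  key-string L2-WHOLE-DOMAIN
!
router isis CORE
 net 49.0001.0000.0000.0001.00
 ! Level-1 LSP/CSNP/PSNP authentication: must match on every router in area 49.0001
 authentication mode md5 level-1
 authentication key-chain ISIS-L1-AREA level-1
 ! Level-2 LSP/CSNP/PSNP authentication: must match on every L2 router in the whole domain
 authentication mode md5 level-2
 authentication key-chain ISIS-L2-DOMAIN level-2
!
interface GigabitEthernet0/0
 ip router isis CORE
 ! IIH authentication: only has to match the neighbour(s) on this particular link
 isis authentication mode md5 level-1
 isis authentication key-chain ISIS-HELLO level-1
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-HELLO level-2
```

Because IIHs are authenticated separately from LSPs and SNPs, a wrong area or domain key leaves the adjacency up while the affected LSPs and SNPs are discarded, so an incomplete link-state database rather than a down neighbor is the symptom to look for.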

4 Replies

Hello,

I think it is a trick question. There is no such thing as L2 area authentication, hence the option is invalid:

--> When area authentication is configured, the password is carried in the L1 LSPs, CSNPs and PSNPs.

Hello

It would make sense, I suppose, as the domain authentication is, as it stated, domain-wide. However, for area authentication, well, an IS-IS router can be in different areas and have various interfaces in L1 or L1/L2 peering; as such, these interfaces or the areas can have differing interface/area-level authentication.

Kind Regards
Paul


Hi Peter,

Thank you very much for having found the time to reply to me.
Considering that, while learning new stuff, you are always challenged by things you don't understand, but if unveiled and explained they consolidate your knowledge, I truly appreciate your explanation.
So I think I should have read that question as "... just match across the area", and in that case of course the statement is not true, because we speak of L2 messages.

Needless to say, I'm always very pleased to read your interventions whenever there is a need for an extra boost in understanding a topic :-)

Thanks again,

Alex
