
Override IS-IS LSP password on interface

aacole
Level 5

I have a router which uses a Keychain for authentication, configured under the ISIS process, and I want to disable this on one interface.

Therefore all ISIS interfaces use this keychain. I now need to add another interface into the ISIS process, but this one needs the LSP password authentication disabling under the interface settings.

The issue is that the router network uses all ASR9000 series kit, and all ISIS instances are authenticated by the keychain. Now we need to add an ASR1001 router onto a new link, but cannot get the ISIS authentication to operate on that path. I wish to disable the authentication on this path. I'm away from site so don't have access to the routers, and the manuals don't indicate how to override the process setting at an interface level.

I'm back on site Monday morning to continue with this, can anyone tell me the commands for this?

The code version is 4.3.0

2 Replies

xthuijs
Cisco Employee

Don't believe that is possible unfortunately.

You could use the lsp-password accept mode to only do incoming authentication, but that may break some security.

Also I would recommend using the commit confirmed.

I'll try to see if there are other alternatives for this and will update the post if there are any.

regards

xander

Samil Lama
Level 1

Hello aacole,

IS-IS Authentication can be configured under interface configuration (isis password), under IS-IS process for an area (area-password) or for an entire IS-IS domain (domain-password).

These three could be combined depending on your need. In this case, you have some options for disabling IS-IS Authentication in the link between the ASR9000 and ASR1001:

1 - Disable IS-IS Domain Authentication on all routers: no domain-password under IS-IS process.

2 - Option A: Disable IS-IS Area-Authentication on all routers within the area: no area-password under IS-IS process. Later you could configure IS-IS Interface-Authentication in the desired secured interfaces, excluding the link between ASR9000-ASR1001.

2 - Option B: Configure Multiarea IS-IS and disable IS-IS Area-Authentication in the area of the ASR1001. For this you'll need to configure ASR1001 in a different area and merge the areas by configuring multiple network entity titles (NETs) in the ASR9000.

Note: Step one could be skipped if you configure the new ASR1001 on a separate VRF.

Here are some helpful references:

Configuring IS-IS Interface Authentication

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfisis.html#wp1001158

Configuring Multiarea IS-IS

http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html

IS-IS Support for an IS-IS Instance per VRF for IP.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/vrf_isis.html#wp1053917

Regards.