Configuring isis-spb authentication, Configuring isis-spb adjacency authentication, Configuring isis-spb area authentication – H3C Technologies H3C S12500 Series Switches User Manual
Page 39
31
Configuring ISIS-SPB authentication
ISIS-SPB authentication helps improve security in an SPBM network. It includes adjacency authentication
and area authentication.
Configuring ISIS-SPB adjacency authentication
ISIS-SPB adjacency authentication guarantees that SPBM nodes establish adjacencies only with
trustworthy neighbors.
SPBM nodes send adjacency authentication information (including the authentication method and
password) in ISIS-SPB hello packets. The recipient establishes or maintains an adjacency with the sender
only if the received authentication settings match its local authentication settings.
For two devices to establish an adjacency, you must configure the same authentication method and
password on them.
To prevent loss of adjacencies, use the following procedure when you modify adjacency authentication
settings:
1.
Disable adjacency authentication for incoming ISIS-SPB hello packets on the neighbor devices.
2.
Modify the authentication settings on the local end.
3.
Modify the authentication settings on the remote end.
4.
Enable adjacency authentication for incoming ISIS-SPB hello packets on the neighbor devices.
To configure ISIS-SPB adjacency authentication:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter Layer 2 Ethernet
interface view or Layer 2
aggregate interface view.
interface interface-type
interface-number
N/A
3.
Set an adjacency
authentication method and
password.
spbm authentication-mode { md5 |
simple } { cipher cipher-string | plain
plain-string }
By default, adjacency
authentication is disabled. No
authentication method or
password is configured.
4.
(Optional.) Disable
adjacency authentication for
incoming IS-IS hello packets.
spbm authentication send-only
By default, the device
authenticates incoming IS-IS hello
packets if adjacency
authentication is enabled.
Configuring ISIS-SPB area authentication
ISIS-SPB area authentication guarantees that SPBM nodes learn topology data only from trustworthy
neighbors.
ISIS-SPB sends area authentication information (including the authentication method and password) in
topology advertisement packets (LSP, CSNP, and PSNP). The recipients accept a topology advertisement
packet only if the authentication settings in the packet match their local authentication settings.
For correct authentication, make sure the authentication method and password is the same across the
SPBM network.
To prevent temporary drops of topology advertisement packets, use the following procedure when you
modify authentication settings: