ISIS area authentication problem

Latest reply: Aug 22, 2019 03:04:31

Problem Description

Topology

[Topology diagram: isis2]

Symptom

When R3 with ISIS configuration has been connected to the existing network, PC1 and PC2 cannot communicate with each other.

 

Handling Process 

1. ISIS configuration of R3 (R1 and R2 are similar):

#
isis 1
 is-level level-2
 network-entity 10.0030.0300.3003.00
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.3 255.255.255.0
 isis enable 1
 isis circuit-level level-2
 isis authentication-mode md5 cipher XXXXXX
#

 

2. Run display ISIS peer and display ISIS route: it can be seen that ISIS peering is being established but no ISIS routes are received.

3. Run display ISIS interface: it shows that R3 is selected as the DIS.

4. Run display ISIS peer: it can be observed that there are some ISIS error messages regarding authentication.

[R1]dis isis error
                    Statistics of error packets for ISIS(1)
                    ---------------------------------------
LSP packet errors:
Longer LSP              : 0         Smaller LSP               : 0
Mismatched Level        : 0         Invalid Sysid             : 0
Zero Sequence Number    : 0         Illegal IS Type           : 0
Zero Checksum           : 0         Incorrect Checksum        : 0
Bad Authentication      : 6         Bad Auth Count            : 0
More Protocol TLV       : 0         Bad Nbr TLV               : 0

5. After changing the ISIS domain authentication password of R3, the fault is rectified.

 

Root Cause

When the new IS-IS router is connected to the live network and the circuit type is broadcast, the DIS election will be triggered. In this case, all ISIS routers on the network have a default dis-priority of 64. Because the G0/0/0 of R3 has the highest MAC address, R3 becomes the DIS on the network segment. As it has the incorrect domain authentication password, it established ISIS peering but did not accept any routing information. As a result, other IS-IS routers on the network also clear the IS-IS routing table because they could not accept routing updates from R3.


Solution

Increase the DIS priority of existing ISIS routers so that the newly added router will not become DIS and cause network failure.


Suggestions and Summary

There are two levels of ISIS password configuration:
- Hello packet level (configured under the interface)
  Command: isis authentication-mode
- LSDB level (configured under the ISIS process)
  Commands: area-authentication-mode (Level-1 area authentication)
  domain-authentication-mode (Level-2 area authentication)

When connecting a new ISIS router to a broadcast network with a password, extreme caution needs to be taken, as the whole ISIS routing can be impacted when the wrong LSDB password is set.
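An added example, not part of the original post: a small Python parser for the `display isis error` output shown in step 4 that compares two snapshots and reports authentication counters that are rising, a check to run on the existing routers right after a new IS-IS router joins a broadcast segment. The snapshot text is constructed (the second mirrors the counters in the post), and the handling of section headings assumes every section title ends in "errors:" as the one on the page does.

```python
import re

# Counter pairs in "display isis error" output look like "Name : 6", two per line.
_COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")

def parse_isis_errors(text):
    """Return {section: {counter: value}} from 'display isis error' output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("errors:"):            # e.g. "LSP packet errors:"
            current = sections.setdefault(line[:-1], {})
        elif current is not None:
            for name, value in _COUNTER.findall(line):
                current[name.strip()] = int(value)
    return sections

def auth_failures(before, after):
    """Authentication counters that increased between two snapshots."""
    rising = {}
    for section, counters in after.items():
        for name, value in counters.items():
            if "Auth" not in name:
                continue
            delta = value - before.get(section, {}).get(name, 0)
            if delta > 0:
                rising[(section, name)] = delta
    return rising

# Constructed samples: the second mirrors the counters shown in the post.
SNAPSHOT_BEFORE = """\
LSP packet errors:
Zero Checksum         : 0         Incorrect Checksum          : 0
Bad Authentication      : 0         Bad Auth Count            : 0
"""
SNAPSHOT_AFTER = """\
LSP packet errors:
Zero Checksum         : 0         Incorrect Checksum          : 0
Bad Authentication      : 6         Bad Auth Count            : 0
More Protocol TLV       : 0         Bad Nbr TLV              : 0
"""

if __name__ == "__main__":
    found = auth_failures(parse_isis_errors(SNAPSHOT_BEFORE),
                          parse_isis_errors(SNAPSHOT_AFTER))
    for (section, name), delta in found.items():
        print(f"{section}: {name} rose by {delta}")
```

A rising "Bad Authentication" count under "LSP packet errors" while adjacencies stay up matches the symptom in this case: peering is present but LSPs are rejected.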

 



wissal
MVE Created Aug 21, 2019 15:59:34 Helpful(0) Helpful(0)

Thanks for sharing
chenhui
Admin Created Aug 22, 2019 03:04:31 Helpful(0) Helpful(0)

excellent. :D