[j-nsp] ISIS Authentication Problems
Mark Tinka
mtinka at globaltransit.net
Fri Mar 9 06:39:27 EST 2012
On Thursday, March 08, 2012 11:22:48 AM John Neiberger
wrote:
> I think some mixture of those commands would have helped,
> but I think I also just spotted the real culprit. The
> CRS that is working has the following configured:
>
> lsp-password hmac-md5 encrypted ##encrypted stuff##
>
> So, on the CRS I was working on, I need to enable md5 on
> LSPs. I had no idea it was done separately.
Yes, the CRS does this differently.
In 'router isis' mode, you need to:
o Enable the 'lsp-password hmac-md5' command at the
global level.
o Enable the 'hello-password hmac-md5' at the
interface level.
This is the case also when forming IS-IS adjacencies with
other IOS and IOS XE devices.
The other thing to look out for when running IOS XR and
Junos side-by-side is authentication of RSVP messages.
Your IOS XR authentication configuration would need to look
like this:
key chain your-key-chain-name
key 1
accept-lifetime 00:00:00 january 01 2000 infinite
key-string password <your-password-here>
send-lifetime 00:00:00 january 01 2000 infinite
cryptographic-algorithm HMAC-MD5
The 'accept-lifetime' and 'send-lifetime' commands are
required because of an inter-op issue between IOS XR and
Junos, which IOS and IOS XE don't have.
IOS XR would need to implement the changes that IOS and IOS
XE did in order to inter-op with Junos without having these
problems, or needing those commands in the first place.
Without those commands, authentication between IOS XR and
Junos won't work.
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20120309/8b409b12/attachment.sig>
More information about the juniper-nsp
mailing list