[j-nsp] ISIS authentication issue

[John Neiberger]

The plan is eventually to add LSP authentication on the Cisco side, but
that would entail touching every Cisco router in the area, which is kind of
a pain at the moment. We were hoping to find a way to get this adjacency to
the MX960 up before we tweak the rest of the area. I think we'll try your
first suggestion to see if it at least gets us through for now and then we
can tweak it all again once we've added LSP authentication to all the Cisco
routers in the area.

Thanks,
John


On Wed, Jun 12, 2013 at 11:16 AM, Olivier Benghozi <
olivier.benghozi at wifirst.fr> wrote:

> Maybe you could try to remove the authentication settings in the [proto
> isis level] config on the MX, and add instead some hello-authentication-*
> in the [proto isis interface blahblah level X] ?
>
> Or better, configure the CRS to also authenticate LSP with lsp-password
> hmac-md5 blah level X, of course ?
>
> --
> regards,
> Olivier Benghozi
>
> Le 12 juin 2013 à 17:08, John Neiberger <jneiberger at gmail.com> a écrit :
> > We've got an MX960 connected to a Cisco CRS, both of which are configured
> > for ISIS authentication. However, the CRS is currently configured for
> only
> > hello authentication. It appears that Junos enables both hello
> > authentication and CSNP/PSNP authentication by default. This is allowing
> > the adjacency to come up but the MX960 drops subsequent CSNP/PSNP packets
> > because they are not authenticated. I wanted to disable this, so at the
> > same level we configured ISIS authentication I added the following:
> >
> > no-psnp-authentication
> > no-csnp-authentication
> >
> > However, that didn't work and I can't figure out why. The MX960 continued
> > to drop CSNP and PSNP packets because of authentication. I suspect that I
> > might have needed to clear the adjacency with that neighbor but I really
> > don't know. I expected it to start working immediately.
>
>