FabricPath Authentication

This chapter describes how to set the FabricPath Intermediate System-to-Intermediate System (IS-IS) authentication parameters on the Cisco Nexus 5500 Series switches.

This chapter includes the following sections:

  • FabricPath IS-IS Authentication Parameters
  • Setting the FabricPath IS-IS Authentication Parameters Globally
  • Setting the FabricPath IS-IS Authentication Parameters Per Interface
  • Additional Information About FabricPath IS-IS Authentication

Note For information about the prerequisites, guidelines and limitations, and licensing requirements for FabricPath, see Chapter 1, “Overview.”


FabricPath IS-IS Authentication Parameters

FabricPath allows the authentication of IS-IS hello protocol data units (PDUs) and IS-IS Link State Packets (LSPs). Authentication for IS-IS LSPs is configured globally, in the fabricpath domain default configuration mode; authentication for IS-IS hello PDUs is configured per interface, in the interface configuration mode. The configuration structure is identical for IS-IS hello PDUs and IS-IS LSPs.

Setting the FabricPath IS-IS Authentication Parameters Globally

Although the FabricPath Layer 2 IS-IS protocol works automatically after you enable FabricPath, you can optionally configure the global parameters.

 

Step 1

Command: configure terminal

Example:
switch# configure terminal

Purpose: Enters the global configuration mode.

Step 2

Command: fabricpath domain default

Example:
switch(config)# fabricpath domain default
switch(config-fabricpath-isis)#

Purpose: Enters the global FabricPath Layer 2 IS-IS configuration mode.

Step 3

Command: authentication-check

Example:
switch(config-fabricpath-isis)# authentication-check
switch(config-fabricpath-isis)#

Purpose: (Optional) Configures an authentication check on the PDUs that the switch receives. The authentication check is on by default. (To turn off the authentication check, enter the no form of this command.)

Step 4

Command: authentication key-chain auth-key-chain-name

Example:
switch(config-fabricpath-isis)# authentication key-chain trees
switch(config-fabricpath-isis)#

An example of creating the key chain named trees is as follows:

key chain trees
key 0
key-string cisco01
accept-lifetime 07:00:00 Sep 20 2011 infinite
send-lifetime 07:00:00 Sep 20 2011 infinite

Purpose: (Optional) Configures the authentication key chain. (To clear this parameter, enter the no form of this command.)

The auth-key-chain-name is the name of a key chain. A maximum of 63 alphanumeric characters is allowed.

See the Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 6.0 for information about key chains.

Step 5

Command: authentication-type {cleartext | md5}

Example:
switch(config-fabricpath-isis)# authentication-type md5
switch(config-fabricpath-isis)#

Purpose: (Optional) Configures the authentication type. (To clear this parameter, enter the no form of this command.)

You can set one of the following authentication types:

  • cleartext: Specifies the cleartext authentication method.
  • md5: Specifies the Message Digest 5 (MD5) authentication method.
Setting the FabricPath IS-IS Authentication Parameters Per Interface

Although the FabricPath Layer 2 IS-IS protocol works automatically after you enable FabricPath, you can optionally configure the interface parameters.

 

Step 1

Command: configure terminal

Example:
switch# configure terminal
switch(config)#

Purpose: Enters the global configuration mode.

Step 2

Command: interface {ethernet mod/slot | port-channel channel-number}

Example:
switch(config)# interface ethernet 5/2
switch(config-if)#

Purpose: Enters the interface configuration mode and specifies the interface that you want to configure.

The slot can be from 1 to 3. The following list defines the slots available:

  • Slot 1 includes all the fixed ports. A Fabric Extender has only one slot.
  • Slot 2 includes the ports on the upper expansion module (if populated).
  • Slot 3 includes the ports on the lower expansion module (if populated).

The port number within a particular slot can be from 1 to 128.

The port channel number assigned to the EtherChannel logical interface can be from 1 to 4096.

Step 3

Command: fabricpath isis authentication-check

Example:
switch(config-if)# fabricpath isis authentication-check
switch(config-if)#

Purpose: (Optional) Enables an authentication check on the incoming FabricPath Layer 2 IS-IS PDUs for the interface. The authentication check is on by default. (To turn off the authentication check, enter the no form of this command.)

Step 4

Command: fabricpath isis authentication key-chain auth-key-chain-name

Example:
switch(config-if)# fabricpath isis authentication key-chain trees
switch(config-if)#

An example of creating the key chain named trees is as follows:

key chain trees
key 0
key-string cisco01
accept-lifetime 07:00:00 Sep 20 2011 infinite
send-lifetime 07:00:00 Sep 20 2011 infinite

Purpose: (Optional) Assigns a password to authenticate hello PDUs. (To remove the password, enter the no form of this command.)

The auth-key-chain-name is the name of a key chain. A maximum of 63 alphanumeric characters is allowed.

See the Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 6.0 for information about key chains.

Step 5

Command: fabricpath isis authentication-type {cleartext | md5}

Example:
switch(config-if)# fabricpath isis authentication-type md5
switch(config-if)#

Purpose: (Optional) Specifies the authentication type for FabricPath Layer 2 IS-IS hello PDUs on the interface. (To remove the authentication type, enter the no form of this command.)

You can set one of the following authentication types:

  • cleartext: Specifies the cleartext authentication method.
  • md5: Specifies the Message Digest 5 (MD5) authentication method.
Additional Information About FabricPath IS-IS Authentication

The authentication-check command enables verification of received PDUs, and the no authentication-check command disables that verification without interrupting the FabricPath setup. With no authentication-check, IS-IS still sends its hello PDUs and LSPs with authentication but does not verify the authentication of the PDUs and LSPs it receives. This allows a two-step rollout. In the first step, every node in the fabric is configured to send authenticated hello PDUs and LSPs while verification stays off, so the service is not disrupted while nodes are still being configured. In the second step, the security mechanism is activated by applying the authentication-check command on all the fabric nodes and interfaces.


Note

  • If you use LSP authentication on a FabricPath, you must also enable LSP authentication on all the FabricPath nodes. Otherwise, the FabricPath will not function properly.
  • If you enable hello authentication on a FabricPath, you must also enable hello authentication on both sides of the links between the FabricPath nodes. Otherwise, the links will not be used for FabricPath.
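The following Python model is an added example and is not Cisco code or anything from this guide. It models the knobs described in the global and per-interface procedures above and the two-step rollout in this section: authentication-check on or off, authentication-type cleartext or md5, and a key chain with accept and send lifetimes, so the effect of each setting on sample PDUs can be observed. Everything in it is an assumption of the model: the md5 type is treated as keyed HMAC-MD5 over the PDU bytes (in the style of RFC 5304), a node with no authentication configured is assumed to ignore any authentication value it receives, and the PDUs are constructed byte strings rather than real IS-IS encodings. The key chain mirrors the trees example from the procedures.

```python
"""Model of FabricPath IS-IS PDU authentication and the two-step rollout.

Added example, not Cisco's code. Assumptions: "md5" is keyed HMAC-MD5 over the
PDU bytes (RFC 5304 style); a node with no authentication configured ignores a
received authentication value; PDUs are constructed bytes, not real IS-IS.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    send_start: datetime
    accept_end: Optional[datetime] = None   # None models "infinite"
    send_end: Optional[datetime] = None

    def can_accept(self, now: datetime) -> bool:
        return self.accept_start <= now and (self.accept_end is None or now <= self.accept_end)

    def can_send(self, now: datetime) -> bool:
        return self.send_start <= now and (self.send_end is None or now <= self.send_end)


@dataclass
class KeyChain:
    name: str
    keys: List[Key]

    def __post_init__(self) -> None:
        # The guide allows at most 63 alphanumeric characters for the name.
        if not (self.name.isalnum() and len(self.name) <= 63):
            raise ValueError(f"invalid key-chain name: {self.name!r}")

    def send_key(self, now: datetime) -> Key:
        # Lowest key id whose send lifetime is active (ordering is a model assumption).
        for key in sorted(self.keys, key=lambda k: k.key_id):
            if key.can_send(now):
                return key
        raise RuntimeError(f"key chain {self.name}: no key valid for sending")

    def accept_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if k.can_accept(now)]


def auth_value(auth_type: str, key: Key, pdu: bytes) -> bytes:
    """Authentication value that travels with the PDU for the given type."""
    if auth_type == "cleartext":
        return key.key_string.encode()   # the key itself is on the wire
    if auth_type == "md5":
        return hmac.new(key.key_string.encode(), pdu, hashlib.md5).digest()
    raise ValueError(f"unknown authentication-type {auth_type!r}")


@dataclass
class Node:
    name: str
    auth_type: Optional[str] = None
    key_chain: Optional[KeyChain] = None
    authentication_check: bool = True    # on by default, as the guide states

    def send(self, pdu: bytes, now: datetime) -> Tuple[bytes, Optional[bytes]]:
        if self.auth_type is None or self.key_chain is None:
            return pdu, None
        return pdu, auth_value(self.auth_type, self.key_chain.send_key(now), pdu)

    def receive(self, pdu: bytes, value: Optional[bytes], now: datetime) -> bool:
        """True if the PDU is accepted under this node's configuration."""
        if not self.authentication_check or self.auth_type is None or self.key_chain is None:
            return True   # check off (or nothing configured): nothing is verified
        if value is None:
            return False  # check on: an unauthenticated PDU is dropped
        return any(hmac.compare_digest(auth_value(self.auth_type, k, pdu), value)
                   for k in self.key_chain.accept_keys(now))


# Constructed sample data; the key chain mirrors the "trees" example in the guide.
T0 = datetime(2011, 9, 20, 7, 0, 0)
TREES = KeyChain("trees", [Key(0, "cisco01", accept_start=T0, send_start=T0)])
HELLO = b"constructed-fabricpath-isis-hello-pdu"
NOW = datetime(2012, 1, 1)


def two_step_rollout(now: datetime = NOW) -> Tuple[bool, bool, bool]:
    """Step 1: send authenticated, verify nothing. Step 2: verify everywhere."""
    a = Node("A", "md5", TREES, authentication_check=False)
    b = Node("B")  # not yet configured: nothing breaks while A rolls out
    step1 = b.receive(*a.send(HELLO, now), now) and a.receive(*b.send(HELLO, now), now)
    b.auth_type, b.key_chain = "md5", TREES          # B catches up
    a.authentication_check = b.authentication_check = True
    step2 = b.receive(*a.send(HELLO, now), now) and a.receive(*b.send(HELLO, now), now)
    unauthenticated_dropped = not b.receive(HELLO, None, now)
    return step1, step2, unauthenticated_dropped


def one_sided_hello_rejected(now: datetime = NOW) -> bool:
    """Hello auth on one end only (the guide's note): the checking end drops the hello."""
    a, b = Node("A", "md5", TREES), Node("B")
    return not a.receive(*b.send(HELLO, now), now)


def key_visible_on_wire(auth_type: str, now: datetime = NOW) -> bool:
    """Does the key string appear in what the sender puts on the wire?"""
    _, value = Node("A", auth_type, TREES).send(HELLO, now)
    return value is not None and b"cisco01" in value


if __name__ == "__main__":
    print("rollout (step1, step2, unauth dropped):", two_step_rollout())
    print("one-sided hello rejected:", one_sided_hello_rejected())
    print("key on wire, cleartext:", key_visible_on_wire("cleartext"))
    print("key on wire, md5:", key_visible_on_wire("md5"))
```

Running the script shows why the guide recommends the two-step order: while the check is off, a node that already sends authenticated PDUs still accepts unauthenticated ones from nodes that are not configured yet, and only after the check is enabled everywhere are unauthenticated PDUs dropped. It also shows the practical difference between the two types: with cleartext the key string itself is carried in every PDU, whereas with md5 only a keyed digest is sent, so anyone able to capture fabric traffic learns the key in the first case but not the second.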