CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes how to configure the services supported by the CX11x, CX31x, and CX91x series switch modules. It covers function configurations and configuration examples.
Configuring a Keychain

A keychain holds a set of authentication keys, each with its own algorithm and validity window, so that the key an application uses to authenticate its packets rotates on a schedule instead of remaining fixed for the lifetime of the configuration.

Pre-configuration Tasks

Before configuring the keychain, complete the following task:

  • Powering on all the devices and performing self-check

Creating a Keychain

Context

A keychain must exist before an application can reference it for authentication. Keychain keys authenticate packets (origin and integrity); they do not encrypt the packet contents. Deleting a keychain that is in use may interrupt communication, so exercise caution when deleting one.

Transmission Control Protocol (TCP) applications authenticate their connections with TCP authentication, carried in the enhanced TCP authentication option. Vendors use different option kind values to represent this option and different algorithm IDs to represent the algorithms. When a keychain is applied to a TCP application, configure the kind value and the mapping between the TCP algorithm and the algorithm ID to match the peer's configuration; otherwise devices from different vendors cannot interoperate.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }

    A keychain is created and the keychain view is displayed.

  3. (Optional) Configure the TCP authentication parameters. They are required only when the keychain is to be applied to a TCP application such as BGP, and they must match the values configured on the peer.
    1. Run:

      tcp-kind kind-value

      The TCP kind value of the keychain is configured.

    2. Run:

      tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 } algorithm-id

      The mapping between the TCP algorithm and algorithm ID is configured.

  4. (Optional) Run:

    receive-tolerance { value | infinite }

    The receive tolerance time is configured.

    NOTE:

    You are advised to set a receive tolerance time. It advances the start of each key's receive time and delays its end, so that packets are not dropped when the clocks of the two ends differ during a key change. Keep the value bounded: a larger tolerance also lengthens the period during which a retired key is still accepted.

  5. Run:

    commit

    The configuration is committed.

Configuring a Key

Context

A key is an authentication rule within a keychain. Each key consists of an algorithm, a key string, an active send time, an active receive time, and the key status. A keychain holds a maximum of 64 keys.

Key IDs are unique within a keychain; keys in different keychains may use the same key ID. Only one send key may be active in a keychain at any time, otherwise the application could not determine which key to use to authenticate outgoing packets. Multiple receive keys may be active at the same time: an incoming packet is verified with the receive key whose key ID matches the key ID carried in the packet.

When the sending end changes its key, the receiving end must change correspondingly. Because the clocks of the two ends are not perfectly synchronized, one end may switch before the other, and packets sent in that interval are rejected. The receive tolerance time prevents this loss. It applies only to receive keys: it advances the start of each receive time and delays its end.

If no key covers a given period, no send key is active in that period and the application sends no authenticated packets. A default send key can be configured to cover such gaps. Any key can be designated the default send key, but a keychain has only one; it takes effect whenever no other send key is active.
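The send-key and receive-key selection described above, together with the effect of the receive tolerance time, as an added example that is not part of the Huawei document and does not run on the switch. It models a keychain in Python with assumptions the page does not make: a constructed two-key absolute-mode schedule, HMAC-SHA-256 as the algorithm, a packet that carries its key ID alongside the MAC, and times and the receive tolerance expressed as plain seconds (the unit of the real receive-tolerance command is not taken from the page). The rollover_accepted scenario puts the sender's clock 90 seconds ahead of the receiver's, enough for the sender to switch to key 2 while the receiver still expects only key 1.

```python
# Added example (not Huawei's code): a model of how a keychain picks the send key
# and the acceptable receive keys, and why the receive tolerance time exists.
# Assumptions not taken from the page: times are integer seconds, the receive
# tolerance is in the same seconds, and a packet carries (key-id, payload, MAC).
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALGORITHMS = {"hmac-sha-256": hashlib.sha256, "hmac-md5": hashlib.md5}


@dataclass
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    send_window: Tuple[int, int]     # [start, end): key authenticates outgoing packets
    receive_window: Tuple[int, int]  # [start, end): key may verify incoming packets


@dataclass
class Keychain:
    name: str
    keys: Dict[int, Key] = field(default_factory=dict)
    receive_tolerance: int = 0       # widens every receive window at both ends
    default_send_key: Optional[int] = None

    def add_key(self, key: Key) -> None:
        # Key IDs are unique within one keychain (other keychains may reuse them).
        if key.key_id in self.keys:
            raise ValueError(f"key-id {key.key_id} already exists in keychain {self.name}")
        self.keys[key.key_id] = key

    def send_key(self, now: int) -> Optional[Key]:
        active = [k for k in self.keys.values() if k.send_window[0] <= now < k.send_window[1]]
        if len(active) > 1:
            raise ValueError("send windows overlap: only one send key may be active")
        if active:
            return active[0]
        # No send window covers this instant: fall back to the default send key, if any.
        return self.keys.get(self.default_send_key) if self.default_send_key is not None else None

    def receive_keys(self, now: int) -> List[Key]:
        tol = self.receive_tolerance
        return [k for k in self.keys.values()
                if k.receive_window[0] - tol <= now < k.receive_window[1] + tol]


def compute_mac(key: Key, payload: bytes) -> bytes:
    return hmac.new(key.key_string, payload, ALGORITHMS[key.algorithm]).digest()


def build_packet(chain: Keychain, now: int, payload: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    key = chain.send_key(now)
    if key is None:
        return None  # no active send key: nothing to authenticate the packet with
    return (key.key_id, payload, compute_mac(key, payload))


def verify_packet(chain: Keychain, now: int, packet: Tuple[int, bytes, bytes]) -> bool:
    key_id, payload, tag = packet
    # Several receive keys may be active; the one whose key-id matches the packet is used.
    for key in chain.receive_keys(now):
        if key.key_id == key_id:
            return hmac.compare_digest(compute_mac(key, payload), tag)
    return False


def make_chain(tolerance: int, default_send_key: Optional[int] = None) -> Keychain:
    # Constructed schedule: key 1 covers the first 1000 s, key 2 covers 1000 s to 2000 s.
    chain = Keychain("rollover-demo", receive_tolerance=tolerance, default_send_key=default_send_key)
    chain.add_key(Key(1, "hmac-sha-256", b"first-secret", (0, 1000), (0, 1000)))
    chain.add_key(Key(2, "hmac-sha-256", b"second-secret", (1000, 2000), (1000, 2000)))
    return chain


def rollover_accepted(tolerance: int, clock_skew: int, receiver_now: int) -> bool:
    """Both ends share the same keychain, but the sender's clock runs clock_skew
    seconds ahead. Returns whether the receiver accepts the sender's packet."""
    sender, receiver = make_chain(tolerance), make_chain(tolerance)
    packet = build_packet(sender, receiver_now + clock_skew, b"rip-update")
    return packet is not None and verify_packet(receiver, receiver_now, packet)


if __name__ == "__main__":
    # Sender is 90 s ahead and already uses key 2; the receiver still expects key 1.
    print("no tolerance  :", rollover_accepted(0, 90, 950))    # False: packet dropped
    print("tolerance 120 :", rollover_accepted(120, 90, 950))  # True: key 2 accepted early
    # A gap after the last key leaves no send key unless a default send key is set.
    print("gap, no default:", build_packet(make_chain(0), 2500, b"x"))                     # None
    print("gap, default   :", build_packet(make_chain(0, default_send_key=2), 2500, b"x")[0])  # 2
```

Without tolerance the receiver rejects every packet sent during the skew window; a tolerance larger than the expected skew lets it accept key 2 before its own clock reaches the boundary. The same widening keeps key 1 accepted after its window closes, so choose a small multiple of the expected clock drift rather than infinite, which removes the receive-side time bound altogether.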

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    keychain keychain-name

    The keychain view is displayed.

  3. Run:

    key-id key-id

    A key with the specified key ID is created and the key-id view is displayed, in which the key is configured.

  4. Run:

    algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }

    An algorithm is configured.

    NOTE:

    Different protocols support different algorithms.

    RIP supports MD5. BGP and BGP4+ support MD5. IS-IS supports HMAC-MD5. OSPF supports MD5 and HMAC-MD5. MSDP supports MD5. TRILL supports HMAC-MD5.

  5. Run:

    key-string { plain plain-text | [ cipher ] cipher-text }

    A key string is configured. With plain, the key is stored in plain text in the configuration file; with cipher (the default), it is stored in cipher text. Use cipher so that the key cannot be read back from the configuration.

  6. Configure the send time. Different time modes use different commands to configure the send time. Table 12-30 shows commands to configure the send time based on different time modes.

    Table 12-30 Configuring the send time

    Time Mode           Command to Configure the Send Time
    absolute            send-time utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      send-time daily start-time to end-time
    periodic weekly     send-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    send-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     send-time month { start-month-name to end-month-name | month-name &<1-12> }

    NOTE:

    Send and receive times are evaluated against the device clock, so enable Network Time Protocol (NTP) on every device that shares the keychain to keep their clocks consistent.

  7. Configure the receive time. Different time modes use different commands to configure the receive time. Table 12-31 shows commands to configure the receive time based on different time modes.

    Table 12-31 Configuring the receive time

    Time Mode           Command to Configure the Receive Time
    absolute            receive-time utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      receive-time daily start-time to end-time
    periodic weekly     receive-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    receive-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     receive-time month { start-month-name to end-month-name | month-name &<1-12> }

  8. (Optional) Run:

    default send-key-id

    The key is configured as the default key for sending packets.

  9. Run:

    commit

    The configuration is committed.

Applying the Keychain

Context

The keychain only takes effect after it is applied to an application.

This section uses RIP as an example to describe how to apply a keychain to an application. Each application has its own command for applying a keychain; Table 12-32 lists them.

Table 12-32 Protocols that support keychain authentication

Protocol       Reference (all in the CX11x, CX31x, CX710, and CX91x Series Switch Modules V100R001C10 Command Reference)
RIP            rip authentication-mode
MSDP           peer keychain (MSDP)
OSPF           authentication-mode (OSPF area) and ospf authentication-mode
IS-IS          area-authentication-mode and isis authentication-mode
BGP/BGP4+      peer keychain (BGP)
TRILL          area-authentication-mode (TRILL) and trill authentication-mode

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    rip authentication-mode md5 nonstandard { keychain keychain-name | { plain plain-text | [ cipher ] password-key } key-id }

    The keychain used by RIP on this interface is configured.

  5. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display keychain keychain-name command to check the keychain configuration.
  • Run the display keychain keychain-name key-id key-id command to check the key-id configuration.
Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 58676

Downloads: 3621

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next