CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Example for Configuring a Keychain

This chapter describes configuration examples of Keychain including networking requirements, configuration roadmap, and configuration procedure.

Example for Applying the Keychain to RIP

Networking Requirements

As shown in Figure 12-72, Switch ModuleA and Switch ModuleB are connected using RIP-2.

The RIP connection needs to be retained during data transmission.

Figure 12-72 Networking diagram of applying the keychain to RIP

Configuration Roadmap

Stable RIP connections depend on RIP protocol packets being transmitted correctly. You are advised to authenticate and encrypt the packets to ensure transmission security. In addition, to prevent unauthorized users from forging the algorithms and key strings used in authentication and encryption, you are advised to change the algorithms and key strings dynamically. The keychain protocol is therefore used to ensure the stability of RIP connections.

The configuration roadmap is as follows:

  1. Configure basic RIP functions.

  2. Configure a keychain.

  3. Apply the keychain to RIP.

Procedure

  1. Configure basic RIP functions.

    # Configure Switch Module A.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleA
    [*HUAWEI] commit
    [~Switch ModuleA] rip 1
    [*Switch ModuleA-rip-1] version 2
    [*Switch ModuleA-rip-1] network 192.168.1.0
    [*Switch ModuleA-rip-1] commit
    [~Switch ModuleA-rip-1] quit

    # Configure Switch Module B.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleB
    [*HUAWEI] commit
    [~Switch ModuleB] rip 1
    [*Switch ModuleB-rip-1] version 2
    [*Switch ModuleB-rip-1] network 192.168.1.0
    [*Switch ModuleB-rip-1] commit
    [~Switch ModuleB-rip-1] quit

  2. Configure a keychain.

    # Configure Switch Module A.

    [~Switch ModuleA] keychain huawei mode absolute
    [*Switch ModuleA-keychain-huawei] receive-tolerance 100
    [*Switch ModuleA-keychain-huawei] key-id 1
    [*Switch ModuleA-keychain-huawei-keyid-1] algorithm md5
    [*Switch ModuleA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [*Switch ModuleA-keychain-huawei-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
    [*Switch ModuleA-keychain-huawei-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
    [*Switch ModuleA-keychain-huawei-keyid-1] default send-key-id
    [*Switch ModuleA-keychain-huawei-keyid-1] commit
    [~Switch ModuleA-keychain-huawei-keyid-1] quit
    [~Switch ModuleA-keychain-huawei] quit

    # Configure Switch Module B.

    [~Switch ModuleB] keychain huawei mode absolute
    [*Switch ModuleB-keychain-huawei] receive-tolerance 100
    [*Switch ModuleB-keychain-huawei] key-id 1
    [*Switch ModuleB-keychain-huawei-keyid-1] algorithm md5
    [*Switch ModuleB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [*Switch ModuleB-keychain-huawei-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
    [*Switch ModuleB-keychain-huawei-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
    [*Switch ModuleB-keychain-huawei-keyid-1] default send-key-id
    [*Switch ModuleB-keychain-huawei-keyid-1] commit
    [~Switch ModuleB-keychain-huawei-keyid-1] quit
    [~Switch ModuleB-keychain-huawei] quit

  3. Apply the keychain to RIP.

    # Configure Switch Module A.

    [~Switch ModuleA] vlan 10
    [*Switch ModuleA-vlan10] quit
    [*Switch ModuleA] interface 10ge 1/17/1
    [*Switch ModuleA-10GE1/17/1] port link-type trunk
    [*Switch ModuleA-10GE1/17/1] port trunk allow-pass vlan 10
    [*Switch ModuleA-10GE1/17/1] quit
    [*Switch ModuleA] interface vlanif 10
    [*Switch ModuleA-Vlanif10] ip address 192.168.1.1 24
    [*Switch ModuleA-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei
    [*Switch ModuleA-Vlanif10] commit
    [~Switch ModuleA-Vlanif10] quit
    [~Switch ModuleA] quit

    # Configure Switch Module B.

    [~Switch ModuleB] vlan 10
    [*Switch ModuleB-vlan10] quit
    [*Switch ModuleB] interface 10ge 1/17/1
    [*Switch ModuleB-10GE1/17/1] port link-type trunk
    [*Switch ModuleB-10GE1/17/1] port trunk allow-pass vlan 10
    [*Switch ModuleB-10GE1/17/1] quit
    [*Switch ModuleB] interface vlanif 10
    [*Switch ModuleB-Vlanif10] ip address 192.168.1.2 24
    [*Switch ModuleB-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei
    [*Switch ModuleB-Vlanif10] commit
    [~Switch ModuleB-Vlanif10] quit
    [~Switch ModuleB] quit

  4. Verify the configuration.

    Run the display keychain keychain-name command to check the key-id status of the keychain.

    <Switch ModuleA> display keychain huawei
     Keychain information:
     ----------------------
     Keychain name             : huawei
       Timer mode              : Absolute
       Receive tolerance(min)  : 100
       TCP kind                : 254
       TCP algorithm ID        :
         HMAC-MD5              : 5
         HMAC-SHA1-12          : 2
         HMAC-SHA1-20          : 6
         MD5                   : 3
         SHA1                  : 4
         HMAC-SHA-256          : 7
         SHA-256               : 8
     Number of key ID          : 1
     Active send key ID        : 1
     Active receive key ID     : 01
     Default send key ID       : Not configured
    
     Key ID information:
     ----------------------
     Key ID                    : 1
       Key string              : ******
       Algorithm               : MD5
       Send timer              :
         Start time            : 2012-03-12 00:00
         End time              : 2012-03-12 23:59
         Status                : Active
       Receive timer           :
         Start time            : 2012-03-12 00:00
         End time              : 2012-03-12 23:59
         Status                : Active
                                          

    After the keychain is applied to RIP, run the display rip process-id interface verbose command to check the authentication mode of RIP packets. The display on Switch Module A is used as an example.

    <Switch ModuleA> display rip 1 interface verbose
     Vlanif10(192.168.1.1)
      State           : UP          MTU    : 500
      Metricin        : 0
      Metricout       : 1
      Input           : Enabled     Output : Enabled
      Protocol        : RIPv2 Multicast
      Send version    : RIPv2 Multicast Packets
      Receive version : RIPv2 Multicast and Broadcast Packets
      Poison-reverse                : Disabled
      Split-Horizon                 : Enabled
      Authentication type           : MD5 (Non-standard - Keychain: huawei)
         Last Sequence Number Sent  : 0x0
      Replay Protection             : Disabled 
      Max Packet Length             : 512          

Configuration Files
  • Configuration file of Switch Module A

    #
    sysname Switch ModuleA
    #
    vlan batch 10
    #
    keychain huawei mode absolute
     receive-tolerance 100
     #
     key-id 1
      algorithm md5
      key-string cipher @%@%)q'gCwwh203F<9F"eh!G$(3L@%@%
      send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
      receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
      default send-key-id 
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
     rip authentication-mode md5 nonstandard keychain huawei
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    rip 1
     version 2
     network 192.168.1.0
    #
    return
  • Configuration file of Switch Module B

    #
    sysname Switch ModuleB
    #
    vlan batch 10
    #
    keychain huawei mode absolute
     receive-tolerance 100
     #
     key-id 1
      algorithm md5
      key-string cipher @%@%Jd<)UdM9[XwN^xLs~auJVAlq@%@%
      send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
      receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
      default send-key-id 
    #
    interface Vlanif10
     ip address 192.168.1.2 255.255.255.0
     rip authentication-mode md5 nonstandard keychain huawei
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    rip 1
     version 2
     network 192.168.1.0
    #
    return
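
The key in this example is valid for a single day, so which key-id is usable depends on the current time, the receive tolerance and the default send key. The following Python check is an added example, not part of the Huawei guide: it parses an absolute-mode keychain stanza in the configuration-file form shown above, reports which key-id would send and receive at a given UTC time, and flags MD5-based keys. The function names, the placeholder key string and the two timing rules marked as assumptions in the comments are not taken from this page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the form of Switch Module A's RIP configuration file.
SAMPLE = """\
keychain huawei mode absolute
 receive-tolerance 100
 #
 key-id 1
  algorithm md5
  key-string cipher <placeholder>
  send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
  receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
  default send-key-id
#
"""

def _utc(hhmm, date):
    return datetime.strptime(f"{date} {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def parse_keychain(text):
    """Parse one absolute-mode keychain stanza into a dict."""
    chain, key = {"tolerance": timedelta(0), "keys": {}}, None
    for words in (ln.split() for ln in text.splitlines() if ln.strip()):
        if words[0] == "keychain":
            chain["name"] = words[1]
        elif words[0] == "receive-tolerance":
            chain["tolerance"] = timedelta(minutes=int(words[1]))
        elif words[0] == "key-id":
            key = chain["keys"].setdefault(int(words[1]), {"default": False})
        elif key is not None and words[0] == "algorithm":
            key["algorithm"] = words[1]
        elif key is not None and words[0] in ("send-time", "receive-time") and words[1:2] == ["utc"]:
            # <cmd> utc HH:MM YYYY-MM-DD to HH:MM YYYY-MM-DD
            key[words[0]] = (_utc(words[2], words[3]), _utc(words[5], words[6]))
        elif key is not None and words[:2] == ["default", "send-key-id"]:
            key["default"] = True
    return chain

def audit(chain, now):
    """Return (send_key_id, receive_key_ids, findings) at UTC instant `now`."""
    tol, keys = chain["tolerance"], chain["keys"]
    findings = [f"key-id {k}: algorithm {v['algorithm']} is MD5-based"
                for k, v in keys.items() if "md5" in v.get("algorithm", "")]
    send = [k for k, v in keys.items()
            if "send-time" in v and v["send-time"][0] <= now <= v["send-time"][1]]
    # Assumption: receive-tolerance widens the receive window at both ends.
    recv = [k for k, v in keys.items() if "receive-time" in v
            and v["receive-time"][0] - tol <= now <= v["receive-time"][1] + tol]
    if not send:  # Assumption: default send key is used when no send-time matches.
        send = [k for k, v in keys.items() if v["default"]]
        findings.append(f"send-time window not matched; default send key-id: {send or 'none'}")
    if not recv:
        findings.append("no key accepts received packets at this time")
    return (send[0] if send else None), recv, findings
```

Running `audit(parse_keychain(SAMPLE), now)` for times before, during and after 2012-03-12 shows when the key stops being accepted on receive even though a default send key is still in use.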

Example for Applying the Keychain to BGP

Networking Requirements

As shown in Figure 12-73, Switch ModuleA and Switch ModuleB are connected using BGP.

The BGP connection needs to be retained during data transmission.

Figure 12-73 Networking diagram of applying the keychain to BGP

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the basic keychain functions.

  2. Configure a keychain for Switch Module to authenticate BGP.

Procedure

  1. Configure a keychain.

    # Configure Switch Module A.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleA
    [*HUAWEI] commit
    [~Switch ModuleA] keychain huawei mode periodic weekly
    [*Switch ModuleA-keychain-huawei] tcp-kind 182
    [*Switch ModuleA-keychain-huawei] tcp-algorithm-id md5 17
    [*Switch ModuleA-keychain-huawei] receive-tolerance 100
    [*Switch ModuleA-keychain-huawei] key-id 1
    [*Switch ModuleA-keychain-huawei-keyid-1] algorithm md5
    [*Switch ModuleA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [*Switch ModuleA-keychain-huawei-keyid-1] send-time day fri sat
    [*Switch ModuleA-keychain-huawei-keyid-1] receive-time day fri sat
    [*Switch ModuleA-keychain-huawei-keyid-1] commit
    [~Switch ModuleA-keychain-huawei-keyid-1] quit
    [~Switch ModuleA-keychain-huawei] quit

    # Configure Switch Module B.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleB
    [*HUAWEI] commit
    [~Switch ModuleB] keychain huawei mode periodic weekly
    [*Switch ModuleB-keychain-huawei] tcp-kind 182
    [*Switch ModuleB-keychain-huawei] tcp-algorithm-id md5 17
    [*Switch ModuleB-keychain-huawei] receive-tolerance 100
    [*Switch ModuleB-keychain-huawei] key-id 1
    [*Switch ModuleB-keychain-huawei-keyid-1] algorithm md5
    [*Switch ModuleB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [*Switch ModuleB-keychain-huawei-keyid-1] send-time day fri sat
    [*Switch ModuleB-keychain-huawei-keyid-1] receive-time day fri sat
    [*Switch ModuleB-keychain-huawei-keyid-1] commit
    [~Switch ModuleB-keychain-huawei-keyid-1] quit
    [~Switch ModuleB-keychain-huawei] quit

  2. Apply the keychain to BGP for authentication and encryption.

    # Configure Switch Module A.

    [~Switch ModuleA] vlan 10
    [*Switch ModuleA-vlan10] quit
    [*Switch ModuleA] interface 10ge 1/17/1
    [*Switch ModuleA-10GE1/17/1] port link-type trunk
    [*Switch ModuleA-10GE1/17/1] port trunk allow-pass vlan 10
    [*Switch ModuleA-10GE1/17/1] quit
    [*Switch ModuleA] interface vlanif 10
    [*Switch ModuleA-Vlanif10] ip address 192.168.1.1 24
    [*Switch ModuleA-Vlanif10] commit
    [~Switch ModuleA-Vlanif10] quit
    [~Switch ModuleA] bgp 1
    [*Switch ModuleA-bgp] router-id 1.1.1.1
    [*Switch ModuleA-bgp] peer 192.168.1.2 as-number 1
    [*Switch ModuleA-bgp] peer 192.168.1.2 keychain huawei
    [*Switch ModuleA-bgp] commit
    [~Switch ModuleA-bgp] quit
    [~Switch ModuleA] quit

    # Configure Switch Module B.

    [~Switch ModuleB] vlan 10
    [*Switch ModuleB-vlan10] quit
    [*Switch ModuleB] interface 10ge 1/17/1
    [*Switch ModuleB-10GE1/17/1] port link-type trunk
    [*Switch ModuleB-10GE1/17/1] port trunk allow-pass vlan 10
    [*Switch ModuleB-10GE1/17/1] quit
    [*Switch ModuleB] interface vlanif 10
    [*Switch ModuleB-Vlanif10] ip address 192.168.1.2 24
    [*Switch ModuleB-Vlanif10] commit
    [~Switch ModuleB-Vlanif10] quit
    [~Switch ModuleB] bgp 1
    [*Switch ModuleB-bgp] router-id 2.2.2.2
    [*Switch ModuleB-bgp] peer 192.168.1.1 as-number 1
    [*Switch ModuleB-bgp] peer 192.168.1.1 keychain huawei 
    [*Switch ModuleB-bgp] commit
    [~Switch ModuleB-bgp] quit
    [~Switch ModuleB] quit

  3. Verify the configuration.

    Run the display keychain keychain-name command to check the key-id status of the keychain.

    <Switch ModuleA> display keychain huawei
     Keychain information:
     ---------------------
     Keychain name             : huawei
       Timer mode              : Weekly periodic
       Receive tolerance(min)  : 100
       TCP kind                : 182
       TCP algorithm ID        :
         HMAC-MD5              : 5
         HMAC-SHA1-12          : 2
         HMAC-SHA1-20          : 6
         MD5                   : 17
         SHA1                  : 4
         HMAC-SHA-256          : 7
         SHA-256               : 8
     Number of key ID          : 1
     Active send key ID        : 1
     Active receive key ID     : 01
     Default send key ID       : Not configured
    
    
     Key ID information:
     -------------------
     Key ID                    : 1
       Key string              : ******
       Algorithm               : MD5
       Send timer              :
         Day(s)                : Fri Sat
         Status                : Active
       Receive timer           :
         Day(s)                : Fri Sat
         Status                : Active
    

    After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command to check authentication information about the BGP peer. The display on Switch Module A is used as an example.

    <Switch ModuleA> display bgp peer 192.168.1.2 verbose
     BGP Peer is 192.168.1.2,  remote AS 1
     Type: IBGP link
     BGP version 4, Remote router ID 2.2.2.2
     Update-group ID: 3
     BGP current state: Established, Up for 00h03m40s
     BGP current event: RecvKeepalive
     BGP last state: OpenConfirm
     BGP Peer Up count: 1
     Received total routes: 0
     Received active routes total: 0
     Advertised total routes: 0
     Port: Local - 179        Remote - 53183
     Configured: Connect-retry Time: 32 sec
     Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
     Received  : Active Hold Time: 180 sec
     Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
     Peer optional capabilities:
      Peer supports bgp multi-protocol extension
      Peer supports bgp route refresh capability
      Peer supports bgp 4-byte-as capability
      Address family IPv4 Unicast: advertised and received
     Received: 
                      Total  messages                7
                      Update messages                1
                      Open messages                  1
                      KeepAlive messages             5
                      Notification messages          0
                      Refresh messages               0
     Sent    : 
                      Total  messages                7
                      Update messages                1
                      Open messages                  1
                      KeepAlive messages             5
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: Keychain(huawei)
      Last keepalive received: 2014-05-26 16:55:58+00:00
      Last keepalive sent    : 2014-05-26 16:55:58+00:00
      Last update received   : 2014-05-26 16:52:27+00:00
      Last update sent       : 2014-05-26 16:52:27+00:00
      No refresh received since peer has been configured
      No refresh sent since peer has been configured
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

Configuration Files
  • Configuration file of Switch Module A

    #
    sysname Switch ModuleA
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id md5 17
     #
     key-id 1
      algorithm md5
      key-string cipher @%@%)q'gCwwh203F<9F"eh!G$(3L@%@%
      send-time day fri sat
      receive-time day fri sat
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    bgp 1
     router-id 1.1.1.1
     peer 192.168.1.2 as-number 1
     peer 192.168.1.2 keychain huawei
     #
     ipv4-family unicast
      peer 192.168.1.2 enable
    #
    return
  • Configuration file of Switch Module B

    #
    sysname Switch ModuleB
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id md5 17
     #
     key-id 1
      algorithm md5
      key-string cipher @%@%Jd<)UdM9[XwN^xLs~auJVAlq@%@%
      send-time day fri sat
      receive-time day fri sat
    #
    interface Vlanif10
     ip address 192.168.1.2 255.255.255.0
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    bgp 1
     router-id 2.2.2.2
     peer 192.168.1.1 as-number 1
     peer 192.168.1.1 keychain huawei
     #
     ipv4-family unicast
      peer 192.168.1.1 enable
    #
    return
Updated: 2019-08-09

Document ID: EDOC1000041694
