Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Example for Applying the Keychain to BGP

Networking Requirements

As shown in Figure 15-9, SwitchA and SwitchB are connected using BGP.

The BGP session between them must remain established during data transmission.

Figure 15-9  Networking diagram of applying the keychain to BGP

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the basic keychain functions.

  2. Apply the keychain to BGP on each switch so that the peers authenticate each other.

Procedure

  1. Configure a keychain.

    # Configure Switch A.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] keychain huawei mode periodic weekly
    [SwitchA-keychain-huawei] tcp-kind 182
    [SwitchA-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
    [SwitchA-keychain-huawei] receive-tolerance 100
    [SwitchA-keychain-huawei] key-id 1
    [SwitchA-keychain-huawei-keyid-1] algorithm hmac-sha-256
    [SwitchA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [SwitchA-keychain-huawei-keyid-1] send-time day mon to sat
    [SwitchA-keychain-huawei-keyid-1] receive-time day mon to sat
    [SwitchA-keychain-huawei-keyid-1] default send-key-id
    [SwitchA-keychain-huawei-keyid-1] quit
    [SwitchA-keychain-huawei] quit

    # Configure Switch B.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] keychain huawei mode periodic weekly
    [SwitchB-keychain-huawei] tcp-kind 182
    [SwitchB-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
    [SwitchB-keychain-huawei] receive-tolerance 100
    [SwitchB-keychain-huawei] key-id 1
    [SwitchB-keychain-huawei-keyid-1] algorithm hmac-sha-256
    [SwitchB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [SwitchB-keychain-huawei-keyid-1] send-time day mon to sat
    [SwitchB-keychain-huawei-keyid-1] receive-time day mon to sat
    [SwitchB-keychain-huawei-keyid-1] default send-key-id
    [SwitchB-keychain-huawei-keyid-1] quit
    [SwitchB-keychain-huawei] quit

  2. Apply the keychain to BGP for authentication and encryption.

    # Configure Switch A.

    [SwitchA] vlan 10
    [SwitchA-vlan10] quit
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
    [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
    [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface vlanif 10
    [SwitchA-Vlanif10] ip address 192.168.1.1 24
    [SwitchA-Vlanif10] quit
    [SwitchA] bgp 1
    [SwitchA-bgp] router-id 1.1.1.1
    [SwitchA-bgp] peer 192.168.1.2 as-number 1
    [SwitchA-bgp] peer 192.168.1.2 keychain huawei
    [SwitchA-bgp] quit
    [SwitchA] quit

    # Configure Switch B.

    [SwitchB] vlan 10
    [SwitchB-vlan10] quit
    [SwitchB] interface gigabitethernet 0/0/1
    [SwitchB-GigabitEthernet0/0/1] port link-type hybrid
    [SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
    [SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
    [SwitchB-GigabitEthernet0/0/1] quit
    [SwitchB] interface vlanif 10
    [SwitchB-Vlanif10] ip address 192.168.1.2 24
    [SwitchB-Vlanif10] quit
    [SwitchB] bgp 1
    [SwitchB-bgp] router-id 2.2.2.2
    [SwitchB-bgp] peer 192.168.1.1 as-number 1
    [SwitchB-bgp] peer 192.168.1.1 keychain huawei
    [SwitchB-bgp] quit
    [SwitchB] quit

  3. Verify the configuration.

    # Run the display keychain keychain-name command to check the key-id status of the keychain.

    <SwitchA> display keychain huawei
     Keychain Information:
     ---------------------
     Keychain Name             : huawei
       Timer Mode              : Weekly periodic
       Time Type               : Lmt
       Receive Tolerance(min)  : 100
       TCP Kind                : 182
       TCP Algorithm IDs       :
         HMAC-MD5              : 5
         HMAC-SHA1-12          : 2
         HMAC-SHA1-20          : 6
         HMAC-SHA-256          : 17
         SHA-256               : 8
         MD5                   : 3
         SHA1                  : 4
     Number of Key IDs         : 1
     Active Send Key ID        : 1
     Active Receive Key IDs    : 01
     Default send Key ID       : 1
     Default send Key Status   : Inactive


     Key ID Information:
     -------------------
     Key ID                    : 1
       Key string              : ******
       Algorithm               : HMAC-SHA-256
       SEND TIMER              :
         Day(s)                : Mon Tue Wed Thu Fri Sat
         Status                : Active
       RECEIVE TIMER           :
         Day(s)                : Mon Tue Wed Thu Fri Sat
         Status                : Active


    # When the network runs stably, run the display bgp peer ipv4-address verbose command to check authentication information about the BGP peer. The display on Switch A is used as an example.

    <SwitchA> display bgp peer 192.168.1.2 verbose

            BGP Peer is 192.168.1.2,  remote AS 1
            Type: IBGP link
            BGP version 4, Remote router ID 2.2.2.2
            Update-group ID: 1
            BGP current state: Established, Up for 00h05m17s
            BGP current event: RecvKeepalive
            BGP last state: OpenConfirm
            BGP Peer Up count: 1
            Received total routes: 0
            Received active routes total: 0
            Advertised total routes: 0
            Port:  Local - 179      Remote - 55828
            Configured: Connect-retry Time: 32 sec
            Configured: Min Hold Time: 0 sec
            Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
            Received  : Active Hold Time: 180 sec
            Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
            Peer optional capabilities:
            Peer supports bgp multi-protocol extension
            Peer supports bgp route refresh capability
            Peer supports bgp 4-byte-as capability
            Address family IPv4 Unicast: advertised and received
     Received: Total 7 messages
                     Update messages                0
                     Open messages                  1
                     KeepAlive messages             6
                     Notification messages          0
                     Refresh messages               0
     Sent: Total 9 messages
                     Update messages                0
                     Open messages                  2
                     KeepAlive messages             7
                     Notification messages          0
                     Refresh messages               0
     Authentication type configured: Keychain(huawei)
     Last keepalive received: 2014-11-04 11:02:39+00:00
     Last keepalive sent    : 2014-11-04 11:02:39+00:00
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured
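
The keychain's weekly send-time and receive-time timers, together with receive-tolerance and default send-key-id, decide which key authenticates BGP segments at any given moment. The following Python model is an added example (not Huawei code) that evaluates the huawei keychain configured above; it assumes that receive-tolerance widens each receive-time window by the configured number of minutes on both sides and that default send-key-id supplies the send key whenever no send-time matches. It also scans a whole week for periods in which no receive key is active, which is the gap a Mon-Sat schedule leaves on Sunday.

```python
from collections import namedtuple
from datetime import datetime, timedelta
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
# keys: list of (key_id, send_days, receive_days); default_send_key_id: the key carrying 'default send-key-id'
Keychain = namedtuple("Keychain", "receive_tolerance_min default_send_key_id keys")

def day_range(spec):
    """Expand the 'mon to sat' day syntax of send-time/receive-time into a set of day names."""
    first, _, last = spec.partition(" to ")
    i, j = DAYS.index(first), DAYS.index(last or first)
    return set(DAYS[i:j + 1]) if i <= j else set(DAYS[i:] + DAYS[:j + 1])

def in_window(days, at, tolerance_min=0):
    """True if 'at' lies on a configured day, widened by tolerance_min on each side (assumed tolerance semantics)."""
    tol = timedelta(minutes=tolerance_min)
    midnight = at.replace(hour=0, minute=0, second=0, microsecond=0)
    for d in days:
        day_start = midnight - timedelta(days=at.weekday() - DAYS.index(d))  # that weekday in at's own week
        for shift in (-7, 0, 7):  # also try adjacent weeks so the Sat->Sun and Sun->Mon edges are right
            s = day_start + timedelta(days=shift)
            if s - tol <= at < s + timedelta(days=1) + tol:
                return True
    return False

def active_send_key(kc, at):
    """First key inside its send-time; otherwise the default send key ('default send-key-id')."""
    for key_id, send_days, _ in kc.keys:
        if in_window(send_days, at):
            return key_id
    return kc.default_send_key_id

def active_receive_keys(kc, at):
    """All keys whose receive-time plus receive-tolerance covers 'at'."""
    return {kid for kid, _, recv_days in kc.keys if in_window(recv_days, at, kc.receive_tolerance_min)}

def receive_gaps(kc, week_start, step_min=10):
    """Scan one week; return (start, end) spans with no active receive key, when peer segments cannot be authenticated."""
    gaps, gap_start, t = [], None, week_start
    while t < week_start + timedelta(days=7):
        if not active_receive_keys(kc, t):
            gap_start = gap_start or t
        elif gap_start is not None:
            gaps.append((gap_start, t))
            gap_start = None
        t += timedelta(minutes=step_min)
    return gaps + ([(gap_start, t)] if gap_start else [])

# Keychain 'huawei' as configured on SwitchA and SwitchB above: one key, Mon-Sat, receive-tolerance 100 min
HUAWEI = Keychain(100, 1, [(1, day_range("mon to sat"), day_range("mon to sat"))])
EXAMPLE_WEEK = datetime(2014, 11, 3)  # Monday of the week in the display output above (2014-11-04 is Tuesday)
```

Under these assumptions receive_gaps(HUAWEI, EXAMPLE_WEEK) reports Sunday 01:40 to 22:20 as uncovered: key 1 stops being a valid receive key 100 minutes after Saturday ends and only becomes valid again 100 minutes before Monday starts, while the sender keeps using key 1 through default send-key-id.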

Configuration Files

  • Switch A configuration file

    #
    sysname SwitchA
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id hmac-sha-256 17
     key-id 1
      algorithm hmac-sha-256
      key-string cipher %^%#Vj-D<jJ%aNGasyD!w#hVP]6xEn`_l(7bf6%m;P3P%^%#
      send-time day mon to sat
      receive-time day mon to sat
      default send-key-id
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type hybrid
     port hybrid pvid vlan 10
     port hybrid untagged vlan 10
    #
    bgp 1
     router-id 1.1.1.1
     peer 192.168.1.2 as-number 1
     peer 192.168.1.2 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.2 enable
    #
    return
  • Switch B configuration file

    #
    sysname SwitchB
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id hmac-sha-256 17
     key-id 1
      algorithm hmac-sha-256
      key-string cipher %^%#Dvqg<X&x>"h`1&Q\1RAT>0\TVnbc<FJyVlAy=p<#%^%#
      send-time day mon to sat
      receive-time day mon to sat
      default send-key-id
    #
    interface Vlanif10
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type hybrid
     port hybrid pvid vlan 10
     port hybrid untagged vlan 10
    #
    bgp 1
     router-id 2.2.2.2
     peer 192.168.1.1 as-number 1
     peer 192.168.1.1 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.1 enable
    #
    return
Updated: 2019-03-28

Document ID: EDOC1000178177
