
Configuration Guide - DCN and Server Management

CloudEngine 8800, 7800, 6800, and 5800 V200R003C00

This document describes the configurations of Trill, FCoE, DCB, and NLB Server Cluster Association.
Improving TRILL Network Security

Pre-configuration Task

Before configuring TRILL authentication, complete the following task:

Configuration Procedure

You can choose one or more configuration tasks as required.

Configuring TRILL Packet Authentication

Context

In most cases, RBs neither add authentication information to the TRILL packets they send nor authenticate the TRILL packets they receive, so the network is open to attacks. To improve network security, configure TRILL authentication.

In TRILL packet authentication, LSPs and SNPs carry authentication information. After receiving the packets, the remote RB authenticates them and discards those that fail the authentication.

RBs in the same area must share the same authentication mode and password so that TRILL packets can be flooded properly. Whether LSPs and SNPs pass authentication does not affect the establishment of neighbor relationships; neighbor relationships depend on Hello packets, which are covered by interface authentication.

If plain is selected when configuring the TRILL packet authentication mode, the password is saved in the configuration file in plain text, which is a security risk. It is recommended that you select cipher so that the password is saved in cipher text.

Simple and MD5 authentication have potential risks. HMAC-SHA256 cipher-text authentication is recommended.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run trill

    The TRILL view is displayed.

  3. Run area-authentication-mode { { simple | md5 | hmac-sha256 key-id key-id } { [ cipher ] password-key | plain password } | keychain keychain-name } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

    LSP and SNP authentication is configured.

    The authentication involves the following situations:

    • The RB encapsulates the authentication information into LSPs and SNPs to be sent and checks whether the received packets pass authentication. The RB then discards the packets that do not pass the authentication. In this case, neither the snp-packet parameter nor the all-send-only parameter needs to be configured.

    • The RB encapsulates authentication information into LSPs to be sent and checks whether the received LSPs pass the authentication. The RB neither encapsulates the SNPs to be sent with authentication information nor checks whether the received SNPs pass the authentication. In this case, the parameter snp-packet authentication-avoid needs to be specified.

    • The RB encapsulates the LSPs and SNPs to be sent with authentication information; however, it checks the authentication result of only the received LSPs, not SNPs. In this case, the parameter snp-packet send-only needs to be configured.

    • The RB encapsulates the LSPs and SNPs to be sent with authentication information, but does not check whether the received LSPs or SNPs pass the authentication. In this case, the parameter all-send-only needs to be specified.

    NOTE:

    If keychain authentication is used, the algorithm of the keychain must be configured as HMAC-MD5.

  4. Run commit

    The configuration is committed.

Configuring TRILL Interface Authentication

Context

In TRILL interface authentication, authentication information is configured on a TRILL interface, and the Hello packets sent through the interface carry that information. Only Hello packets that pass authentication are accepted.

If TRILL interface authentication is configured on both ends, they must share the same authentication mode and password so that neighbor relationships can be established between them.

If plain is selected when configuring the TRILL interface authentication mode, the password is saved in the configuration file in plain text, which is a security risk. It is recommended that you select cipher so that the password is saved in cipher text.

Simple and MD5 authentication have potential risks. HMAC-SHA256 cipher-text authentication is recommended.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run trill authentication-mode { { simple | md5 | hmac-sha256 key-id key-id } { [ cipher ] password-key | plain password } | keychain keychain-name } [ send-only ]

    The authentication mode and password are configured on the interface.

    • Configure send-only if the TRILL interface needs to encapsulate authentication information into Hello packets to be sent and does not need to check whether the received packets pass the authentication.

    • Do not configure send-only if the TRILL interface needs to encapsulate authentication information into Hello packets to be sent and check whether the received packets pass the authentication. In addition, configure the same authentication information for all TRILL interfaces in the same VLAN to ensure normal communication.

    NOTE:

    If keychain authentication is used, the algorithm of the keychain must be configured as HMAC-MD5.

  4. Run commit

    The configuration is committed.
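As an added defender-side example (not part of this guide and not Huawei's own code), the following Python script audits a saved CloudEngine configuration against the recommendations in the packet authentication procedure above and in the interface authentication procedure just completed. It flags plain password storage, the simple and md5 modes, the keychain note, and the send-only, all-send-only and authentication-avoid options under which received packets are not checked, and it reports a trill view that has no area-authentication-mode at all. The two sample configurations, the interface names and the cipher-text placeholder are constructed; the command syntax follows the two commands documented above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running configurations (not taken from the guide).
# Interface names and the cipher-text placeholder are assumptions.
WEAK_CONFIG = """\
#
trill
 area-authentication-mode md5 plain Secret123 snp-packet send-only
#
interface 10GE1/0/1
 trill authentication-mode simple plain Secret123
#
interface 10GE1/0/2
 trill authentication-mode keychain kc-trill send-only
#
"""

HARDENED_CONFIG = """\
#
trill
 area-authentication-mode hmac-sha256 key-id 1 cipher %^%#CIPHERTEXT-PLACEHOLDER#%^%
#
interface 10GE1/0/1
 trill authentication-mode hmac-sha256 key-id 1 cipher %^%#CIPHERTEXT-PLACEHOLDER#%^%
#
interface 10GE1/0/2
 trill authentication-mode hmac-sha256 key-id 1 cipher %^%#CIPHERTEXT-PLACEHOLDER#%^%
#
"""

# The two authentication commands documented in the guide.
AUTH_RE = re.compile(r"^\s*(area-authentication-mode|trill authentication-mode)\s+(.+)$")
# Options under which received packets are not (fully) checked.
RECEIVE_UNCHECKED = {"send-only", "all-send-only", "authentication-avoid"}


@dataclass(frozen=True)
class Finding:
    scope: str     # "trill" for the area command, or the interface view name
    severity: str  # "high" or "info"
    message: str


def parse_auth_command(rest: str) -> dict:
    """Split the text after the command keyword into mode, password storage and options."""
    tokens = rest.split()
    mode = tokens[0]
    if mode == "keychain":                       # keychain <name> [ options ]
        return {"mode": mode, "storage": None, "options": tokens[2:]}
    idx = 3 if mode == "hmac-sha256" else 1      # skip "key-id <n>" for HMAC-SHA256
    storage = "cipher"                           # [ cipher ] is optional: omitted means cipher
    if tokens[idx] in ("cipher", "plain"):
        storage = tokens[idx]
        idx += 1
    # tokens[idx] is the password itself; everything after it is options
    return {"mode": mode, "storage": storage, "options": tokens[idx + 1:]}


def audit_config(config_text: str) -> list[Finding]:
    """Walk the configuration view by view and collect findings."""
    findings: list[Finding] = []
    scope = None
    trill_view_seen = area_auth_seen = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "#":                      # "#" closes the current view
            scope = None
            continue
        if stripped == "trill":
            scope, trill_view_seen = "trill", True
            continue
        if stripped.startswith("interface "):
            scope = stripped
            continue
        m = AUTH_RE.match(line)
        if not m or scope is None:
            continue
        cmd, rest = m.groups()
        if cmd == "area-authentication-mode":
            area_auth_seen = True
        parsed = parse_auth_command(rest)
        if parsed["mode"] in ("simple", "md5"):
            findings.append(Finding(scope, "high", f"{parsed['mode']} authentication has potential risks; use hmac-sha256"))
        if parsed["storage"] == "plain":
            findings.append(Finding(scope, "high", "password saved in the configuration file in plain text; use cipher"))
        if parsed["mode"] == "keychain":
            findings.append(Finding(scope, "info", "keychain in use: its algorithm must be HMAC-MD5"))
        unchecked = RECEIVE_UNCHECKED.intersection(parsed["options"])
        if unchecked:
            findings.append(Finding(scope, "info", "received packets are not checked: " + " ".join(sorted(unchecked))))
    if trill_view_seen and not area_auth_seen:
        findings.append(Finding("trill", "high", "no area-authentication-mode: LSPs and SNPs are sent and accepted without authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.scope}: {f.message}")
```

Run the script as is to compare the two constructed configurations; to audit a real device, paste the trill view and the TRILL interface views of its saved configuration into the string passed to audit_config. Interface authentication must also match on both ends of each link, which a single device's configuration cannot show, so run the audit on every RB in the area and compare the results.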

Verifying the TRILL Network Security Configuration

Procedure

  • Run the display trill lsdb verbose command to view the verbose LSDB information.
Updated: 2019-05-08

Document ID: EDOC1100004349
