CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Applying the Keychain to BGP

Networking Requirements

As shown in Figure 19-9, RouterA and RouterB are connected using BGP.

The BGP session between them must remain established while data is being transmitted.

Figure 19-9  Networking diagram of applying the keychain to BGP

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the basic keychain functions.

  2. Apply the keychain to BGP on each router so that the peers authenticate each other.

Procedure

  1. Configure a keychain.

    # Configure Router A.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] keychain huawei mode periodic weekly
    [RouterA-keychain-huawei] tcp-kind 182
    [RouterA-keychain-huawei] tcp-algorithm-id sha-256 17
    [RouterA-keychain-huawei] receive-tolerance 100
    [RouterA-keychain-huawei] key-id 1
    [RouterA-keychain-huawei-keyid-1] algorithm sha-256
    [RouterA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [RouterA-keychain-huawei-keyid-1] send-time day fri sat
    [RouterA-keychain-huawei-keyid-1] receive-time day fri sat
    [RouterA-keychain-huawei-keyid-1] default send-key-id
    [RouterA-keychain-huawei-keyid-1] quit
    [RouterA-keychain-huawei] quit
    

    # Configure Router B.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] keychain huawei mode periodic weekly
    [RouterB-keychain-huawei] tcp-kind 182
    [RouterB-keychain-huawei] tcp-algorithm-id sha-256 17
    [RouterB-keychain-huawei] receive-tolerance 100
    [RouterB-keychain-huawei] key-id 1
    [RouterB-keychain-huawei-keyid-1] algorithm sha-256
    [RouterB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [RouterB-keychain-huawei-keyid-1] send-time day fri sat
    [RouterB-keychain-huawei-keyid-1] receive-time day fri sat
    [RouterB-keychain-huawei-keyid-1] default send-key-id
    [RouterB-keychain-huawei-keyid-1] quit
    [RouterB-keychain-huawei] quit
    

  2. Apply the keychain to BGP for authentication and encryption.

    # Configure Router A.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] bgp 1
    [RouterA-bgp] router-id 1.1.1.1
    [RouterA-bgp] peer 192.168.1.2 as-number 1
    [RouterA-bgp] peer 192.168.1.2 keychain huawei
    [RouterA-bgp] quit
    [RouterA] quit
    

    # Configure Router B.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] bgp 1
    [RouterB-bgp] router-id 2.2.2.2
    [RouterB-bgp] peer 192.168.1.1 as-number 1
    [RouterB-bgp] peer 192.168.1.1 keychain huawei 
    [RouterB-bgp] quit
    [RouterB] quit
    

  3. Verify the configuration.

    # Run the display keychain keychain-name command to check the key-id status of the keychain.

    <RouterA> display keychain huawei
     Keychain Information:
     ---------------------
     Keychain Name             : huawei
       Timer Mode              : Weekly periodic
       Receive Tolerance(min)  : 100
       TCP Kind                : 182
       TCP Algorithm IDs       :
         HMAC-MD5              : 5
         HMAC-SHA1-12          : 2
         HMAC-SHA1-20          : 6
         HMAC-SHA-256          : 7
         SHA-256               : 17
         MD5                   : 8
         SHA1                  : 4
     Number of Key IDs         : 1
     Active Send Key ID        : 1
     Active Receive Key IDs    : 01
     Default send Key ID       : Not configured
    
    
     Key ID Information:
     -------------------
     Key ID                    : 1
       Key string              : ******
       Algorithm               : SHA-256
       SEND TIMER              :
         Day(s)                : Fri Sat
         Status                : Active
       RECEIVE TIMER           :
         Day(s)                : Fri Sat
         Status                : Active
    

    # After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command to check authentication information about the BGP peer. The display on Router A is used as an example.

    <RouterA> display bgp peer 192.168.1.2 verbose
            BGP Peer is 192.168.1.2,  remote AS 1
            Type: IBGP link
            BGP version 4, Remote router ID 2.2.2.2
            Update-group ID: 1
            BGP current state: Established, Up for 00h43m34s
            BGP current event: RecvKeepalive
            BGP last state: OpenConfirm
            BGP Peer Up count: 1
            Received total routes: 0
            Received active routes total: 0
            Received mac routes: 0
            Advertised total routes: 0
            Port:  Local - 179      Remote - 55828
            Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
            Received  : Active Hold Time: 180 sec
            Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
            Peer optional capabilities:
            Peer supports bgp multi-protocol extension
            Peer supports bgp route refresh capability
            Peer supports bgp 4-byte-as capability
            Address family IPv4 Unicast: advertised and received
     Received: Total 45 messages
                     Update messages                0
                     Open messages                  1
                     KeepAlive messages             44
                     Notification messages          0
                     Refresh messages               0
     Sent: Total 48 messages
                     Update messages                0
                     Open messages                  2
                     KeepAlive messages             46
                     Notification messages          0
                     Refresh messages               0
     Authentication type configured: Keychain(huawei)
     Last keepalive received: 2012/04/20 11:37:27
     Last keepalive sent    : 2012/04/20 11:37:27
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

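As an added illustration, not part of the Huawei guide, the following Python models the weekly periodic keychain configured above: key 1 is active on Friday and Saturday, receive-tolerance 100 widens the receive window by 100 minutes on each side, and default send-key-id makes key 1 the send key whenever no send timer is active. How the device applies receive-tolerance and the default send key is assumed here from the command names, and the check_at helper and its "accepted" verdict are constructed for this illustration.

```python
from datetime import datetime, timedelta

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


class Key:
    def __init__(self, key_id, algorithm, send_days, receive_days):
        self.key_id, self.algorithm = key_id, algorithm
        self.send_days, self.receive_days = set(send_days), set(receive_days)


class WeeklyKeychain:
    """Model of 'keychain <name> mode periodic weekly' (semantics assumed here)."""

    def __init__(self, receive_tolerance_min=0, default_send_key_id=None):
        self.tolerance = timedelta(minutes=receive_tolerance_min)
        self.default_send_key_id = default_send_key_id
        self.keys = {}

    def add_key(self, key):
        self.keys[key.key_id] = key

    def active_send_key_id(self, when):
        # Key whose send-time covers 'when'; otherwise the default send key, if set.
        day = DAYS[when.weekday()]
        for k in self.keys.values():
            if day in k.send_days:
                return k.key_id
        return self.default_send_key_id

    def active_receive_key_ids(self, when):
        # Keys whose receive-time covers 'when', widened by receive-tolerance on both
        # sides so that peers whose clocks differ slightly still agree on a key.
        active = []
        for k in self.keys.values():
            if any(DAYS[(when + d).weekday()] in k.receive_days
                   for d in (-self.tolerance, timedelta(0), self.tolerance)):
                active.append(k.key_id)
        return sorted(active)


def page_keychain():
    """The keychain 'huawei' as configured on both routers in the example."""
    kc = WeeklyKeychain(receive_tolerance_min=100, default_send_key_id=1)
    kc.add_key(Key(1, "sha-256", ["fri", "sat"], ["fri", "sat"]))
    return kc


def check_at(*when):
    """(send key id, receive key ids, accepted?) when RouterA sends to RouterB."""
    a, b, t = page_keychain(), page_keychain(), datetime(*when)
    kid, recv = a.active_send_key_id(t), b.active_receive_key_ids(t)
    ok = kid in recv and a.keys[kid].algorithm == b.keys[kid].algorithm
    return kid, recv, ok
```

Calling check_at with a Sunday 00:30 timestamp shows the session still authenticating inside the 100-minute tolerance, while a Wednesday timestamp shows key 1 still being sent (default send-key-id) but not accepted, because no receive timer is active.
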
Configuration Files

  • Router A configuration file

    #
     sysname RouterA
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id sha-256 17
     key-id 1
      algorithm sha-256
      key-string cipher %#%#j8P<=eo2u$q}YxHvZ/"8M:=n!+K>xX1;D~L'`d78%#%#
      send-time day fri sat
      receive-time day fri sat
      default send-key-id 
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.1 255.255.255.0
    #
    bgp 1
     router-id 1.1.1.1
     peer 192.168.1.2 as-number 1
     peer 192.168.1.2 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.2 enable
    #
    return
  • Router B configuration file

    #
     sysname RouterB
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id sha-256 17
     key-id 1
      algorithm sha-256
      key-string cipher %#%#j8P<=eo2u$q}YxHvZ/"8M:=n!+K>xX1;D~L'`d78%#%#
      send-time day fri sat
      receive-time day fri sat
      default send-key-id 
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.0
    #
    bgp 1
     router-id 2.2.2.2
     peer 192.168.1.1 as-number 1
     peer 192.168.1.1 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.1 enable
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100034077
