NE40E V800R010C10SPC500 Configuration Guide - IP Multicast 01

Configuring IPv6 PIM IPsec

If you want to encrypt and authenticate sent and received IPv6 PIM messages, configure IPv6 PIM IP Security (IPsec). IPv6 PIM IPsec protects a device against attacks launched using forged IPv6 PIM messages.

Usage Scenario

IPv6 PIM IPsec provides a complete set of security protection mechanisms to authenticate the sent and received IPv6 PIM messages, protecting devices against attacks launched using forged IPv6 PIM messages.

IPv6 PIM IPsec configured in the interface view has the same effect as that configured in the IPv6 PIM view, but their application scopes are different:

  • IPv6 PIM IPsec configured in the interface view: applies only to the current interface.
  • IPv6 PIM IPsec configured in the IPv6 PIM view: applies to all interfaces.

IPv6 PIM IPsec configured in the interface view takes precedence over IPv6 PIM IPsec configured in the IPv6 PIM view. If no IPv6 PIM IPsec configuration exists in the interface view, the interface uses the IPv6 PIM IPsec configuration in the IPv6 PIM view.

Pre-configuration Tasks

Before configuring IPv6 PIM IPsec, complete the following tasks:

Procedure

  • Configure IPv6 PIM IPsec in the IPv6 PIM view.
    • Configure IPsec authentication for IPv6 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim-ipv6

      The IPv6 PIM view is displayed.

    3. Run ipsec [ unicast-message ] sa sa-name

      IPv6 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv6 PIM messages based on the specified SA policy. If you specify unicast-message in the command, the device authenticates only the sent and received IPv6 PIM unicast messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv6 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim-ipv6

      The IPv6 PIM view is displayed.

    3. Run hello ipsec sa sa-name

      IPv6 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv6 PIM Hello messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    NOTE:

    If the ipsec sa and hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IPv6 PIM IPsec in the interface view.
    • Configure IPsec authentication for IPv6 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim ipv6 ipsec sa sa-name

      IPv6 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv6 PIM messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv6 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim ipv6 hello ipsec sa sa-name

      IPv6 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv6 PIM Hello messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    NOTE:

    If the pim ipv6 ipsec sa and pim ipv6 hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
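
The following added example (not part of the original guide or of any Huawei tooling) models the two rules stated above: within one view the command configured later overrides the earlier one, and the interface view takes precedence over the IPv6 PIM view. It is useful when reviewing a change, because a later hello command leaves that scope authenticating Hello messages only. The SA names, interface names and the command-history format are assumptions, and the unicast-message form is not modelled.

```python
import re

# Constructed command history in the order the commands were configured.
# The SA names (sa-global, sa-edge) and interface names are hypothetical.
HISTORY = [
    ("pim-ipv6", "ipsec sa sa-global"),
    ("pim-ipv6", "hello ipsec sa sa-global"),                 # configured later
    ("GigabitEthernet1/0/0", "pim ipv6 hello ipsec sa sa-edge"),
    ("GigabitEthernet1/0/0", "pim ipv6 ipsec sa sa-edge"),    # configured later
]

GLOBAL_VIEW = "pim-ipv6"
GLOBAL_RE = re.compile(r"^(hello )?ipsec sa (\S+)$")
IFACE_RE = re.compile(r"^pim ipv6 (hello )?ipsec sa (\S+)$")


def effective_policy(history, interfaces):
    """Return {interface: (scope, coverage, sa_name)} or None if unprotected."""
    per_view = {}
    for view, command in history:
        pattern = GLOBAL_RE if view == GLOBAL_VIEW else IFACE_RE
        match = pattern.match(command.strip())
        if not match:
            continue  # not an IPv6 PIM IPsec command for this view
        coverage = "hello-only" if match.group(1) else "all-messages"
        # The command configured later overrides the one configured earlier.
        per_view[view] = (coverage, match.group(2))

    result = {}
    for name in interfaces:
        if name in per_view:
            # Interface-view configuration takes precedence.
            result[name] = ("interface",) + per_view[name]
        elif GLOBAL_VIEW in per_view:
            # Otherwise the interface uses the IPv6 PIM view configuration.
            result[name] = (GLOBAL_VIEW,) + per_view[GLOBAL_VIEW]
        else:
            result[name] = None
    return result


if __name__ == "__main__":
    names = ["GigabitEthernet1/0/0", "GigabitEthernet1/0/1"]
    for iface, policy in effective_policy(HISTORY, names).items():
        print(iface, policy)
```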

Checking the Configurations

Run the display pim ipv6 interface interface-type interface-number verbose command to check the detailed IPv6 PIM IPsec configuration on an interface.

# Display the IPv6 PIM IPsec configuration on GE1/0/0. The command output shows that IPv6 PIM IPsec has been configured on GE1/0/0, the SA policy is named 1, and IPsec authentication applies only to IPv6 PIM Hello messages.

<HUAWEI> display pim ipv6 interface gigabitethernet 1/0/0 verbose
 VPN-Instance: public net
 Interface: GigabitEthernet1/0/0, FE80::2E0:3FFF:FE27:AE01
     PIM version: 2
     PIM mode: Sparse
     PIM state: up
     PIM DR: FE80::2E0:3FFF:FE27:AE01 (local)
     PIM DR Priority (configured): 1
     PIM neighbor count: 0
     PIM hello interval: 30 s
     PIM LAN delay (negotiated): 500 ms
     PIM LAN delay (configured): 500 ms
     PIM hello override interval (negotiated): 2500 ms
     PIM hello override interval (configured): 2500 ms
     PIM Silent: disabled
     PIM neighbor tracking (negotiated): disabled
     PIM neighbor tracking (configured): disabled
     PIM generation ID: 0X18FF94EC
     PIM require-GenID: disabled
     PIM hello hold interval: 105 s
     PIM assert hold interval: 180 s
     PIM triggered hello delay: 5 s
     PIM J/P interval: 60 s
     PIM J/P hold interval: 210 s
     PIM state-refresh capability on link: non-capable
     PIM BSR domain border: disabled
     PIM BFD: enabled
     PIM BFD min-tx-interval: 100 ms
     PIM BFD min-rx-interval: 100 ms
     PIM BFD detect-multiplier: 5
     PIM dr-switch-delay timer: not configured
     Number of routers on link not using DR priority: 0
     Number of routers on link not using LAN delay: 0
     Number of routers on link not using neighbor tracking: 1
     ACL of PIM neighbor policy: myacl6
     ACL of PIM ASM join policy: 2000
     ACL of PIM SSM join policy: -
     ACL of PIM join policy: -
     PIM ipsec: enabled (sa-name: 1)
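
To run this check across many interfaces, the added example below (not part of the original guide) parses saved output in the layout shown above and reports interfaces where PIM is up but the expected SA is not bound. The second interface block and its address are constructed, and treating a missing "PIM ipsec" line as "no SA bound" is an assumption, since the guide only shows the enabled case.

```python
import re

# Constructed sample in the layout of the verbose output shown above (trimmed).
# The second interface block and its link-local address are made up.
SAMPLE = """\
 VPN-Instance: public net
 Interface: GigabitEthernet1/0/0, FE80::2E0:3FFF:FE27:AE01
     PIM state: up
     PIM ipsec: enabled (sa-name: 1)
 Interface: GigabitEthernet1/0/1, FE80::2E0:3FFF:FE27:AE02
     PIM state: up
"""

IFACE_RE = re.compile(r"^\s*Interface:\s*(\S+?),")
FIELD_RE = re.compile(r"^\s*(PIM [^:]+):\s*(.*)$")
IPSEC_RE = re.compile(r"^enabled \(sa-name:\s*(.+?)\)$")


def parse_interfaces(text):
    """Return {interface: {field: value}} from verbose display output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return result


def audit_pim_ipsec(text, expected_sa=None):
    """List (interface, finding) for PIM-up interfaces lacking the expected SA."""
    findings = []
    for name, fields in parse_interfaces(text).items():
        if fields.get("PIM state") != "up":
            continue
        # Assumption: an absent or non-"enabled" line means no SA is bound.
        m = IPSEC_RE.match(fields.get("PIM ipsec", ""))
        if not m:
            findings.append((name, "no PIM ipsec SA bound"))
        elif expected_sa is not None and m.group(1) != expected_sa:
            findings.append((name, f"unexpected SA {m.group(1)!r}"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_pim_ipsec(SAMPLE, expected_sa="1"):
        print(f"{iface}: {finding}")
```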
Updated: 2019-01-03

Document ID: EDOC1100055017
