No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Configuration Guide - IP Multicast 01

This is NE40E V800R010C10SPC500 Configuration Guide - IP Multicast
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring IGMP IPSec

Configuring IGMP IPSec

If you want to authenticate the sent and received IGMP messages, configure IGMP IP Security (IPSec). IGMP IPSec protects a device against attacks launched using forged IGMP messages.

Usage Scenario

IGMP IPSec provides a complete set of security protection mechanisms to authenticate the sent and received IGMP messages, protecting devices against attacks launched using forged IGMP messages.

IGMP IPSec configured in the interface view has the same function as that configured in the IGMP view, but their application scopes are different:

  • IGMP IPSec configured in the interface view: applies only to the current interface.
  • IGMP IPSec configured in the IGMP view: applies to all interfaces.

IGMP IPSec configured in the interface view takes precedence over IGMP IPSec configured in the IGMP view. If no IGMP IPSec configuration exists in the interface view, the interface uses the IGMP IPSec configuration in the IGMP view.

Pre-configuration Tasks

Before configuring IGMP IPSec, complete the following tasks:

Procedure

  • Configure IGMP IPSec in the IGMP view.
    • Configure IPSec authentication for IGMP messages.
    1. Run system-view

      The system view is displayed.

    2. Run igmp [ vpn-instance vpn-instance-name ]

      The IGMP view is displayed.

    3. Run ipsec sa sa-name

      IGMP IPSec is configured globally, enabling the device to authenticate the sent and received IGMP messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPSec authentication for IGMP Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run igmp [ vpn-instance vpn-instance-name ]

      The IGMP view is displayed.

    3. Run query ipsec sa sa-name

      IGMP IPSec is configured globally, enabling the device to authenticate the sent and received IGMP Query messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    NOTE:

    If the ipsec sa and query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IGMP IPSec in the interface view.
    • Configure IPSec authentication for IGMP messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run igmp ipsec sa sa-name

      IGMP IPSec is configured on an interface, enabling the interface to authenticate the sent and received IGMP messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPSec authentication for IGMP Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run igmp query ipsec sa sa-name

      IGMP IPSec is configured on an interface, enabling the interface to authenticate the sent and received IGMP Query messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    NOTE:

    If the igmp ipsec sa and igmp query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

Checking the Configurations

Run the display igmp [ vpn-instance vpn-instance-name ] interface [ interface-type interface-number | up | down ] verbose command to check the detailed IGMP IPSec configuration on an interface.

# Display the IGMP IPSec configuration on GE1/0/0. The command output shows that IGMP IPSec has been configured on GE1/0/0 and the SA is named sa1.

<HUAWEI> display igmp interface gigabitethernet 1/0/0 verbose
Interface information of VPN-Instance: public net
 Gigabitethernet1/0/0(192.168.101.1):
   IGMP is enabled
   Current IGMP version is 2
   IGMP state: up
   IGMP group policy: none
   IGMP limit: -
   IGMP access-limit: 5  except: 2002
   Value of query interval for IGMP (negotiated): -
   Value of query interval for IGMP (configured): 60 s
   Value of other querier timeout for IGMP: 0 s
   Value of maximum query response time for IGMP: 10 s
   Value of last member query time: 2 s
   Value of last member query interval: 1 s
   Value of startup query interval: 15 s
   Value of startup query count: 2
   General query timer expiry (hours:minutes:seconds): 00:00:44
   Querier for IGMP: 192.168.101.1 (this router)
   IGMP activity: 4 joins, 0 leaves
   Robustness (negotiated): -
   Robustness (configured): 2
   Require-router-alert: disabled
   Send-router-alert: enabled
   Ip-source-policy: ab
   Query ip-source-policy: 2000
   Prompt-leave: disabled
   SSM-Mapping: enabled
   Startup-query-timer-expiry: off
   Other-querier-present-timer-expiry: off
   IGMP ipsec: enabled(sa-name: sa1)
  Total 2 IGMP Groups reported 
Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055017

Views: 39873

Downloads: 97

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next