NE20E-S V800R010C10SPC500 Configuration Guide - MPLS 01

Configuring an RSVP Authentication Mode

RSVP authentication modes are configured between RSVP neighboring nodes or between the interfaces of RSVP neighboring nodes. The keys on both ends to be authenticated must be the same; otherwise, RSVP authentication fails, and RSVP neighboring nodes discard received packets.

Context

RSVP authentication in the key mode is used to prevent an unauthorized node from establishing an RSVP neighbor relationship with a local node. It can also prevent a remote node from constructing forged packets to establish an RSVP neighbor relationship with the local node.

The NE20E supports three RSVP key authentication modes, as shown in Figure 3-8.
Figure 3-8 RSVP key authentication networking

  • Local interface-based authentication

    Local interface-based authentication is performed between interfaces connecting a point of local repair (PLR) and a merge point (MP) in an inter-domain MPLS TE FRR scenario.

    • Local interface-based authentication is recommended on a network configured with inter-domain MPLS TE FRR.
    • Local interface- or neighbor interface-based authentication can be used on a network that is not configured with inter-domain MPLS TE FRR.
  • Neighbor node-based authentication

    Neighbor node-based authentication takes effect on an entire device. It is usually performed between a PLR and an MP based on LSR IDs.

    This authentication mode is recommended on a network with non-inter-domain MPLS TE FRR.

  • Neighbor interface-based authentication

    Neighbor interface-based authentication is performed between interfaces connecting two LSRs. For example, neighbor interface-based authentication is performed between the interfaces connecting LSRA and LSRB shown in Figure 3-8.

    Local interface- or neighbor address-based authentication can be used on a network that is not configured with inter-domain MPLS TE FRR.

Each pair of RSVP neighbors must use the same key; otherwise, RSVP authentication fails, and all received RSVP messages are discarded.

Table 3-7 describes the differences between the local interface-, neighbor node-, and neighbor address-based authentication modes.

Table 3-7 Principle for RSVP authentication mode selection

| RSVP Key Authentication | Local Interface-based Authentication | Neighbor Node-based Authentication | Neighbor Interface-based Authentication |
|---|---|---|---|
| Authentication mode | Local interface-based authentication | RSVP neighbor-based authentication | RSVP neighbor interface-based authentication |
| Priority | High | Medium | Low |
| Applicable environment | Any network | Non-inter-area network | Networks on which MPLS TE FRR is enabled and primary CR-LSPs are in the FRR Inuse state |
| Advantages | N/A | Simplex configuration | N/A |

Procedure

  • Configure RSVP key authentication in neighbor address-based mode.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The view of the interface on which the MPLS TE tunnel is established is displayed.

    3. Run mpls rsvp-te authentication { { cipher | plain } auth-key | keychain keychain-name }

      The key for RSVP authentication is configured.

      HMAC-MD5 or keychain authentication can be configured based on the selected parameter:

      • cipher: HMAC-MD5 authentication is used, and a key is displayed in ciphertext.

      • plain: HMAC-MD5 authentication is used, and a key is displayed in plaintext.

      • keychain: Keychain authentication is used, and a globally configured keychain is referenced.

      If you configure a simple password, it is saved in the configuration file in plaintext, which poses a high security risk. Therefore, configuring a ciphertext password is recommended. To improve device security, change the password periodically.

      Configuration must be complete on the two directly connected interfaces within three update periods. If configuration is not complete after three update periods elapse, the session goes Down.

    4. Run commit

      The configuration is committed.

  • Configure RSVP key authentication in neighbor-based mode.
    1. Run system-view

      The system view is displayed.

    2. Run mpls

      The MPLS view is displayed.

    3. Run mpls rsvp-te peer peer-address

      The RSVP neighbor view is displayed.

    4. Run mpls rsvp-te authentication { { cipher | plain } auth-key | keychain keychain-name }

      The key for RSVP authentication is configured.

      HMAC-MD5 or keychain authentication can be configured based on the selected parameter:

      • cipher: HMAC-MD5 authentication is used, and a key is displayed in ciphertext.

      • plain: HMAC-MD5 authentication is used, and a key is displayed in plaintext.

      • keychain: Keychain authentication is used, and a globally configured keychain is referenced.

      If you configure a simple password, it is saved in the configuration file in plaintext, which poses a high security risk. Therefore, configuring a ciphertext password is recommended. To improve device security, change the password periodically.

      Configuration must be complete on the two neighboring nodes within three update periods. If configuration is not complete after three update periods elapse, the session goes Down.

    5. (Optional) Run mpls rsvp-te challenge-lost peer-address

      The maximum number of challenge messages sent by the supplicant to the authenticator that are allowed to be discarded during RSVP authentication is set.

    6. (Optional) Run mpls rsvp-te retrans-timer challenge retransmission-interval

      The interval at which challenge messages are retransmitted is set.

    7. Run commit

      The configuration is committed.
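
A configuration review check for the two procedures above, as an added example (not Huawei's code): it scans saved-configuration text for `mpls rsvp-te authentication` in interface and RSVP neighbor views, and reports keys configured with `plain` and views with no authentication at all. The sample configuration, its layout, the interface names, addresses and key values are constructed assumptions.

```python
import re

# Constructed sample. The saved-config layout (indentation, '#' separators),
# interface names, peer addresses and key values are assumptions.
SAMPLE_CONFIG = """\
mpls
 mpls rsvp-te peer 10.0.0.2
  mpls rsvp-te authentication plain ExampleKey1
 mpls rsvp-te peer 10.0.0.3
  mpls rsvp-te authentication keychain kc-core
#
interface GigabitEthernet0/1/0
 mpls rsvp-te
 mpls rsvp-te authentication cipher CONSTRUCTED-CIPHERTEXT
#
interface GigabitEthernet0/1/1
 mpls rsvp-te
#
"""

AUTH_RE = re.compile(r"mpls rsvp-te authentication (cipher|plain|keychain) .+")
PEER_RE = re.compile(r"mpls rsvp-te peer (\S+)")


def audit_rsvp_auth(config_text):
    """Map each RSVP view to cipher/plain/keychain, or None if unauthenticated."""
    scopes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                          # end of a configuration block
            current = None
        elif raw.startswith("interface "):       # interface view
            current = "interface " + line.split(None, 1)[1]
        elif (m := PEER_RE.fullmatch(line)):     # RSVP neighbor view
            current = "peer " + m.group(1)
            scopes[current] = None
        elif line == "mpls rsvp-te" and current and current.startswith("interface "):
            scopes.setdefault(current, None)     # RSVP-TE enabled on this interface
        elif current and (m := AUTH_RE.fullmatch(line)):
            scopes[current] = m.group(1)
    return scopes


def findings(scopes):
    """Review items: plaintext keys and views with no authentication."""
    issues = {"plain": "key saved in plaintext; use cipher or keychain",
              None: "no RSVP authentication configured in this view"}
    return [(s, issues[m]) for s, m in scopes.items() if m in issues]
```

An interface reported without authentication may still be covered by neighbor-based authentication configured for the same neighbor, so treat that finding as a prompt to check rather than a confirmed gap.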

Updated: 2019-01-03

Document ID: EDOC1100055103
