ME60 V800R010C10SPC500 Configuration Guide - IP Routing 01

Example for Configuring BGP Keychain Authentication


By configuring keychain authentication between BGP peers, you can enhance the security of BGP connections.

Networking Requirements

On the network shown in Figure 10-53, Device A belongs to AS 100, and Device B belongs to AS 200. BGP runs on the network, and BGP keychain authentication is used to protect EBGP connections against attacks.

Figure 10-53 Networking diagram of configuring BGP keychain authentication
NOTE:

Interface 1 in this example is GE 1/0/0.



Precautions

When configuring BGP keychain authentication, pay attention to the following:

  • You need to configure keychain authentication on both BGP peers, and ensure that encryption algorithms and passwords configured for keychain authentication on both peers are the same. Otherwise, TCP connections cannot be established between BGP peers, and BGP messages cannot be exchanged.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Establish an EBGP connection between Device A and Device B.

  2. Configure keychain authentication on Device A and Device B.

Data Preparation

To complete the configuration, you need the following data:

  • Router IDs and AS numbers of Device A and Device B

  • Name of keychain authentication between Device A and Device B

Procedure

  1. Configure an IP address for each interface. For configuration details, see Configuration Files in this section.
  2. Establish an EBGP connection.

    # Configure Device A.

    [~DeviceA] bgp 100
    [*DeviceA-bgp] router-id 1.1.1.1
    [*DeviceA-bgp] peer 200.1.1.2 as-number 200
    [*DeviceA-bgp] commit
    [~DeviceA-bgp] quit

    # Configure Device B.

    [~DeviceB] bgp 200
    [*DeviceB-bgp] router-id 2.2.2.2
    [*DeviceB-bgp] peer 200.1.1.1 as-number 100
    [*DeviceB-bgp] commit
    [~DeviceB-bgp] quit

  3. Configure keychain authentication.

    # Configure Device A.

    [~DeviceA] keychain Huawei mode absolute
    [*DeviceA-keychain] tcp-kind 179
    [*DeviceA-keychain] tcp-algorithm-id md5 17
    [*DeviceA-keychain] receive-tolerance 100
    [*DeviceA-keychain] key-id 1
    [*DeviceA-keychain-keyid-1] algorithm md5
    [*DeviceA-keychain-keyid-1] key-string hello
    [*DeviceA-keychain-keyid-1] send-time 11:00 2009-12-24 to 12:00 2009-12-24
    [*DeviceA-keychain-keyid-1] receive-time 11:00 2009-12-24 to 12:00 2009-12-24
    [*DeviceA-keychain-keyid-1] commit
    [~DeviceA-keychain-keyid-1] quit
    [~DeviceA-keychain] quit

    # Configure Device B.

    [~DeviceB] keychain Huawei mode absolute
    [*DeviceB-keychain] tcp-kind 179
    [*DeviceB-keychain] tcp-algorithm-id md5 17
    [*DeviceB-keychain] receive-tolerance 100
    [*DeviceB-keychain] key-id 1
    [*DeviceB-keychain-keyid-1] algorithm md5
    [*DeviceB-keychain-keyid-1] key-string hello
    [*DeviceB-keychain-keyid-1] send-time 11:00 2009-12-24 to 12:00 2009-12-24
    [*DeviceB-keychain-keyid-1] receive-time 11:00 2009-12-24 to 12:00 2009-12-24
    [*DeviceB-keychain-keyid-1] commit
    [~DeviceB-keychain-keyid-1] quit
    [~DeviceB-keychain] quit

  4. Apply keychain authentication on the EBGP connection between Device A and Device B.

    # Configure Device A.

    [~DeviceA] bgp 100
    [*DeviceA-bgp] peer 200.1.1.2 keychain Huawei
    [*DeviceA-bgp] commit
    [~DeviceA-bgp] quit

    # Configure Device B.

    [~DeviceB] bgp 200
    [*DeviceB-bgp] peer 200.1.1.1 keychain Huawei
    [*DeviceB-bgp] commit
    [~DeviceB-bgp] quit

  5. Verify the configuration.

    # On Device A, check the BGP connection status after keychain authentication is configured.

    <DeviceA> display bgp peer
     BGP local router ID : 200.1.1.1
     Local AS number : 100
     Total number of peers : 1         Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      200.1.1.2       4         200       21       24     0 00:00:23      Established    0

    The command output shows that the BGP connection is in the Established state after keychain authentication is configured.

Configuration Files

  • Configuration file of Device A

    #
    sysname DeviceA
    #
    keychain Huawei mode absolute
     receive-tolerance 100
     tcp-kind 179
     tcp-algorithm-id md5 17
     #
     key-id 1
      algorithm md5
      key-string cipher %#%#e^1}%%w;/C[M)OQc7"j+,2)}%#%#
      send-time 11:00 2009-12-24 to 12:00 2009-12-24
      receive-time 11:00 2009-12-24 to 12:00 2009-12-24
    #
    interface GigabitEthernet1/0/0
     undo shutdown  
     ip address 200.1.1.1 255.255.255.0
    #
    bgp 100
     router-id 1.1.1.1
     peer 200.1.1.2 as-number 200
     peer 200.1.1.2 keychain Huawei
     #              
     ipv4-family unicast
      undo synchronization
      peer 200.1.1.2 enable
    #
    return
  • Configuration file of Device B

    #
    sysname DeviceB
    #
    keychain Huawei mode absolute
     receive-tolerance 100
     tcp-kind 179
     tcp-algorithm-id md5 17
     #
     key-id 1
      algorithm md5
      key-string cipher %#%#ub(70WJ"^=i(kxPK@*fK,)}t%#%#
      send-time 11:00 2009-12-24 to 12:00 2009-12-24
      receive-time 11:00 2009-12-24 to 12:00 2009-12-24
    #
    interface GigabitEthernet1/0/0
     undo shutdown  
     ip address 200.1.1.2 255.255.255.0
    #
    bgp 200
     router-id 2.2.2.2
     peer 200.1.1.1 as-number 100
     peer 200.1.1.1 keychain Huawei
     #              
     ipv4-family unicast
      undo synchronization
      peer 200.1.1.1 enable
    #
    return
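
An added example, not part of the Huawei guide: a Python check for the precaution that both peers must carry the same keychain settings. It compares two saved keychain stanzas, skips key-string because the stored ciphertext differs between the two configuration files above even though both devices were given the same password, and also reports a send-time window that is not active at a given time and the use of MD5. The function names and the sample strings are assumptions made for this example.

```python
from datetime import datetime

FMT = "%H:%M %Y-%m-%d"
# Constructed sample modelled on Device A's keychain stanza (placeholder ciphertext).
DEVICE_A = """\
keychain Huawei mode absolute
 receive-tolerance 100
 tcp-kind 179
 tcp-algorithm-id md5 17
 #
 key-id 1
  algorithm md5
  key-string cipher <ciphertext-A>
  send-time 11:00 2009-12-24 to 12:00 2009-12-24
  receive-time 11:00 2009-12-24 to 12:00 2009-12-24
#
"""
# Constructed peer with a deliberately different send-time.
DEVICE_B = DEVICE_A.replace("<ciphertext-A>", "<ciphertext-B>").replace("send-time 11:00", "send-time 10:00")

def parse_keychain(cfg):
    """Flatten the first keychain stanza to {setting: value}; key-string is skipped."""
    out, key, inside = {}, None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith("keychain "):
            inside, out["mode"] = True, line.split()[-1]
        elif inside and raw.startswith("#"):
            break                      # an unindented '#' ends the stanza
        elif inside and line.startswith("key-id "):
            key = line                 # later settings belong to this key
        elif inside and line not in ("", "#") and not line.startswith("key-string"):
            name, _, value = line.partition(" ")
            out[(key + "/" if key else "") + name] = value
    return out

def audit(cfg_a, cfg_b, now):
    """Return findings: peer mismatches, send keys inactive at `now`, MD5 use."""
    a, b = parse_keychain(cfg_a), parse_keychain(cfg_b)
    findings = [f"mismatch {k}: {a.get(k)!r} vs {b.get(k)!r}"
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    for k, v in sorted(a.items()):
        if k.endswith("/send-time"):   # receive-time also depends on receive-tolerance
            start, end = (datetime.strptime(t, FMT) for t in v.split(" to "))
            if not start <= now <= end:
                findings.append(f"inactive {k} at {now:{FMT}}")
        elif k.endswith("/algorithm") and v == "md5":
            findings.append(f"weak {k}: md5")
    return findings
```

With the sample strings, `audit(DEVICE_A, DEVICE_B, datetime(2019, 1, 4, 9, 0))` reports the send-time mismatch, the MD5 algorithm, and that the send key is not active at that time.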
Updated: 2019-01-04

Document ID: EDOC1100059437
