
Configuration Guide - IP Multicast

S7700 and S9700 V200R013C00

This document describes the configurations of IP multicast, including IP multicast basics, IGMP, MLD, IPv4 PIM, IPv6 PIM, MSDP, multicast VPN, layer 3 multicast CAC, IPv4 multicast route management, IPv6 multicast route management, IGMP snooping, MLD snooping, static multicast MAC address, multicast VLAN replication, layer 2 multicast CAC, multicast network management.

Configuring PIM IPSec

PIM IPSec enables a device to encrypt and authenticate PIM messages it sends and receives, preventing attacks from forged PIM messages.

Pre-configuration Tasks

Before configuring PIM IPSec, complete the following tasks:

Configuration Procedure

Configure PIM IPSec in the following sequence.

Configuring an IPSec Session for Encryption

Context

Internet Protocol Security (IPSec) can be configured to prevent data theft and spoofing during data transmission in a network.

A security association (SA) must be established so that IPSec can protect transmitted data. An SA is a unidirectional logical connection set up for security purpose and specifies the elements used by two IPSec peers (two parties that use the IPSec protocol to protect data transmitted between them). The elements of an SA include the following:

  • Security protocol
  • Authentication or encryption algorithm supported by the security protocol
  • Data encapsulation mode
  • Security parameter index (SPI) of the SA
  • Authentication key or encryption key of the SA

The first three elements are specified in an IPSec proposal. To configure IPSec functions, first configure an IPSec proposal on the IPSec peers, and then configure an SA.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is the Encapsulating Security Payload (ESP).

    4. Configure an authentication or encryption algorithm.

      • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

        Run the ah authentication-algorithm { md5 | sha1 | sha2-256 } command to specify the authentication algorithm for the AH protocol.

        By default, the AH protocol uses the SHA-256 authentication algorithm (the sha2-256 keyword).

      • If ESP is used, ESP can authenticate packets, encrypt packets, or do both. Configure the ESP-specific authentication algorithm, encryption algorithm, or both.
        • Run the esp authentication-algorithm { md5 | sha1 | sha2-256 } command to specify the authentication algorithm for the ESP protocol.

          By default, the SHA-256 authentication algorithm (the sha2-256 keyword) is used for ESP.

        • Run the esp encryption-algorithm { des | 3des | aes [ 128 | 192 | 256 ] } command to specify the encryption algorithm for the ESP protocol.

          By default, the encryption algorithm Advanced Encryption Standard-256 (AES-256) is used for ESP.

      The MD5, SHA-1, DES, and 3DES algorithms are not recommended because they no longer provide adequate protection; use sha2-256 and aes.

    5. Run encapsulation-mode { transport | tunnel }

      A data encapsulation mode is specified for the security protocol.

      By default, the data encapsulation mode is tunnel.

      NOTE:

      In transport mode, the packet encryption device and decryption device must be the originator and receiver of packets.

    6. Run quit

      Return to the system view.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec SA does not reference any IPSec proposal.

      NOTE:

      An IPSec SA can reference only one IPSec proposal. To bind a new IPSec proposal to the IPSec SA, delete the binding to the original IPSec proposal first.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      NOTE:
      • An SPI uniquely identifies an SA. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-cipher-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, you can run one of the following commands to configure the authentication key or the encryption key. You can also configure both the authentication key and encryption key. If the two keys are configured at the same time, they can only be hexadecimal keys.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-cipher-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal encryption key.

      NOTE:
      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up.
      • If you configure multiple keys in different formats, the last configured key takes effect.

  3. Verify the configuration.
    1. Run the display ipsec sa [ name sa-name ] [ brief ] command to check information about the SA.
    2. Run the display ipsec proposal [ name proposal-name ] command to check information about the security proposal.
    3. Run the display ipsec statistics [ sa-name sa-name slot slot-number ] command to check statistics about packets processed by IPSec.
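As an added example (not Huawei code or output), the following Python script models the pairing rules stated in the NOTE boxes above: it parses constructed VRP-style proposal and SA commands for two peers and reports a missing or mismatched SPI, a key that is set on only one end or differs in format or value, a security protocol that disagrees with the bound proposal, a string key combined with a hexadecimal key, and the algorithms this guide advises against. Device roles, proposal and SA names, SPI values and key bytes are made up, and the script matches SAs by name on both ends; both are assumptions of the example.

```python
"""Pair-check two IPSec peers' proposal and SA commands (added example, not Huawei code)."""

WEAK_ALGORITHMS = {"md5", "sha1", "des", "3des"}  # the guide advises against these

# Constructed local-end configuration: ESP, SHA-256 + AES-256, transport mode,
# hexadecimal keys (names, SPIs and key bytes are made up for this example).
PEER_A = f"""
ipsec proposal pim-prop
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
 encapsulation-mode transport
 quit
ipsec sa pim-sa
 proposal pim-prop
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa authentication-hex inbound esp {'11' * 32}
 sa authentication-hex outbound esp {'22' * 32}
 sa encryption-hex inbound esp {'33' * 32}
 sa encryption-hex outbound esp {'44' * 32}
 quit
"""


def mirror(text):
    """The remote end is the same configuration with inbound and outbound swapped:
    local outbound SPI/key must equal remote inbound SPI/key and vice versa."""
    return text.replace("inbound", "\0").replace("outbound", "inbound").replace("\0", "outbound")


PEER_B = mirror(PEER_A)

# A remote end with three defects: weak hash, wrong inbound SPI, and an
# authentication key given as a string while the local end uses hexadecimal.
PEER_C = (PEER_B.replace("sha2-256", "md5")
          .replace("sa spi inbound esp 54321", "sa spi inbound esp 99999")
          .replace(f"sa authentication-hex inbound esp {'22' * 32}",
                   "sa string-key inbound esp Constructed-Key-1"))


def parse_config(text):
    """Extract proposals and SAs; returns ({name: proposal}, {name: sa}). Unknown lines are ignored."""
    proposals, sas, cur = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "ipsec" and w[1] == "proposal":
            cur = proposals.setdefault(w[2], {"transform": "esp", "algs": set()})  # ESP is the default
        elif w[0] == "ipsec" and w[1] == "sa":
            cur = sas.setdefault(w[2], {"proposal": None, "spi": {}, "keys": {}})
        elif w[0] == "quit" or cur is None:
            cur = None
        elif w[0] == "transform":
            cur["transform"] = w[1]
        elif w[0] in ("ah", "esp") and w[1].endswith("-algorithm"):
            cur["algs"].add(w[2])
        elif w[0] == "proposal":
            cur["proposal"] = w[1]
        elif w[0] == "sa" and w[1] == "spi":
            cur["spi"][w[2]] = (w[3], int(w[4]))  # direction -> (protocol, SPI)
        elif w[0] == "sa" and w[1] in ("authentication-hex", "string-key", "encryption-hex"):
            kind = "enc" if w[1] == "encryption-hex" else "auth"
            fmt = "string" if w[1] == "string-key" else "hex"
            key = w[5] if w[4] == "cipher" else w[4]  # optional 'cipher' keyword
            cur["keys"][(w[2], kind)] = (w[3], fmt, key)  # last configured key of a kind wins
    return proposals, sas


def check_sa(label, sa, proposals):
    """Single-device checks from the NOTE boxes of the SA procedure."""
    out, prop = [], proposals.get(sa["proposal"])
    if prop is None:
        return [f"{label}: SA is bound to unknown proposal {sa['proposal']}"]
    proto = prop["transform"]
    out += [f"{label}: proposal uses weak algorithm {a}" for a in sorted(prop["algs"] & WEAK_ALGORITHMS)]
    for d in ("inbound", "outbound"):
        if d not in sa["spi"]:
            out.append(f"{label}: no {d} SPI")
        elif sa["spi"][d][0] != proto:
            out.append(f"{label}: {d} SPI protocol differs from proposal transform {proto}")
        auth, enc = sa["keys"].get((d, "auth")), sa["keys"].get((d, "enc"))
        if auth and enc and auth[1] != "hex":
            out.append(f"{label}: {d} authentication key must be hexadecimal when an encryption key is also set")
    out += [f"{label}: {d} {k} key protocol differs from proposal transform {proto}"
            for (d, k), (p, _, _) in sa["keys"].items() if p != proto]
    return out


def check_peers(local, remote):
    """Return findings for every SA name on the local end; [] means the two ends pair up."""
    lprops, lsas = parse_config(local)
    rprops, rsas = parse_config(remote)
    out = []
    for name, lsa in lsas.items():
        if name not in rsas:
            out.append(f"{name}: SA missing on remote end")
            continue
        rsa = rsas[name]
        out += check_sa(f"{name} local", lsa, lprops) + check_sa(f"{name} remote", rsa, rprops)
        # Local outbound must match remote inbound and vice versa: SPI, key format, key value.
        for here, there in (("outbound", "inbound"), ("inbound", "outbound")):
            ls, rs = lsa["spi"].get(here), rsa["spi"].get(there)
            if ls and rs and ls != rs:
                out.append(f"{name}: local {here} SPI {ls[1]} != remote {there} SPI {rs[1]}")
            for kind in ("auth", "enc"):
                lk, rk = lsa["keys"].get((here, kind)), rsa["keys"].get((there, kind))
                if (lk is None) != (rk is None):
                    out.append(f"{name}: {kind} key set on only one end (local {here} / remote {there})")
                elif lk and lk[1] != rk[1]:
                    out.append(f"{name}: {kind} key format mismatch (local {lk[1]}, remote {rk[1]})")
                elif lk and lk[2] != rk[2]:
                    out.append(f"{name}: {kind} key value mismatch (local {here} / remote {there})")
    return out
```

Running `check_peers(PEER_A, PEER_B)` returns an empty list, while `check_peers(PEER_A, PEER_C)` reports the weak MD5 hash, the SPI mismatch, the string-versus-hexadecimal key format mismatch, and the string key combined with a hexadecimal encryption key on the same direction, which are exactly the conditions the NOTE boxes say prevent the tunnel from coming up or weaken it.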

Configuring PIM IPSec

Context

On a multicast network, if multicast devices are attacked by forged PIM messages, multicast data forwarding between multicast devices will be interrupted. To protect multicast devices against such attacks, configure PIM IPSec on the multicast devices to encrypt and authenticate PIM protocol messages they send and receive.

When a Huawei device connects to a non-Huawei device that can only encrypt and authenticate PIM Hello messages, configure the Huawei device to encrypt and authenticate only PIM Hello messages.

A device running PIM IPSec processes PIM protocol messages as follows:
  • Encapsulates PIM protocol messages with an IPSec header before sending the messages.
  • Drops PIM protocol messages that are not protected by IPSec or fail the authentication.

If PIM IPSec is not configured on a device, the device drops PIM protocol messages that are protected by IPSec.

NOTE:
  • PIM IPSec can be configured in the PIM view or interface view. The configuration made in the PIM view takes effect globally, and the configuration made in the interface view takes effect only on that interface. If PIM IPSec is configured in both the PIM view and interface view, the configuration in the interface view takes precedence. If PIM IPSec is not configured on an interface, the interface uses the configuration made in the PIM view.

  • To ensure normal multicast service forwarding, configure PIM IPSec on all PIM devices.

  • After PIM IPSec is enabled on a switch, all PIM packets sent from the switch are encrypted. The intermediate devices, including those running IGMP snooping, cannot interpret these PIM packets.

Procedure

  • Configure PIM IPSec globally.
    1. Run system-view

      The system view is displayed.

    2. Run pim [ vpn-instance vpn-instance-name ]

      The PIM view is displayed.

    3. Configure authentication for PIM messages.

      You can configure the switch to authenticate all PIM unicast and multicast messages or to authenticate only PIM Hello messages. Two IPSec peers must be configured with the same authentication behavior for PIM messages.

      • Run the ipsec [ unicast-message ] sa sa-name command to authenticate PIM messages sent and received by the device based on a specified SA.

        If you specify the unicast-message keyword in the command, the switch authenticates only PIM unicast messages. If you do not specify this keyword, the switch authenticates only PIM multicast messages.

      • Run the hello ipsec sa sa-name command to authenticate PIM Hello messages sent and received by the device based on a specified SA.

      If the ipsec sa sa-name and hello ipsec sa sa-name commands are both configured, the command configured later overrides the earlier configuration.

  • Configure PIM IPSec on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. (Optional) On an Ethernet interface, run undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

    4. Configure authentication for PIM messages.

      You can configure authentication for all the PIM messages or only PIM Hello messages on an interface. Two IPSec peers must be configured with the same authentication behavior for PIM messages.

      • Run the pim ipsec sa sa-name command to authenticate PIM messages sent and received on the interface based on a specified SA.

      • Run the pim hello ipsec sa sa-name command to authenticate PIM Hello messages sent and received on the interface based on a specified SA.

      If the pim ipsec sa sa-name and pim hello ipsec sa sa-name commands are both configured, the command configured later overrides the command configured earlier.
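Added example, not from the guide: a short Python model of the precedence rules in this section (interface view over PIM view, later command over earlier) together with the send and drop behaviour described under Context, so that two candidate configurations can be compared before they are applied. Its reading that `ipsec sa` covers Hello messages because they are multicast PIM messages, that the unicast-message form is tracked independently of the other two commands, and that drop decisions are made per message class are assumptions of the example, as are the SA names.

```python
"""Effective PIM IPSec behaviour per interface and the resulting send/drop outcome
(added example, not Huawei code)."""

MESSAGE_CLASSES = ("hello", "multicast", "unicast")


def resolve_policy(pim_view_cmds, interface_cmds=()):
    """Map each PIM message class to the SA name that protects it, or None.

    Commands are given in configuration order so that a later ipsec sa /
    hello ipsec sa (or pim ipsec sa / pim hello ipsec sa) overrides the
    earlier one. Any PIM IPSec command on the interface makes the interface
    ignore the PIM view. Assumptions of this example: Hello messages count as
    multicast messages for 'ipsec sa', and the unicast-message form is
    independent of the other two commands.
    """
    policy = dict.fromkeys(MESSAGE_CLASSES)
    if interface_cmds:
        for cmd in interface_cmds:
            w = cmd.split()
            if w[:3] == ["pim", "ipsec", "sa"]:              # all PIM messages on the interface
                policy = dict.fromkeys(MESSAGE_CLASSES, w[3])
            elif w[:4] == ["pim", "hello", "ipsec", "sa"]:   # Hello only, replaces pim ipsec sa
                policy = dict.fromkeys(MESSAGE_CLASSES)
                policy["hello"] = w[4]
        return policy
    for cmd in pim_view_cmds:
        w = cmd.split()
        if w[:2] == ["ipsec", "sa"]:                          # multicast messages (incl. Hello)
            policy.update(hello=w[2], multicast=w[2])
        elif w[:3] == ["ipsec", "unicast-message", "sa"]:     # unicast messages only
            policy["unicast"] = w[3]
        elif w[:3] == ["hello", "ipsec", "sa"]:               # Hello only, replaces ipsec sa
            policy.update(hello=w[3], multicast=None)
    return policy


def exchange(sender, receiver):
    """What the receiver does with each message class, per the Context section:
    a PIM IPSec device drops unprotected messages and messages that fail
    authentication; a device without PIM IPSec drops protected messages.
    An SA is identified by name on both ends (assumption of this example)."""
    result = {}
    for cls in MESSAGE_CLASSES:
        sent_with, expects = sender[cls], receiver[cls]
        if expects is None:
            result[cls] = ("accepted" if sent_with is None
                           else "dropped: IPSec-protected message on a device without PIM IPSec")
        elif sent_with is None:
            result[cls] = "dropped: message not protected by IPSec"
        elif sent_with != expects:
            result[cls] = "dropped: authentication failed (SA mismatch)"
        else:
            result[cls] = "accepted"
    return result


if __name__ == "__main__":
    # Constructed: PIM view protects everything multicast, but the interface
    # was later restricted to Hello only; the peer protects all messages.
    local = resolve_policy(["ipsec sa pim-sa"], ["pim ipsec sa pim-sa", "pim hello ipsec sa pim-sa"])
    peer = resolve_policy([], ["pim ipsec sa pim-sa"])
    for cls, outcome in exchange(local, peer).items():
        print(f"{cls:10} {outcome}")
```

The `__main__` block shows the case the NOTE warns about: the interface command configured last wins, so the local side protects only Hello messages, and the peer, which expects every PIM message to be protected, drops the unprotected Join/Prune and unicast messages.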

Verifying the PIM IPSec Configuration

Context

After configuring PIM IPSec, you can run the following commands in any view to check the IPSec proposal, IPSec SA, and PIM IPSec configuration and the IPSec packet statistics.

Procedure

  • Run the display ipsec proposal [ name proposal-name ] command to check information about an IPSec proposal.
  • Run the display ipsec sa [ sa-name ] [ brief ] command to check information about an IPSec SA.
  • Run the display ipsec statistics [ sa-name sa-name slot slot-number ] command to check IPSec packet statistics.
  • Run the display pim [ vpn-instance vpn-instance-name | all-instance ] interface [ interface-type interface-number | up | down ] [ verbose ] command to check the PIM IPSec configuration on an interface.
Updated: 2019-04-08

Document ID: EDOC1100065742
