CLI-based Configuration Guide - Reliability

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

This document provides guidance for configuring reliability services, including interface backup, BFD, VRRP, and EFM.
Example for Configuring BFD Encryption Authentication

Networking Requirements

As shown in Figure 6-28, RouterA is directly connected to RouterB through a Layer 3 physical link. The customer wants only authenticated devices to access the network. Data packets from a device can be forwarded only after BFD encryption authentication is successful on an interface. If BFD encryption authentication fails, data packets from the connected interface are discarded.

Figure 6-28  Networking diagram for configuring BFD encryption authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a Layer 3 physical link to directly connect RouterA and RouterB.
  2. Configure BFD sessions on both RouterA and RouterB to implement encryption authentication between them.

Procedure

  1. Assign IP addresses to the interfaces for directly connecting RouterA and RouterB.

    # Assign an IP address to the interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface Ethernet 2/0/0
    [RouterA-Ethernet2/0/0] undo portswitch   //If the current interface is a Layer 3 interface, skip this command.
    [RouterA-Ethernet2/0/0] ip address 10.1.1.1 24
    [RouterA-Ethernet2/0/0] quit

    # Assign an IP address to the interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface Ethernet 2/0/0
    [RouterB-Ethernet2/0/0] undo portswitch   //If the current interface is a Layer 3 interface, skip this command.
    [RouterB-Ethernet2/0/0] ip address 10.1.1.2 24
    [RouterB-Ethernet2/0/0] quit

  2. Configure BFD encryption authentication for RouterA.

    # Enable BFD on RouterA.

    [RouterA] bfd
    [RouterA-bfd] quit

    # Associate the BFD session status with the interface status on RouterA and configure BFD session authentication information.

    [RouterA] bfd atob bind peer-ip default-ip interface ethernet 2/0/0
    [RouterA-bfd-session-atob] discriminator local 1
    [RouterA-bfd-session-atob] discriminator remote 2
    [RouterA-bfd-session-atob] process-interface-status
    [RouterA-bfd-session-atob] authentication-mode met-sha1 key-id 1 cipher test123 nego-packet timeout-interval 20
    Warning: Adding, modifying or deleting authentication information of the BFD session may cause the service associated with
     the BFD session to be deactivated. Are you sure you want to continue?[Y/N]Y
    [RouterA-bfd-session-atob] commit
    [RouterA-bfd-session-atob] quit

  3. Configure BFD encryption authentication for RouterB.

    # Enable BFD on RouterB.

    [RouterB] bfd
    [RouterB-bfd] quit

    # Associate the BFD session status with the interface status on RouterB and configure BFD session authentication information.

    [RouterB] bfd btoa bind peer-ip default-ip interface ethernet 2/0/0
    [RouterB-bfd-session-btoa] discriminator local 2
    [RouterB-bfd-session-btoa] discriminator remote 1
    [RouterB-bfd-session-btoa] process-interface-status
    [RouterB-bfd-session-btoa] authentication-mode met-sha1 key-id 1 cipher test123 nego-packet timeout-interval 20
    Warning: Adding, modifying or deleting authentication information of the BFD session may cause the service associated with
     the BFD session to be deactivated. Are you sure you want to continue?[Y/N]Y
    [RouterB-bfd-session-btoa] commit
    [RouterB-bfd-session-btoa] quit

  4. Verify the configuration.

    # After the configuration is complete, run the display bfd session all verbose command on RouterA and RouterB. You can see that a BFD session with encryption authentication is set up and is in Up state. In addition, RouterA and RouterB can ping each other.

    # Take the display on RouterA as an example.

    [RouterA] display bfd session all verbose
    -------------------------------------------------------------------------------- 
    Session MIndex : 64        (One Hop) State : Up        Name : atob                                                                     
    --------------------------------------------------------------------------------                                                    
      Local Discriminator    : 1                Remote Discriminator   : 2                                                              
      Session Detect Mode    : Asynchronous Mode Without Echo Function                                                                  
      BFD Bind Type          : Interface(ethernet2/0/0)                                                                          
      Bind Session Type      : Static                                                                                                   
      Bind Peer IP Address   : 224.0.0.184                                                                                              
      NextHop Ip Address     : 224.0.0.184                                                                                              
      Bind Interface         : ethernet2/0/0                                                                                     
      FSM Board Id           : 0                TOS-EXP                : 7                                                              
      Min Tx Interval (ms)   : 1000             Min Rx Interval (ms)   : 1000                                                           
      Actual Tx Interval (ms): 1000             Actual Rx Interval (ms): 1000                                                           
      Local Detect Multi     : 3                Detect Interval (ms)   : 3000                                                           
      Echo Passive           : Disable          Acl Number             : -                                                              
      Destination Port       : 3784             TTL                    : 255                                                            
      Proc Interface Status  : Enable           Process PST            : Disable                                                        
      WTR Interval (ms)      : -                                                                                                        
      Active Multi           : 3                DSCP                   : -                                                              
      Auth Key ID            : 1                Auth Timer             : 20                                                             
      Meticulous Auth        : True             Auth Type              : MSHA1                                                          
      Xmit Auth Seq          : 0x52d5f66a       Rcv Auth Seq           : 0xdde6e687                                                     
      Error Packet Info      : Correct Pkt                                                                                              
      Last Local Diagnostic  : Neighbor Signaled Session Down                                                                           
      Bind Application       : IFNET                                                                                                    
      Session TX TmrID       : -                Session Detect TmrID   : -                                                              
      Session Init TmrID     : -                Session WTR TmrID      : -                                                              
      Session Echo Tx TmrID  : -                                                                                                        
      PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0                                                                           
      Session Description    : -                                                                                                        
    --------------------------------------------------------------------------------                                                    
                                                                                                                                        
         Total UP/DOWN Session Number : 1/0
    [RouterA] ping 10.1.1.2
      PING 10.1.1.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.1.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/1/1 ms

    # Change the cipher value in the BFD session authentication configuration on RouterA so that it differs from the value on the peer end, simulating a BFD authentication failure.

    [RouterA] bfd atob
    [RouterA-bfd-session-atob] authentication-mode met-sha1 key-id 1 cipher test nego-packet timeout-interval 20
    [RouterA-bfd-session-atob] quit
    

    # After the configuration is complete, run the display bfd session all verbose command on RouterA and RouterB. You can see that a BFD session with encryption authentication is set up and is in Down state. In addition, RouterA and RouterB cannot ping each other. Take the display on RouterA as an example.

    [RouterA] display bfd session all verbose
    -------------------------------------------------------------------------------- 
    Session MIndex : 64        (One Hop) State : Down      Name : atob                                                                     
    --------------------------------------------------------------------------------                                                    
      Local Discriminator    : 1                Remote Discriminator   : 2                                                              
      Session Detect Mode    : Asynchronous Mode Without Echo Function                                                                  
      BFD Bind Type          : Interface(ethernet2/0/0)                                                                          
      Bind Session Type      : Static                                                                                                   
      Bind Peer IP Address   : 224.0.0.184                                                                                              
      NextHop Ip Address     : 224.0.0.184                                                                                              
      Bind Interface         : ethernet2/0/0                                                                                     
      FSM Board Id           : 0                TOS-EXP                : 7                                                              
      Min Tx Interval (ms)   : 1000             Min Rx Interval (ms)   : 1000                                                           
      Actual Tx Interval (ms): 13500            Actual Rx Interval (ms): 13500                                                          
      Local Detect Multi     : 3                Detect Interval (ms)   : -                                                              
      Echo Passive           : Disable          Acl Number             : -                                                              
      Destination Port       : 3784             TTL                    : 255                                                            
      Proc Interface Status  : Enable           Process PST            : Disable                                                        
      WTR Interval (ms)      : -                                                                                                        
      Active Multi           : 3                DSCP                   : -                                                              
      Auth Key ID            : 1                Auth Timer             : 20                                                             
      Meticulous Auth        : True             Auth Type              : MSHA1                                                          
      Xmit Auth Seq          : 0x7fa7e46e       Rcv Auth Seq           : 0x9b57b2ef                                                     
      Error Packet Info      : Authentication failed                                                                                    
      Last Local Diagnostic  : Control Detection Time Expired                                                                           
      Bind Application       : IFNET                                                                                                    
      Session TX TmrID       : 421              Session Detect TmrID   : -                                                              
      Session Init TmrID     : -                Session WTR TmrID      : -                                                              
      Session Echo Tx TmrID  : -                                                                                                        
      PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0                                                                           
      Session Description    : -                                                                                                        
    --------------------------------------------------------------------------------                                                    
                                                                                                                                        
         Total UP/DOWN Session Number : 0/1
    [RouterA] ping 10.1.1.2
      PING 10.1.1.2: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 10.1.1.2 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
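
The met-sha1 mode used in this procedure is the Meticulous Keyed SHA1 authentication defined in RFC 5880 (shown as Auth Type MSHA1 in the display output). The following added example, which is not Huawei's code and not part of the original guide, builds and checks that authentication section to show why a mismatched cipher or a replayed packet is rejected. It assumes the cipher string is used directly as the shared key and that the receiver already knows the last accepted sequence number.

```python
import hashlib
import hmac
import struct

METICULOUS_SHA1, AUTH_LEN, STATE_UP = 5, 28, 3   # RFC 5880 constants

def padded_key(secret: bytes) -> bytes:
    """RFC 5880 4.4: the key occupies the 20-byte hash field, zero-padded."""
    if not 1 <= len(secret) <= 20:
        raise ValueError("SHA1 key must be 1 to 20 bytes")
    return secret.ljust(20, b"\x00")

def build_packet(secret, key_id, seq, my_disc, your_disc, detect_mult=3,
                 tx_us=1_000_000, rx_us=1_000_000, state=STATE_UP):
    """Build a 52-byte BFD control packet with a Meticulous Keyed SHA1 section."""
    flags = (state << 6) | 0x04                  # A bit: authentication present
    head = struct.pack("!BBBBIIIII", 1 << 5, flags, detect_mult, 24 + AUTH_LEN,
                       my_disc, your_disc, tx_us, rx_us, 0)
    auth = struct.pack("!BBBBI", METICULOUS_SHA1, AUTH_LEN, key_id, 0, seq)
    # Hash the packet with the key sitting in the hash field, then send the hash.
    return head + auth + hashlib.sha1(head + auth + padded_key(secret)).digest()

def verify_packet(pkt, secret, key_id, rcv_seq):
    """Receiver checks from RFC 5880 6.7.4; returns (accepted, reason)."""
    if len(pkt) != 24 + AUTH_LEN or not pkt[1] & 0x04:
        return False, "no authentication section"
    a_type, a_len, a_key, _, seq = struct.unpack("!BBBBI", pkt[24:32])
    if (a_type, a_len, a_key) != (METICULOUS_SHA1, AUTH_LEN, key_id):
        return False, "auth type, length or key-id mismatch"
    # Meticulous mode: the sequence number must advance on every packet.
    if not 1 <= (seq - rcv_seq) % 2**32 <= 3 * pkt[2]:
        return False, "sequence number outside window"
    expected = hashlib.sha1(pkt[:32] + padded_key(secret)).digest()
    if not hmac.compare_digest(expected, pkt[32:]):
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    # Values from this page: key-id 1, discriminators 1/2, Xmit Auth Seq 0x52d5f66a.
    pkt = build_packet(b"test123", 1, 0x52D5F66A, my_disc=1, your_disc=2)
    print(verify_packet(pkt, b"test123", 1, 0x52D5F669))   # matching cipher
    print(verify_packet(pkt, b"test", 1, 0x52D5F669))      # mismatched cipher
    print(verify_packet(pkt, b"test123", 1, 0x52D5F66A))   # replayed packet
```

The second call mirrors the simulated failure in step 4: the receiver recomputes the digest with its own key, the comparison fails, and the packet is dropped, so the session times out.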

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    interface ethernet2/0/0
     undo portswitch
     ip address 10.1.1.1 255.255.255.0
    #
    bfd 
    # 
    bfd atob bind peer-ip default-ip interface Ethernet2/0/0
     discriminator local 1
     discriminator remote 2 
     process-interface-status
     authentication-mode met-sha1 key-id 1 cipher test123 nego-packet timeout-interval 20
     commit
    #
    return

  • Configuration file of RouterB

    #
     sysname RouterB
    #
    interface ethernet2/0/0
     undo portswitch
     ip address 10.1.1.2 255.255.255.0
    #
    bfd 
    # 
    bfd btoa bind peer-ip default-ip interface ethernet2/0/0
     discriminator local 2
     discriminator remote 1 
     process-interface-status
     authentication-mode met-sha1 key-id 1 cipher test123 nego-packet timeout-interval 20
     commit
    # 
    return
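
A pre-deployment check for the two files above, as an added example that is not part of the original guide or Huawei tooling: it parses each peer's static BFD session stanza and reports the mismatches that keep the session Down (discriminators not mirrored, differing authentication mode, key-id or cipher, missing commit). The `stanza`, `parse_session` and `audit_pair` helpers are hypothetical names; cipher values are compared as the literal strings printed on this page, and files exported from a device may store the cipher in an encrypted form that cannot be compared this way.

```python
import re

def stanza(name, local, remote, cipher):
    """Constructed sample: one BFD session stanza in this page's layout."""
    return f"""#
bfd {name} bind peer-ip default-ip interface Ethernet2/0/0
 discriminator local {local}
 discriminator remote {remote}
 process-interface-status
 authentication-mode met-sha1 key-id 1 cipher {cipher} nego-packet timeout-interval 20
 commit
#
return
"""

AUTH_RE = re.compile(r"authentication-mode (\S+) key-id (\d+) cipher (\S+)")

def parse_session(cfg):
    """Return the fields of the first 'bfd <name> bind ...' stanza in cfg."""
    s, inside = {"committed": False}, False
    for line in cfg.splitlines():
        words = line.split()
        if not inside:
            inside = words[:1] == ["bfd"] and "bind" in words
        elif words[:1] == ["#"]:
            break                                  # end of the session stanza
        elif words[:1] == ["discriminator"] and len(words) == 3:
            s[words[1]] = int(words[2])            # keys: "local" / "remote"
        elif words[:1] == ["authentication-mode"]:
            m = AUTH_RE.search(line)
            s["auth"] = m.groups() if m else None
        elif words == ["commit"]:
            s["committed"] = True
    return s

def audit_pair(cfg_a, cfg_b):
    """List mismatches between two peers; never echoes the cipher values."""
    a, b = parse_session(cfg_a), parse_session(cfg_b)
    findings = []
    pair_a, pair_b = (a.get("local"), a.get("remote")), (b.get("remote"), b.get("local"))
    if None in pair_a or pair_a != pair_b:
        findings.append("discriminators are not mirrored")
    if not a.get("auth") or not b.get("auth"):
        findings.append("authentication-mode missing or unparsed on a peer")
    else:
        names = ("auth mode", "key-id", "cipher")
        findings += [f"{n} differs" for n, x, y in zip(names, a["auth"], b["auth"]) if x != y]
    if not (a["committed"] and b["committed"]):
        findings.append("session not committed on a peer")
    return findings
```

Calling `audit_pair(stanza("atob", 1, 2, "test"), stanza("btoa", 2, 1, "test123"))` reproduces the simulated failure from the verification step and reports only that the cipher differs.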
Updated: 2019-03-06

Document ID: EDOC1100069338