Configuration Guide - IP Multicast

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of IP multicast, including IP multicast basics, IGMP, MLD, PIM (IPv4), PIM (IPv6), MSDP, multicast VPN, multicast route management (IPv4), multicast route management (IPv6), IGMP snooping, MLD snooping, static multicast MAC address, multicast VLAN, multicast network management.
Configuring IPv6 PIM IPSec

Pre-configuration Tasks

Enabling IPv6 Bidir-PIM

Configuration Procedure

Perform the configuration tasks in the listed sequence.

Configuring Basic IPSec Functions

Context

On a simple network, IPSec can be configured to protect protocol packets from being intercepted or forged.

A security association (SA) must be established before IPSec can protect protocol packets. An SA is a unidirectional logical connection established for security purposes; it specifies the parameters used by two IPSec peers (the two parties that use IPSec to protect the protocol packets exchanged between them). The elements of an SA include the following:

  • Security protocol
  • Authentication or encryption algorithm supported by the security protocol
  • Protocol packet encapsulation mode
  • Security parameter index (SPI) of the SA
  • Authentication key or encryption key of the SA

The first three elements are specified in an IPSec proposal. To configure IPSec functions, first configure an IPSec proposal on the IPSec peers, and then configure an SA.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is the Encapsulation Security Protocol (ESP).

    4. Configure an authentication or encryption algorithm.

      • If AH is used, you can configure only an AH authentication algorithm, because AH provides authentication only.

        Run the ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the AH protocol.

        By default, no authentication algorithm is used for AH.

      • If ESP is used, ESP can either authenticate packets only or both encrypt and authenticate them. Configure the ESP authentication algorithm, the ESP encryption algorithm, or both.
        • Run the esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the ESP protocol.

          By default, no authentication algorithm is used for ESP.

        • Run the esp encryption-algorithm { 3des | aes { 128 | 192 | 256 } | des | null } command to specify the encryption algorithm for the ESP protocol.

          By default, no encryption algorithm is used for ESP. If encryption is not required, specify null.

    5. Run encapsulation-mode transport

      A packet encapsulation mode is specified for the security protocol.

      By default, the packet encapsulation mode is tunnel.

      NOTE:

      Currently, only the transport mode is supported on the device.

      In transport mode, the devices that encrypt and decrypt the packets must be the originator and the receiver of those packets.

      The MD5, SHA-1, DES and 3DES algorithms are not recommended because they no longer provide adequate security.

    6. Run quit

      Return to the system view.

    7. Run commit

      The configuration is committed.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec SA does not reference any IPSec proposal.

      NOTE:

      An IPSec SA can reference only one IPSec proposal. To bind a new IPSec proposal to the IPSec SA, delete the original IPSec proposal first.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      NOTE:
      • An SPI uniquely identifies an SA. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, run one of the following commands to configure the authentication key or the encryption key. You can also configure both an authentication key and an encryption key; if both are configured, both must be hexadecimal keys.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal encryption key.

      NOTE:
      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up.
      • If you configure multiple keys in different formats, the last configured key takes effect.

    5. Run quit

      Return to the system view.

    6. Run commit

      The configuration is committed.

Configuring IPv6 PIM IPSec

Context

On a multicast network, multicast devices may be attacked by forged IPv6 PIM protocol messages. As a result, multicast data forwarding between multicast devices is interrupted. To protect multicast devices against such attacks, configure IPv6 PIM IPSec on the multicast devices to encrypt and authenticate IPv6 PIM protocol messages they send and receive.

When a Huawei device connects to a non-Huawei device that can only encrypt and authenticate IPv6 PIM Hello messages, configure the Huawei device to encrypt and authenticate only IPv6 PIM Hello messages.

A device running IPv6 PIM IPSec processes IPv6 PIM protocol messages as follows:
  • Encapsulates IPv6 PIM protocol messages with an IPSec header before sending the messages.
  • Drops IPv6 PIM protocol messages that are not protected by IPSec or fail the authentication.

If IPv6 PIM IPSec is not configured on a device, the device drops IPv6 PIM protocol messages that are protected by IPSec.

NOTE:
  • IPv6 PIM IPSec can be configured in the PIM-IPv6 view or interface view. The configuration made in the PIM-IPv6 view takes effect globally, and the configuration made in the interface view takes effect only on that interface. If IPv6 PIM IPSec is configured in both the PIM-IPv6 view and interface view, the configuration in the interface view takes precedence. If IPv6 PIM IPSec is not configured on an interface, the interface uses the configuration made in the PIM-IPv6 view.

  • To ensure normal multicast service forwarding, you are advised to configure IPv6 PIM IPSec on all the devices running IPv6 PIM.

Procedure

  • Configure global IPv6 PIM IPSec.
    1. Run system-view

      The system view is displayed.

    2. Run pim ipv6

      The PIM-IPv6 view is displayed.

    3. Configure authentication for IPv6 PIM messages.

      You can configure the device to authenticate all the IPv6 PIM unicast and multicast messages or to authenticate only IPv6 PIM Hello messages. Two IPSec peers must be configured with the same authentication behavior for IPv6 PIM messages. That is, both the IPSec peers authenticate all the IPv6 PIM messages or authenticate only IPv6 PIM Hello messages.

      • Run the [ unicast-message ] ipsec sa sa-name command to authenticate IPv6 PIM messages sent and received by the device based on a specified SA.

        You can configure one or both of the ipsec sa sa-name and unicast-message ipsec sa sa-name commands on a device. The following rules apply:
        • If only ipsec sa sa-name is configured, the device authenticates only PIM (IPv6) multicast messages using IPSec.

        • If only unicast-message ipsec sa sa-name is configured, the device authenticates only PIM (IPv6) unicast messages using IPSec.

        • If the two commands are configured simultaneously, they both take effect. That is, the device authenticates both PIM (IPv6) unicast and multicast messages using IPSec.

      • Run the hello ipsec sa sa-name command to authenticate IPv6 PIM Hello messages sent and received by the device based on a specified SA.

      NOTE:

      If the ipsec sa sa-name and hello ipsec sa sa-name commands are both configured, the command configured later overrides the command configured earlier.

    4. Run commit

      The configuration is committed.

  • Configure IPv6 PIM IPSec on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      Mode switching succeeds only when the interface carries attribute configurations alone (for example, shutdown and description), or when every configuration present is supported by both Layer 2 and Layer 3 interfaces (for example, mode lacp and lacp system-id). No configuration that would be unsupported after the working mode is switched may remain. If such configurations exist on the interface, delete them first and then run the undo portswitch command.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Configure authentication for IPv6 PIM messages.

      You can configure authentication for all IPv6 PIM messages or for IPv6 PIM Hello messages only on an interface. Two IPSec peers must be configured with the same authentication behavior for IPv6 PIM messages. That is, both IPSec peers authenticate all IPv6 PIM messages, or both authenticate only IPv6 PIM Hello messages. If you run both of the following commands, the last one configured takes effect.

      • Run the pim ipv6 ipsec sa sa-name command to authenticate IPv6 PIM messages sent and received on the interface based on a specified SA.

      • Run the pim ipv6 hello ipsec sa sa-name command to authenticate IPv6 PIM Hello messages sent and received on the interface based on a specified SA.

      NOTE:

      If the pim ipv6 ipsec sa sa-name and pim ipv6 hello ipsec sa sa-name commands are both configured, the command configured later overrides the command configured earlier.

    5. Run commit

      The configuration is committed.
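The two procedures above (IPSec proposal and SA, then the global IPv6 PIM IPSec binding) assembled into one end-to-end configuration for a pair of peers, SwitchA and SwitchB. This is an added example, not from the Huawei document; the names, SPI values and <...> key placeholders are constructed, and lines beginning with # are annotations rather than commands. Both authentication and encryption are enabled, so the keys are hexadecimal as step 4 of the SA procedure requires, and the outbound SPI and keys on one peer are the inbound SPI and keys on the other.

```text
#---- SwitchA ----
system-view
ipsec proposal pim6-prop
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
 encapsulation-mode transport
 quit
ipsec sa pim6-sa
 proposal pim6-prop
 # Outbound SPI/keys here must equal SwitchB's inbound SPI/keys, and vice versa
 sa spi outbound esp 10001
 sa spi inbound esp 10002
 # Authentication and encryption keys are both configured, so both are hexadecimal
 sa authentication-hex outbound esp <AUTH-KEY-A-TO-B>
 sa authentication-hex inbound esp <AUTH-KEY-B-TO-A>
 sa encryption-hex outbound esp <ENC-KEY-A-TO-B>
 sa encryption-hex inbound esp <ENC-KEY-B-TO-A>
 quit
pim ipv6
 # ipsec sa covers PIM multicast messages; unicast-message ipsec sa covers PIM unicast messages
 ipsec sa pim6-sa
 unicast-message ipsec sa pim6-sa
 quit
commit

#---- SwitchB: proposal and pim ipv6 views are identical to SwitchA; only the
#---- SA differs, with the inbound/outbound SPIs and keys swapped
system-view
ipsec sa pim6-sa
 proposal pim6-prop
 sa spi outbound esp 10002
 sa spi inbound esp 10001
 sa authentication-hex outbound esp <AUTH-KEY-B-TO-A>
 sa authentication-hex inbound esp <AUTH-KEY-A-TO-B>
 sa encryption-hex outbound esp <ENC-KEY-B-TO-A>
 sa encryption-hex inbound esp <ENC-KEY-A-TO-B>
 quit
commit

# Verify on either peer (any view)
display ipsec sa name pim6-sa
display pim ipv6 interface verbose
```

Once both peers are committed, the PIM neighbor relationship should come up over the protected messages; a peer that has not yet been configured drops the IPSec-protected PIM messages, so configure all IPv6 PIM devices before relying on the multicast tree.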

Verifying the IPv6 PIM IPSec Configuration

Context

After configuring IPv6 PIM IPSec, you can run the following commands in any view to check the IPSec proposal, SA, and IPv6 PIM IPSec configurations, as well as IPSec packet statistics.

Procedure

  • Run the display ipsec proposal [ name proposal-name | brief ] command to check information about an IPSec proposal.
  • Run the display ipsec sa [ name sa-name ] [ brief ] command to check information about an IPSec SA.
  • Run the display ipsec statistics [ sa-name sa-name ] [ slot slot-number ] command to check IPSec packet statistics.
  • Run the display pim ipv6 interface [ interface-type interface-number | up | down ] [ verbose ] command to check the IPv6 PIM IPSec configuration on an interface.
Updated: 2019-04-20

Document ID: EDOC1100074724