Example for Applying the Keychain to BGP
Networking Requirements
As shown in Figure 17-9, SwitchA and SwitchB are connected using BGP.
The BGP session between them must stay up while data is transmitted, and the BGP packets they exchange must be authenticated using a keychain.
Configuration Roadmap
The configuration roadmap is as follows:
Configure the basic keychain functions.
Apply the keychain to the BGP peers on SwitchA and SwitchB so that the two switches authenticate each other.
Procedure
- Configure a keychain.
# Configure Switch A.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] keychain switch mode periodic weekly
[*SwitchA-keychain-switch] tcp-kind 182
[*SwitchA-keychain-switch] tcp-algorithm-id md5 17
[*SwitchA-keychain-switch] receive-tolerance 100
[*SwitchA-keychain-switch] key-id 1
[*SwitchA-keychain-switch-keyid-1] algorithm md5
[*SwitchA-keychain-switch-keyid-1] key-string cipher Huawei@1234
[*SwitchA-keychain-switch-keyid-1] send-time day fri sat
[*SwitchA-keychain-switch-keyid-1] receive-time day fri sat
[*SwitchA-keychain-switch-keyid-1] default send-key-id
[*SwitchA-keychain-switch-keyid-1] commit
[~SwitchA-keychain-switch-keyid-1] quit
[~SwitchA-keychain-switch] quit
# Configure Switch B.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] keychain switch mode periodic weekly
[*SwitchB-keychain-switch] tcp-kind 182
[*SwitchB-keychain-switch] tcp-algorithm-id md5 17
[*SwitchB-keychain-switch] receive-tolerance 100
[*SwitchB-keychain-switch] key-id 1
[*SwitchB-keychain-switch-keyid-1] algorithm md5
[*SwitchB-keychain-switch-keyid-1] key-string cipher Huawei@1234
[*SwitchB-keychain-switch-keyid-1] send-time day fri sat
[*SwitchB-keychain-switch-keyid-1] receive-time day fri sat
[*SwitchB-keychain-switch-keyid-1] default send-key-id
[*SwitchB-keychain-switch-keyid-1] commit
[~SwitchB-keychain-switch-keyid-1] quit
[~SwitchB-keychain-switch] quit
- Apply the keychain to BGP for authentication. The keychain authenticates the TCP segments carrying BGP messages; it does not encrypt them. The tcp-kind, tcp-algorithm-id, key ID, algorithm and key string must match on both peers, or the session will not be established.
# Configure Switch A.
[~SwitchA] vlan 10
[*SwitchA-vlan10] quit
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface vlanif 10
[*SwitchA-Vlanif10] ip address 192.168.1.1 24
[*SwitchA-Vlanif10] commit
[~SwitchA-Vlanif10] quit
[~SwitchA] bgp 1
[*SwitchA-bgp] router-id 1.1.1.1
[*SwitchA-bgp] peer 192.168.1.2 as-number 1
[*SwitchA-bgp] peer 192.168.1.2 keychain switch
[*SwitchA-bgp] commit
[~SwitchA-bgp] quit
[~SwitchA] quit
# Configure Switch B.
[~SwitchB] vlan 10
[*SwitchB-vlan10] quit
[*SwitchB] interface 10ge 1/0/1
[*SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchB-10GE1/0/1] quit
[*SwitchB] interface vlanif 10
[*SwitchB-Vlanif10] ip address 192.168.1.2 24
[*SwitchB-Vlanif10] commit
[~SwitchB-Vlanif10] quit
[~SwitchB] bgp 1
[*SwitchB-bgp] router-id 2.2.2.2
[*SwitchB-bgp] peer 192.168.1.1 as-number 1
[*SwitchB-bgp] peer 192.168.1.1 keychain switch
[*SwitchB-bgp] commit
[~SwitchB-bgp] quit
[~SwitchB] quit
- Verify the configuration.
# Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain switch
Keychain information:
---------------------
  Keychain name          : switch
  Timer mode             : Weekly periodic
  Receive tolerance(min) : 100
  TCP kind               : 182
  TCP algorithm ID       :
    HMAC-MD5             : 5
    HMAC-SHA1-12         : 2
    HMAC-SHA1-20         : 6
    MD5                  : 17
    SHA1                 : 4
    HMAC-SHA-256         : 7
    SHA-256              : 8
  Number of key ID       : 1
  Active send key ID     : 1
  Active receive key ID  : 01
  Default send key ID    : Not configured

Key ID information:
-------------------
  Key ID                 : 1
    Key string           : ******
    Algorithm            : MD5
    Send timer           :
      Day(s)             : Fri Sat
      Status             : Active
    Receive timer        :
      Day(s)             : Fri Sat
      Status             : Active
# After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command to check authentication information about the BGP peer. The display on Switch A is used as an example.
<SwitchA> display bgp peer 192.168.1.2 verbose

         BGP Peer is 192.168.1.2,  remote AS 1
         Type: IBGP link
         BGP version 4, Remote router ID 2.2.2.2
         Update-group ID: 3
         BGP current state: Established, Up for 00h03m40s
         BGP current event: RecvKeepalive
         BGP last state: OpenConfirm
         BGP Peer Up count: 1
         Received total routes: 0
         Received active routes total: 0
         Advertised total routes: 0
         Port: Local - 179        Remote - 53183
         Configured: Connect-retry Time: 32 sec
         Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
         Received  : Active Hold Time: 180 sec
         Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
         Peer optional capabilities:
         Peer supports bgp multi-protocol extension
         Peer supports bgp route refresh capability
         Peer supports bgp 4-byte-as capability
         Address family IPv4 Unicast: advertised and received
 Received: Total  messages  7
                  Update messages        1
                  Open messages          1
                  KeepAlive messages     5
                  Notification messages  0
                  Refresh messages       0
 Sent    : Total  messages  7
                  Update messages        1
                  Open messages          1
                  KeepAlive messages     5
                  Notification messages  0
                  Refresh messages       0
 Authentication type configured: Keychain(switch)
 Last keepalive received: 2014-05-26 16:55:58+00:00
 Last keepalive sent    : 2014-05-26 16:55:58+00:00
 Last update received   : 2014-05-26 16:52:27+00:00
 Last update sent       : 2014-05-26 16:52:27+00:00
 No refresh received since peer has been configured
 No refresh sent since peer has been configured
 Minimum route advertisement interval is 15 seconds
 Optional capabilities:
 Route refresh capability has been enabled
 4-byte-as capability has been enabled
 Peer Preferred Value: 0
 Routing policy configured:
 No routing policy is configured
Configuration Files
Switch A configuration file
#
sysname SwitchA
#
vlan batch 10
#
keychain switch mode periodic weekly
 receive-tolerance 100
 tcp-kind 182
 tcp-algorithm-id md5 17
 #
 key-id 1
  algorithm md5
  key-string cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\L6'1"`SwCQJ<M|vA:%^%#
  send-time day fri sat
  receive-time day fri sat
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 1
 router-id 1.1.1.1
 peer 192.168.1.2 as-number 1
 peer 192.168.1.2 keychain switch
 #
 ipv4-family unicast
  peer 192.168.1.2 enable
#
return
Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 10
#
keychain switch mode periodic weekly
 receive-tolerance 100
 tcp-kind 182
 tcp-algorithm-id md5 17
 #
 key-id 1
  algorithm md5
  key-string cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\L6'1"`SwCQJ<M|vA:%^%#
  send-time day fri sat
  receive-time day fri sat
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.2 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 1
 router-id 2.2.2.2
 peer 192.168.1.1 as-number 1
 peer 192.168.1.1 keychain switch
 #
 ipv4-family unicast
  peer 192.168.1.1 enable
#
return
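The following script is an added example, not part of this page or of Huawei's software. It parses the keychain and bgp blocks of the two configuration files above (embedded as constructed sample input) and checks, for a given point in time, the conditions under which SwitchA and SwitchB can authenticate each other: the peer statements reference each other and both apply the keychain, tcp-kind and tcp-algorithm-id match, every key ID exists on both sides with the same algorithm, and the key one side sends with falls inside the other side's receive window. The time-window rules it applies are assumptions, not taken from this page: a key is used for sending while its send-time is active, otherwise the key marked default send-key-id is used; a received key ID is accepted only inside its receive-time, widened by receive-tolerance minutes before and after the window. Under those assumptions the example shows why a keychain whose only key has send-time and receive-time "day fri sat" cannot authenticate the session on a Wednesday even with default send-key-id set: the sender still signs with key 1, but the receiver's window is closed.

```python
"""Keychain consistency check between two BGP peers (added example, not Huawei code).
Assumed semantics, not stated on the page: a key signs outgoing segments while inside
its send-time, otherwise the `default send-key-id` key is used; a received key ID is
accepted only inside its receive-time, widened by receive-tolerance minutes at both ends."""
from datetime import datetime, timedelta

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
# Constructed sample input: SwitchA's configuration file from this page, trimmed to the
# keychain and bgp blocks; SwitchB is its mirror image.
SWITCH_A = """\
keychain switch mode periodic weekly
 receive-tolerance 100
 tcp-kind 182
 tcp-algorithm-id md5 17
 key-id 1
  algorithm md5
  key-string cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\\L6'1"`SwCQJ<M|vA:%^%#
  send-time day fri sat
  receive-time day fri sat
  default send-key-id
#
bgp 1
 peer 192.168.1.2 as-number 1
 peer 192.168.1.2 keychain switch
"""
SWITCH_B = SWITCH_A.replace("192.168.1.2", "192.168.1.1")


def parse_config(text):
    """Collect keychains (keys, windows, TCP option parameters) and BGP peer lines."""
    cfg, block, chain, key = {"keychains": {}, "peers": {}}, None, None, None
    for raw in text.splitlines():
        toks, indent = raw.split(), len(raw) - len(raw.lstrip(" "))
        if not toks or toks[0] == "#":
            continue
        if indent == 0:                                # entering a new top-level view
            block, chain, key = toks[0], None, None
            if block == "keychain":
                chain = cfg["keychains"].setdefault(toks[1], {"keys": {}})
        elif block == "keychain" and indent == 1:      # keychain view
            if toks[0] == "key-id":
                key = chain["keys"].setdefault(int(toks[1]), {"send_days": [], "receive_days": [], "default_send": False})
            else:                                      # tcp-kind, tcp-algorithm-id, receive-tolerance
                key, chain[toks[0]] = None, " ".join(toks[1:])
        elif block == "keychain" and key is not None:  # key-id view
            if toks[0] in ("send-time", "receive-time") and toks[1] == "day":
                key[toks[0].split("-")[0] + "_days"] = toks[2:]
            elif toks[0] == "default":
                key["default_send"] = True
            else:                                      # algorithm, key-string
                key[toks[0]] = " ".join(toks[1:])
        elif block == "bgp" and toks[0] == "peer":
            cfg["peers"].setdefault(toks[1], {})[toks[2]] = " ".join(toks[3:]) or True
    return cfg


def in_weekly_window(days, at, tolerance_min=0):
    """True if `at` (datetime or ISO string) lies inside one of the whole-weekday
    windows in `days`, each widened by tolerance_min minutes at both ends (assumed)."""
    at = at if isinstance(at, datetime) else datetime.fromisoformat(at)
    tol = timedelta(minutes=tolerance_min)
    monday = (at - timedelta(days=at.weekday())).replace(hour=0, minute=0, second=0, microsecond=0)
    for day in days:
        for shift in (-7, 0, 7):                       # a widened window can cross the week edge
            start = monday + timedelta(days=WEEKDAYS.index(day) + shift)
            if start - tol <= at < start + timedelta(days=1) + tol:
                return True
    return False


def send_key(chain, at):
    """Key ID signing outgoing segments at `at`: lowest active key, else default, else None."""
    active = [k for k, v in sorted(chain["keys"].items()) if in_weekly_window(v["send_days"], at)]
    default = [k for k, v in chain["keys"].items() if v["default_send"]]
    return (active or default or [None])[0]


def accepts(chain, key_id, at):
    """Whether a receiver using `chain` accepts segments signed with key_id at `at`."""
    key = chain["keys"].get(key_id)
    return key is not None and in_weekly_window(key["receive_days"], at, int(chain.get("receive-tolerance", 0)))


def check_peering(cfg_a, addr_a, cfg_b, addr_b, at):
    """Findings that would break (error:) or weaken (warning:) authentication at `at`."""
    pa, pb = cfg_a["peers"].get(addr_b, {}), cfg_b["peers"].get(addr_a, {})
    ka, kb = cfg_a["keychains"].get(pa.get("keychain")), cfg_b["keychains"].get(pb.get("keychain"))
    if ka is None or kb is None:
        return ["error: keychain not applied to the peer on both sides"]
    out = []
    for attr in ("tcp-kind", "tcp-algorithm-id"):      # both travel in the TCP option and must match
        if ka.get(attr) != kb.get(attr):
            out.append(f"error: {attr} mismatch ({ka.get(attr)} vs {kb.get(attr)})")
    for kid in sorted(set(ka["keys"]) | set(kb["keys"])):
        a, b = ka["keys"].get(kid), kb["keys"].get(kid)
        if a is None or b is None or a.get("algorithm") != b.get("algorithm"):
            out.append(f"error: key-id {kid} missing or algorithm differs between peers")
        elif a.get("algorithm") == "md5":
            out.append(f"warning: key-id {kid} uses MD5; prefer an HMAC-SHA-256 key")
    for name, src, dst in (("A->B", ka, kb), ("B->A", kb, ka)):
        kid = send_key(src, at)
        if kid is None:
            out.append(f"error: {name}: no active send key and no default send-key-id")
        elif not accepts(dst, kid, at):
            out.append(f"error: {name}: key-id {kid} is sent but is outside the receiver's receive-time")
    return out
```

Run `check_peering(parse_config(SWITCH_A), "192.168.1.1", parse_config(SWITCH_B), "192.168.1.2", "2014-05-30 12:00")` for a Friday and the only finding is the MD5 warning; on "2014-05-28 12:00" (a Wednesday) both directions are reported as sent with key 1 outside the receiver's window. MD5 is reported as a warning rather than an error because the display keychain output above shows this platform also offers HMAC-SHA-256 (algorithm ID 7), which is the better choice for a new deployment.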