S1720, S2700, S5700, S6720 V200R012(C00&C20) Configuration Guide - Security

This document describes security configuration, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP Snooping, ND Snooping, PPPoE+, IPSG, SAVI, URPF, Keychain, MPAC, PKI, service and management isolation, and security risk query configuration.
Example for Configuring BGP Keychain Authentication

Networking Requirements

As shown in Figure 14-9, SwitchA and SwitchB on the network communicate through BGP.

The BGP connection must remain stable during data transmission and must not be torn down by attacks from unauthorized users.

Figure 14-9  Networking diagram for BGP keychain authentication

Configuration Roadmap

The configuration roadmap for BGP keychain authentication is as follows:

  1. Configure basic keychain functions.

  2. Configure the switches to use the keychain to authenticate BGP.

Procedure

  1. Configure keychain authentication.

    # Configure SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] keychain huawei mode periodic weekly
    [SwitchA-keychain-huawei] tcp-kind 182
    [SwitchA-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
    [SwitchA-keychain-huawei] receive-tolerance 100
    [SwitchA-keychain-huawei] key-id 1
    [SwitchA-keychain-huawei-keyid-1] algorithm hmac-sha-256
    [SwitchA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [SwitchA-keychain-huawei-keyid-1] send-time day mon to sat
    [SwitchA-keychain-huawei-keyid-1] receive-time day mon to sat
    [SwitchA-keychain-huawei-keyid-1] default send-key-id
    [SwitchA-keychain-huawei-keyid-1] quit
    [SwitchA-keychain-huawei] quit

    # Configure SwitchB.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] keychain huawei mode periodic weekly
    [SwitchB-keychain-huawei] tcp-kind 182
    [SwitchB-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
    [SwitchB-keychain-huawei] receive-tolerance 100
    [SwitchB-keychain-huawei] key-id 1
    [SwitchB-keychain-huawei-keyid-1] algorithm hmac-sha-256
    [SwitchB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [SwitchB-keychain-huawei-keyid-1] send-time day mon to sat
    [SwitchB-keychain-huawei-keyid-1] receive-time day mon to sat
    [SwitchB-keychain-huawei-keyid-1] default send-key-id
    [SwitchB-keychain-huawei-keyid-1] quit
    [SwitchB-keychain-huawei] quit

  2. Configure BGP to use the keychain for authentication and encryption.

    # Configure SwitchA.

    [SwitchA] vlan 10
    [SwitchA-vlan10] quit
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
    [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
    [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface vlanif 10
    [SwitchA-Vlanif10] ip address 192.168.1.1 24
    [SwitchA-Vlanif10] quit
    [SwitchA] bgp 1
    [SwitchA-bgp] router-id 1.1.1.1
    [SwitchA-bgp] peer 192.168.1.2 as-number 1
    [SwitchA-bgp] peer 192.168.1.2 keychain huawei
    [SwitchA-bgp] quit
    [SwitchA] quit

    # Configure SwitchB.

    [SwitchB] vlan 10
    [SwitchB-vlan10] quit
    [SwitchB] interface gigabitethernet 0/0/1
    [SwitchB-GigabitEthernet0/0/1] port link-type hybrid
    [SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
    [SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
    [SwitchB-GigabitEthernet0/0/1] quit
    [SwitchB] interface vlanif 10
    [SwitchB-Vlanif10] ip address 192.168.1.2 24
    [SwitchB-Vlanif10] quit
    [SwitchB] bgp 1
    [SwitchB-bgp] router-id 2.2.2.2
    [SwitchB-bgp] peer 192.168.1.1 as-number 1
    [SwitchB-bgp] peer 192.168.1.1 keychain huawei 
    [SwitchB-bgp] quit
    [SwitchB] quit

  3. Verify the configuration.

    # Run the display keychain keychain-name command to check the current status of the key-ids in the keychain, as shown below:

    <SwitchA> display keychain huawei
     Keychain Information:
     ---------------------
     Keychain Name             : huawei
       Timer Mode              : Weekly periodic
       Time Type               : Lmt
       Receive Tolerance(min)  : 100
       TCP Kind                : 182
       TCP Algorithm IDs       :
         HMAC-MD5              : 5
         HMAC-SHA1-12          : 2
         HMAC-SHA1-20          : 6
         HMAC-SHA-256          : 17
         SHA-256               : 8
         MD5                   : 3
         SHA1                  : 4
     Number of Key IDs         : 1
     Active Send Key ID        : 1
     Active Receive Key IDs    : 01
     Default send Key ID       : 1
     Default send Key Status   : Inactive 
    
    
     Key ID Information:
     -------------------
     Key ID                    : 1
       Key string              : ******
       Algorithm               : HMAC-SHA-256
       SEND TIMER              :
         Day(s)                : Mon Tue Wed Thu Fri Sat
         Status                : Active
       RECEIVE TIMER           :
         Day(s)                : Mon Tue Wed Thu Fri Sat
         Status                : Active
    

    # After the network becomes stable, run the display bgp peer ipv4-address verbose command to check the authentication information of the BGP peer. SwitchA is used as an example.

    <SwitchA> display bgp peer 192.168.1.2 verbose
            
            BGP Peer is 192.168.1.2,  remote AS 1                       
            Type: IBGP link                                       
            BGP version 4, Remote router ID 2.2.2.2              
            Update-group ID: 1                                          
            BGP current state: Established, Up for 00h05m17s
            BGP current event: RecvKeepalive
            BGP last state: OpenConfirm                                       
            BGP Peer Up count: 1                                       
            Received total routes: 0                                      
            Received active routes total: 0                              
            Received mac routes: 0
            Advertised total routes: 0                         
            Port:  Local - 179      Remote - 55828
            Configured: Connect-retry Time: 32 sec                        
            Configured: Min Hold Time: 0 sec                             
            Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec               
            Received  : Active Hold Time: 180 sec                          
            Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec            
            Peer optional capabilities:                           
            Peer supports bgp multi-protocol extension                         
            Peer supports bgp route refresh capability                        
            Peer supports bgp 4-byte-as capability                  
            Address family IPv4 Unicast: advertised and received                 
     Received: Total 7 messages                                      
                     Update messages                0
                     Open messages                  1
                     KeepAlive messages             6
                     Notification messages          0
                     Refresh messages               0
     Sent: Total 9 messages
                     Update messages                0
                     Open messages                  2
                     KeepAlive messages             7
                     Notification messages          0
                     Refresh messages               0
     Authentication type configured: Keychain(huawei)             
     Last keepalive received: 2014-11-04 11:02:39+00:00
     Last keepalive sent    : 2014-11-04 11:02:39+00:00
     Minimum route advertisement interval is 15 seconds           
     Optional capabilities:                                       
     Route refresh capability has been enabled                    
     4-byte-as capability has been enabled                        
     Peer Preferred Value: 0                                      
     Routing policy configured:                                   
     No routing policy is configured               
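The "Authentication type configured: Keychain(huawei)" line is the evidence that the session is actually protected; an Established session without that line is reachable but unauthenticated. The following Python audit is an added example, not a Huawei tool: it parses the relevant lines of display bgp peer verbose output (the constructed sample below is trimmed from the SwitchA output shown above), handles output with several peers by splitting on "BGP Peer is", and assumes that the "Authentication type configured" line is simply absent when no authentication is configured on a peer.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the SwitchA output above, trimmed to the fields the audit uses.
SAMPLE_OUTPUT = """\
        BGP Peer is 192.168.1.2,  remote AS 1
        Type: IBGP link
        BGP current state: Established, Up for 00h05m17s
 Authentication type configured: Keychain(huawei)
"""

# Constructed sample: the same peer as it would look before step 2 was applied
# (assumption: no "Authentication type configured" line when nothing is configured).
SAMPLE_OUTPUT_NO_AUTH = """\
        BGP Peer is 192.168.1.2,  remote AS 1
        Type: IBGP link
        BGP current state: Established, Up for 00h05m17s
"""

PEER_RE = re.compile(r"BGP Peer is (\S+),\s+remote AS (\d+)")
STATE_RE = re.compile(r"BGP current state: (\w+)")
AUTH_RE = re.compile(r"Authentication type configured: (\w+)(?:\((\S+)\))?")


def parse_bgp_peers(text: str) -> List[Dict[str, Optional[str]]]:
    """Split verbose output into per-peer records with the fields the audit needs."""
    peers = []
    for chunk in re.split(r"(?=BGP Peer is )", text):
        m = PEER_RE.search(chunk)
        if not m:
            continue  # leading whitespace or unrelated text before the first peer
        state = STATE_RE.search(chunk)
        auth = AUTH_RE.search(chunk)
        peers.append({
            "peer": m.group(1),
            "remote_as": m.group(2),
            "state": state.group(1) if state else None,
            "auth_type": auth.group(1) if auth else None,
            "keychain": auth.group(2) if auth else None,
        })
    return peers


def audit_bgp_auth(text: str, expected_keychain: str) -> List[str]:
    """Return one finding per peer that is not authenticated with the expected keychain."""
    findings = []
    for p in parse_bgp_peers(text):
        if p["auth_type"] is None:
            findings.append(f"{p['peer']} (AS {p['remote_as']}): no authentication configured")
        elif p["auth_type"] != "Keychain" or p["keychain"] != expected_keychain:
            findings.append(f"{p['peer']}: expected Keychain({expected_keychain}), "
                            f"found {p['auth_type']}({p['keychain']})")
    return findings


if __name__ == "__main__":
    print(parse_bgp_peers(SAMPLE_OUTPUT))
    print("findings:", audit_bgp_auth(SAMPLE_OUTPUT, "huawei"))
    print("findings:", audit_bgp_auth(SAMPLE_OUTPUT_NO_AUTH, "huawei"))
```

Running this over the output of every switch after a change window gives a quick check that no peer was left without keychain authentication, and that every peer references the keychain name you intended rather than a stale one.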

Configuration Files

  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id hmac-sha-256 17
     key-id 1
      algorithm hmac-sha-256
      key-string cipher %^%#Vj-D<jJ%aNGasyD!w#hVP]6xEn`_l(7bf6%m;P3P%^%#
      send-time day mon to sat
      receive-time day mon to sat
      default send-key-id 
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type hybrid
     port hybrid pvid vlan 10
     port hybrid untagged vlan 10
    #
    bgp 1
     router-id 1.1.1.1
     peer 192.168.1.2 as-number 1
     peer 192.168.1.2 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.2 enable
    #
    return

  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    vlan batch 10
    #
    keychain huawei mode periodic weekly
     receive-tolerance 100
     tcp-kind 182
     tcp-algorithm-id hmac-sha-256 17
     key-id 1
      algorithm hmac-sha-256
      key-string cipher %^%#Dvqg<X&x>"h`1&Q\1RAT>0\TVnbc<FJyVlAy=p<#%^%#
      send-time day mon to sat
      receive-time day mon to sat
      default send-key-id 
    #
    interface Vlanif10
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type hybrid
     port hybrid pvid vlan 10
     port hybrid untagged vlan 10
    #
    bgp 1
     router-id 2.2.2.2
     peer 192.168.1.1 as-number 1
     peer 192.168.1.1 keychain huawei
     #
     ipv4-family unicast
      undo synchronization
      peer 192.168.1.1 enable
    #
    return
Updated: 2018-12-24

Document ID: EDOC1100038434