Example for Configuring RIP to Use Keychain Authentication
Configuration Roadmap
To keep RIP adjacencies stable, RIP protocol packets must be delivered reliably and unmodified, so authentication and encryption are recommended to protect RIP protocol data in transit. To prevent an unauthorized party from recovering the authentication algorithm and key and reusing them, the algorithm and key should also be rotated dynamically. Keychain provides both properties, so it is used here to protect the RIP connection.
The roadmap for protecting RIP with Keychain is as follows:
Configure basic RIP functions.
Configure the Keychain function.
Apply the Keychain to RIP.
Procedure
- Configure basic RIP functions
# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] rip 1
[*SwitchA-rip-1] version 2
[*SwitchA-rip-1] network 192.168.1.0
[*SwitchA-rip-1] commit
[~SwitchA-rip-1] quit
# Configure SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] rip 1
[*SwitchB-rip-1] version 2
[*SwitchB-rip-1] network 192.168.1.0
[*SwitchB-rip-1] commit
[~SwitchB-rip-1] quit
- Configure the Keychain function
# Configure SwitchA.
[~SwitchA] keychain switch mode absolute
[*SwitchA-keychain-switch] receive-tolerance 100
[*SwitchA-keychain-switch] key-id 1
[*SwitchA-keychain-switch-keyid-1] algorithm md5
[*SwitchA-keychain-switch-keyid-1] key-string cipher Huawei@1234
[*SwitchA-keychain-switch-keyid-1] send-time 0:00 2012-3-12 to 23:59 2012-3-12
[*SwitchA-keychain-switch-keyid-1] receive-time 0:00 2012-3-12 to 23:59 2012-3-12
[*SwitchA-keychain-switch-keyid-1] default send-key-id
[*SwitchA-keychain-switch-keyid-1] commit
[~SwitchA-keychain-switch-keyid-1] quit
[~SwitchA-keychain-switch] quit
# Configure SwitchB.
[~SwitchB] keychain switch mode absolute
[*SwitchB-keychain-switch] receive-tolerance 100
[*SwitchB-keychain-switch] key-id 1
[*SwitchB-keychain-switch-keyid-1] algorithm md5
[*SwitchB-keychain-switch-keyid-1] key-string cipher Huawei@1234
[*SwitchB-keychain-switch-keyid-1] send-time 0:00 2012-3-12 to 23:59 2012-3-12
[*SwitchB-keychain-switch-keyid-1] receive-time 0:00 2012-3-12 to 23:59 2012-3-12
[*SwitchB-keychain-switch-keyid-1] default send-key-id
[*SwitchB-keychain-switch-keyid-1] commit
[~SwitchB-keychain-switch-keyid-1] quit
[~SwitchB-keychain-switch] quit
- Apply the Keychain to RIP
# Configure SwitchA.
[~SwitchA] vlan 10
[*SwitchA-vlan10] quit
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface vlanif 10
[*SwitchA-Vlanif10] ip address 192.168.1.1 24
[*SwitchA-Vlanif10] rip authentication-mode md5 nonstandard keychain switch
[*SwitchA-Vlanif10] commit
[~SwitchA-Vlanif10] quit
[~SwitchA] quit
# Configure SwitchB.
[~SwitchB] vlan 10
[*SwitchB-vlan10] quit
[*SwitchB] interface 10ge 1/0/1
[*SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchB-10GE1/0/1] quit
[*SwitchB] interface vlanif 10
[*SwitchB-Vlanif10] ip address 192.168.1.2 24
[*SwitchB-Vlanif10] rip authentication-mode md5 nonstandard keychain switch
[*SwitchB-Vlanif10] commit
[~SwitchB-Vlanif10] quit
[~SwitchB] quit
- Verify the configuration
# Run the display keychain keychain-name command to check the current status of the key ID in the keychain. The output is as follows:
<SwitchA> display keychain switch
Keychain information:
----------------------
  Keychain name          : switch
  Timer mode             : Absolute
  Receive tolerance(min) : 100
  TCP kind               : 254
  TCP algorithm ID       :
    HMAC-MD5     : 5
    HMAC-SHA1-12 : 2
    HMAC-SHA1-20 : 6
    MD5          : 3
    SHA1         : 4
    HMAC-SHA-256 : 7
    SHA-256      : 8
  Number of key ID       : 1
  Active send key ID     : 1
  Active receive key ID  : 01
  Default send key ID    : Not configured
Key ID information:
----------------------
  Key ID        : 1
  Key string    : ******
  Algorithm     : MD5
  Send timer    :
    Start time  : 2012-03-12 00:00
    End time    : 2012-03-12 23:59
    Status      : Active
  Receive timer :
    Start time  : 2012-03-12 00:00
    End time    : 2012-03-12 23:59
    Status      : Active
# After the Keychain has been applied to RIP, run the display rip process-id interface verbose command to check the authentication mode used for RIP packets. SwitchA is used as an example.
<SwitchA> display rip 1 interface verbose
 Vlanif10(192.168.1.1)
  State           : UP            MTU       : 500
  Metricin        : 0             Metricout : 1
  Input           : Enabled       Output    : Enabled
  Protocol        : RIPv2 Multicast
  Send version    : RIPv2 Multicast Packets
  Receive version : RIPv2 Multicast and Broadcast Packets
  Poison-reverse  : Disabled      Split-Horizon : Enabled
  Authentication type : MD5 (Non-standard - Keychain: switch)
  Last Sequence Number Sent : 0x0
  Replay Protection : Disabled
  Max Packet Length : 512
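The key-selection rules that the verification output above reflects (a send key is active inside its send-time window, the default send key stands in otherwise, and inbound keys are accepted within receive-time extended by receive-tolerance) as an added Python model; this is not code from the page or from Huawei. It parses a keychain block in the configuration-file format shown on this page and predicts whether SwitchA and SwitchB can authenticate each other at a given moment; the fallback-to-default behaviour and the both-ends application of the tolerance are assumptions.

```python
from datetime import datetime, timedelta
# Constructed keychain text mirroring the page's "keychain switch" block (identical on both switches).
KEYCHAIN_TEXT = """\
keychain switch mode absolute
 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string cipher Huawei@1234
  send-time 00:00 2012-03-12 to 23:59 2012-03-12
  receive-time 00:00 2012-03-12 to 23:59 2012-03-12
  default send-key-id
"""
FMT = "%H:%M %Y-%m-%d"  # layout of "00:00 2012-03-12" inside send-time/receive-time

def at(s):  # helper: datetime from "YYYY-MM-DD HH:MM"
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def parse_keychain(text):
    """Parse an absolute-mode keychain block into tolerance, keys and default send key."""
    chain, cur = {"tolerance_min": 0, "default_send": None, "keys": {}}, None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "receive-tolerance":
            chain["tolerance_min"] = int(p[1])
        elif p[0] == "key-id":
            cur = int(p[1]); chain["keys"][cur] = {}
        elif p[0] in ("algorithm", "key-string"):    # "key-string cipher <secret>"
            chain["keys"][cur][p[0]] = p[-1]
        elif p[0] in ("send-time", "receive-time"):  # "<HH:MM> <date> to <HH:MM> <date>"
            chain["keys"][cur][p[0]] = (datetime.strptime(f"{p[1]} {p[2]}", FMT),
                                        datetime.strptime(f"{p[4]} {p[5]}", FMT))
        elif p[:2] == ["default", "send-key-id"]:
            chain["default_send"] = cur
    return chain

def active_send_key(chain, now):
    """Key signing outbound packets: send window covering now, else the default key (assumed fallback)."""
    for kid, k in sorted(chain["keys"].items()):
        if k["send-time"][0] <= now <= k["send-time"][1]:
            return kid
    return chain["default_send"]

def accepted_receive_keys(chain, now):
    """Keys accepted inbound: receive window widened at both ends by receive-tolerance (assumption)."""
    tol = timedelta(minutes=chain["tolerance_min"])
    return [kid for kid, k in sorted(chain["keys"].items())
            if k["receive-time"][0] - tol <= now <= k["receive-time"][1] + tol]

def peers_can_authenticate(local, remote, now):
    """True when the key local sends with is accepted by remote with the same algorithm and secret."""
    kid = active_send_key(local, now)
    if kid is None or kid not in accepted_receive_keys(remote, now):
        return False
    a, b = local["keys"][kid], remote["keys"][kid]
    return a["algorithm"] == b["algorithm"] and a["key-string"] == b["key-string"]
```

A False result outside the configured windows (or with a mismatched key-string on one side) is what an RIP authentication failure between the two switches would look like in practice.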
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
keychain switch mode absolute
 receive-tolerance 100
 #
 key-id 1
  algorithm md5
  key-string cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\L6'1"`SwCQJ<M|vA:%^%#
  send-time 00:00 2012-03-12 to 23:59 2012-03-12
  receive-time 00:00 2012-03-12 to 23:59 2012-03-12
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 rip authentication-mode md5 nonstandard keychain switch
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
rip 1
 version 2
 network 192.168.1.0
#
return
SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10
#
keychain switch mode absolute
 receive-tolerance 100
 #
 key-id 1
  algorithm md5
  key-string cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\L6'1"`SwCQJ<M|vA:%^%#
  send-time 00:00 2012-03-12 to 23:59 2012-03-12
  receive-time 00:00 2012-03-12 to 23:59 2012-03-12
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.2 255.255.255.0
 rip authentication-mode md5 nonstandard keychain switch
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
rip 1
 version 2
 network 192.168.1.0
#
return