As shown in Figure 1, SwitchA and SwitchB are connected using BGP.
The BGP connection needs to be retained during data transmission.
The configuration roadmap is as follows:
1. Configure the basic keychain functions.
2. Configure BGP on each switch to authenticate its peer with the keychain.
# Configure the keychain on Switch A.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] keychain huawei mode periodic weekly
[SwitchA-keychain-huawei] tcp-kind 182
[SwitchA-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
[SwitchA-keychain-huawei] receive-tolerance 100
[SwitchA-keychain-huawei] key-id 1
[SwitchA-keychain-huawei-keyid-1] algorithm hmac-sha-256
[SwitchA-keychain-huawei-keyid-1] key-string cipher Huawei@1234
[SwitchA-keychain-huawei-keyid-1] send-time day mon to sat
[SwitchA-keychain-huawei-keyid-1] receive-time day mon to sat
[SwitchA-keychain-huawei-keyid-1] default send-key-id
[SwitchA-keychain-huawei-keyid-1] quit
[SwitchA-keychain-huawei] quit
# Configure the keychain on Switch B.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] keychain huawei mode periodic weekly
[SwitchB-keychain-huawei] tcp-kind 182
[SwitchB-keychain-huawei] tcp-algorithm-id hmac-sha-256 17
[SwitchB-keychain-huawei] receive-tolerance 100
[SwitchB-keychain-huawei] key-id 1
[SwitchB-keychain-huawei-keyid-1] algorithm hmac-sha-256
[SwitchB-keychain-huawei-keyid-1] key-string cipher Huawei@1234
[SwitchB-keychain-huawei-keyid-1] send-time day mon to sat
[SwitchB-keychain-huawei-keyid-1] receive-time day mon to sat
[SwitchB-keychain-huawei-keyid-1] default send-key-id
[SwitchB-keychain-huawei-keyid-1] quit
[SwitchB-keychain-huawei] quit
# Configure the interface and BGP on Switch A, and apply the keychain to the BGP peer.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] bgp 1
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 192.168.1.2 as-number 1
[SwitchA-bgp] peer 192.168.1.2 keychain huawei
[SwitchA-bgp] quit
[SwitchA] quit
# Configure the interface and BGP on Switch B, and apply the keychain to the BGP peer.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type hybrid
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 192.168.1.2 24
[SwitchB-Vlanif10] quit
[SwitchB] bgp 1
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 192.168.1.1 as-number 1
[SwitchB-bgp] peer 192.168.1.1 keychain huawei
[SwitchB-bgp] quit
[SwitchB] quit
# Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain huawei
Keychain Information:
---------------------
Keychain Name : huawei
Timer Mode : Weekly periodic
Time Type : Lmt
Receive Tolerance(min) : 100
TCP Kind : 182
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 17
SHA-256 : 8
MD5 : 3
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : 1
Default send Key Status : Inactive
Key ID Information:
-------------------
Key ID : 1
Key string : ******
Algorithm : HMAC-SHA-256
SEND TIMER :
Day(s) : Mon Tue Wed Thu Fri Sat
Status : Active
RECEIVE TIMER :
Day(s) : Mon Tue Wed Thu Fri Sat
Status : Active
# When the network runs stably, run the display bgp peer ipv4-address verbose command to check authentication information about the BGP peer. The display on Switch A is used as an example.
<SwitchA> display bgp peer 192.168.1.2 verbose
BGP Peer is 192.168.1.2, remote AS 1
Type: IBGP link
BGP version 4, Remote router ID 2.2.2.2
Update-group ID: 1
BGP current state: Established, Up for 00h05m17s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Received mac routes: 0
Advertised total routes: 0
Port: Local - 179 Remote - 55828
Configured: Connect-retry Time: 32 sec
Configured: Min Hold Time: 0 sec
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 7 messages
Update messages 0
Open messages 1
KeepAlive messages 6
Notification messages 0
Refresh messages 0
Sent: Total 9 messages
Update messages 0
Open messages 2
KeepAlive messages 7
Notification messages 0
Refresh messages 0
Authentication type configured: Keychain(huawei)
Last keepalive received: 2014-11-04 11:02:39+00:00
Last keepalive sent : 2014-11-04 11:02:39+00:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
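Added example (not part of the original documentation): a Python check over the two displays above that confirms the peer uses the keychain, that each key uses an approved algorithm, and that every day of the week has a send and a receive timer. The APPROVED policy set, the function names and the trimmed sample text are assumptions made here.

```python
import re

WEEK = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
APPROVED = {"HMAC-SHA-256"}  # assumed local policy, not a device default
TOP = {"Keychain Name": "name", "Default send Key ID": "default_send"}
# Constructed samples: trimmed copies of the two displays shown above.
KEYCHAIN = """Keychain Name : huawei
Default send Key ID : 1
Key ID : 1
Algorithm : HMAC-SHA-256
SEND TIMER :
Day(s) : Mon Tue Wed Thu Fri Sat
RECEIVE TIMER :
Day(s) : Mon Tue Wed Thu Fri Sat
"""
PEER = "Authentication type configured: Keychain(huawei)\n"

def parse_keychain(text):
    """Parse 'display keychain' text into name, default send key and per-key data."""
    info, key, timer = {"name": None, "default_send": None, "keys": {}}, None, None
    for line in text.splitlines():
        field, _, value = (part.strip() for part in line.partition(":"))
        if field in TOP:
            info[TOP[field]] = value
        elif field == "Key ID":
            key = info["keys"].setdefault(value, {"SEND": set(), "RECEIVE": set()})
        elif field == "Algorithm" and key is not None:
            key["algorithm"] = value
        elif field in ("SEND TIMER", "RECEIVE TIMER"):
            timer = field.split()[0]
        elif field == "Day(s)" and key is not None and timer:
            key[timer].update(value.split())
    return info

def audit(keychain_text, peer_text):
    """Return a list of findings; an empty list means every check passed."""
    info, findings = parse_keychain(keychain_text), []
    auth = re.search(r"Authentication type configured:\s*(\S+)", peer_text)
    if not auth or auth.group(1) != f"Keychain({info['name']})":
        findings.append(f"peer does not use keychain {info['name']}")
    findings += [f"key {k}: algorithm {v.get('algorithm')} not approved"
                 for k, v in info["keys"].items() if v.get("algorithm") not in APPROVED]
    for direction in ("SEND", "RECEIVE"):
        covered = set().union(*(k[direction] for k in info["keys"].values()))
        gap = [day for day in WEEK if day not in covered]
        # The default send key fills send-side gaps; this page sets no receive-side fallback.
        if gap and not (direction == "SEND" and info["default_send"]):
            findings.append(f"no {direction} timer covers: {' '.join(gap)}")
    return findings
```

On the configuration shown on this page, audit(KEYCHAIN, PEER) reports only that no receive timer covers Sunday, because the send side falls back to the default send key.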
Switch A configuration file
#
sysname SwitchA
#
vlan batch 10
#
keychain huawei mode periodic weekly
 receive-tolerance 100
 tcp-kind 182
 tcp-algorithm-id hmac-sha-256 17
 key-id 1
  algorithm hmac-sha-256
  key-string cipher %^%#Vj-D<jJ%aNGasyD!w#hVP]6xEn`_l(7bf6%m;P3P%^%#
  send-time day mon to sat
  receive-time day mon to sat
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
bgp 1
 router-id 1.1.1.1
 peer 192.168.1.2 as-number 1
 peer 192.168.1.2 keychain huawei
 #
 ipv4-family unicast
  undo synchronization
  peer 192.168.1.2 enable
#
return
Switch B configuration file
#
sysname SwitchB
#
vlan batch 10
#
keychain huawei mode periodic weekly
 receive-tolerance 100
 tcp-kind 182
 tcp-algorithm-id hmac-sha-256 17
 key-id 1
  algorithm hmac-sha-256
  key-string cipher %^%#Dvqg<X&x>"h`1&Q\1RAT>0\TVnbc<FJyVlAy=p<#%^%#
  send-time day mon to sat
  receive-time day mon to sat
  default send-key-id
#
interface Vlanif10
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
bgp 1
 router-id 2.2.2.2
 peer 192.168.1.1 as-number 1
 peer 192.168.1.1 keychain huawei
 #
 ipv4-family unicast
  undo synchronization
  peer 192.168.1.1 enable
#
return