bfd authentication-mode

Function

The bfd authentication-mode command enables negotiation authentication for the BFD session with a specified peer IP address and configures the authentication information.

The undo bfd authentication-mode command disables the negotiation authentication function for the BFD session with a specified peer IP address.

By default, negotiation authentication is disabled for a BFD session. You are advised to configure BFD negotiation authentication to reduce security risks.

Format

bfd single-hop peer-ip ip-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

bfd single-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

bfd multi-hop peer-ip ip-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

bfd multi-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

bfd mpls-passive peer-ip ip-address authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

bfd lsp-tunnel peer-ip ip-address authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

undo bfd single-hop peer-ip ip-address [ vpn-instance vpn-name ]

undo bfd single-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ]

undo bfd multi-hop peer-ip ip-address [ vpn-instance vpn-name ]

undo bfd multi-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ]

undo bfd mpls-passive peer-ip ip-address

undo bfd lsp-tunnel peer-ip ip-address

Parameters

Parameter Description Value
vpn-instance vpn-name

Specifies the name of a VPN instance for the BFD sessions with negotiation authentication.

The value is a string of 1 to 31 case-sensitive characters and cannot contain spaces.

met-sha1

Specifies the M-SHA1 algorithm.

-

key-id key-id-value

Specifies the key ID.

The value is an integer ranging from 1 to 255.

cipher cipher-text

Specifies the encryption password.

The value is a string of case-sensitive characters and cannot contain spaces.

  • The value is a string of 1 to 20 characters for simple authentication keys.
  • The value is a string of 20 to 148 characters for ciphertext authentication keys.
nego-packet

Specifies authentication for BFD session negotiation packets.

-

single-hop

Specifies the BFD for IP single-hop session type.

-

peer-ipv6 ipv6-address

Specifies the peer IPv6 address of the BFD sessions with negotiation authentication.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

multi-hop

Specifies the BFD for IP multi-hop session type.

-

peer-ip ip-address

Specifies the peer IPv4 address of the BFD sessions with negotiation authentication.

The value is in dotted decimal notation.

mpls-passive

Specifies the BFD for LSP passive session type.

-

lsp-tunnel

Specifies the BFD for LSP proactive session type.

-

Views

BFD view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
bfd write

Usage Guidelines

Usage Scenario

When configuring negotiation authentication for BFD sessions, select the command that matches the type of the target BFD session.

  • bfd single-hop peer-ip ip-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for IP single-hop session with the specified peer IP address on the IPv4 network and configure the key ID and encryption password.
  • bfd single-hop peer-ipv6 ipv6-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for IP single-hop session with the specified peer IP address on the IPv6 network and configure the key ID and encryption password.
  • bfd multi-hop peer-ip ip-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for IP multi-hop session with the specified peer IP address on the IPv4 network and configure the key ID and encryption password.
  • bfd multi-hop peer-ipv6 ipv6-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for IP multi-hop session with the specified peer IP address on the IPv6 network and configure the key ID and encryption password.
  • bfd mpls-passive peer-ip ip-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for LSP passive session with the specified peer IP address on the IPv4 network and configure the key ID and encryption password.
  • bfd lsp-tunnel peer-ip ip-address [ vpn-instance vpnname-value ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet

    Enable negotiation authentication for a BFD for LSP proactive session with the specified peer IP address on the IPv4 network and configure the key ID and encryption password.

Prerequisites

BFD has been enabled globally using the bfd command.

Precautions

  • The peer device must be configured with the same algorithm (met-sha1) and key (key-id key-id-value) as the local device to ensure that BFD sessions can be authenticated and go Up after negotiation.
  • BFD negotiation authentication information is configured based on the peer IP address.
  • BFD for LSP passive session authentication information is configured based on the peer IP address, regardless of service types. If the peer-ip values of multiple passive sessions are the same, the configured authentication information takes effect for these sessions. In addition, the same authentication information must be configured for multiple sessions on the initiator.

Example

# Enable negotiation authentication for the single-hop sessions with the peer IP address 10.1.1.1, and set the key ID to 1 and the password to HUAWEI_123456.
<HUAWEI> system-view
[~HUAWEI] bfd
[*HUAWEI-bfd] bfd single-hop peer-ip 10.1.1.1 authentication-mode met-sha1 key-id 1 cipher HUAWEI_123456 nego-packet
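
An added example, not part of the vendor documentation: a Python check that parses command lines in the format above, validates them against the value ranges in the Parameters table, and compares key IDs between two peers as the Precautions require. The function names, the sample device lines, and the local_a/local_b arguments (each device's own session address, supplied by the caller) are constructed for illustration.

```python
import ipaddress
import re

# Grammar from the Format section; group names follow the page's parameters.
CMD = re.compile(
    r"^bfd (?P<type>single-hop|multi-hop|mpls-passive|lsp-tunnel) "
    r"(?P<fam>peer-ip|peer-ipv6) (?P<peer>\S+)"
    r"(?: vpn-instance (?P<vpn>\S+))? authentication-mode met-sha1 "
    r"key-id (?P<key_id>\d+) cipher (?P<cipher>\S+) nego-packet$")

def check_line(line):
    """Parse one command; return (fields or None, list of problems)."""
    m = CMD.match(line.strip())
    if not m:
        return None, ["does not match the documented format"]
    f, problems = m.groupdict(), []
    try:
        addr = ipaddress.ip_address(f["peer"])
        f["peer"] = str(addr)  # normalise so both devices compare equal
        if addr.version != (6 if f["fam"] == "peer-ipv6" else 4):
            problems.append("address family does not match " + f["fam"])
    except ValueError:
        problems.append("invalid peer address")
    if not 1 <= int(f["key_id"]) <= 255:
        problems.append("key-id outside 1-255")
    if len(f["cipher"]) > 148:
        problems.append("cipher longer than 148 characters")
    if f["vpn"] and len(f["vpn"]) > 31:
        problems.append("vpn-instance name longer than 31 characters")
    return f, problems

def peer_mismatches(local_a, lines_a, local_b, lines_b):
    """Key-ID findings for the IP sessions two devices share; passwords are not compared."""
    def key_ids(lines, peer):
        peer = str(ipaddress.ip_address(peer))
        return {f["type"]: int(f["key_id"]) for f, bad in map(check_line, lines)
                if f and not bad and f["peer"] == peer and f["type"].endswith("-hop")}
    a, b = key_ids(lines_a, local_b), key_ids(lines_b, local_a)
    out = []
    for t in sorted(set(a) | set(b)):
        if t not in a or t not in b:
            out.append(t + ": authentication configured on one side only")
        elif a[t] != b[t]:
            out.append("%s: key-id %d vs %d" % (t, a[t], b[t]))
    return out

# Constructed sample input (addresses and passwords are made up for illustration).
DEVICE_A = ["bfd single-hop peer-ip 10.1.1.1 authentication-mode met-sha1 key-id 1 cipher Example_Pass1 nego-packet"]
DEVICE_B = ["bfd single-hop peer-ip 10.1.1.2 authentication-mode met-sha1 key-id 2 cipher Example_Pass1 nego-packet"]
print(peer_mismatches("10.1.1.2", DEVICE_A, "10.1.1.1", DEVICE_B))
```

Only single-hop and multi-hop entries are compared between devices; mpls-passive and lsp-tunnel lines are validated but not paired.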
Copyright © Huawei Technologies Co., Ltd.