Example: Configuring keychains
Network configuration
As shown in Figure 98, establish an OSPF neighbor relationship between Switch A and Switch B, and use a keychain to authenticate the OSPF packets exchanged between the switches. Configure key 1 and key 2 for the keychain so that key 2 takes over immediately when key 1 expires.
Figure 98: Network diagram
Procedure
Configure Switch A:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<SwitchA> system-view
[SwitchA] ospf 1 router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchA] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[SwitchA-keychain-abc] key 1
[SwitchA-keychain-abc-key-1] authentication-algorithm md5
[SwitchA-keychain-abc-key-1] key-string plain 123456
[SwitchA-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[SwitchA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[SwitchA-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[SwitchA-keychain-abc] key 2
[SwitchA-keychain-abc-key-2] authentication-algorithm hmac-md5
[SwitchA-keychain-abc-key-2] key-string plain pwd123
[SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[SwitchA-keychain-abc-key-2] quit
[SwitchA-keychain-abc] quit
# Configure VLAN-interface 100 to use keychain abc for authentication.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ospf authentication-mode keychain abc
[SwitchA-Vlan-interface100] quit
Configure Switch B:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
[SwitchB] ospf 1 router-id 2.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchB] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[SwitchB-keychain-abc] key 1
[SwitchB-keychain-abc-key-1] authentication-algorithm md5
[SwitchB-keychain-abc-key-1] key-string plain 123456
[SwitchB-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[SwitchB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[SwitchB-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[SwitchB-keychain-abc] key 2
[SwitchB-keychain-abc-key-2] authentication-algorithm hmac-md5
[SwitchB-keychain-abc-key-2] key-string plain pwd123
[SwitchB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[SwitchB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[SwitchB-keychain-abc-key-2] quit
[SwitchB-keychain-abc] quit
# Configure VLAN-interface 100 to use keychain abc for authentication.
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ospf authentication-mode keychain abc
[SwitchB-Vlan-interface100] quit
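The procedure above gives the two keys lifetimes that meet exactly at 11:00:00, in absolute time mode and with the platform's default accept tolerance of 0. Each switch evaluates those lifetimes against its own system clock, so the hand-over from key 1 to key 2 is only seamless if the two clocks agree. The following Python model is added here to illustrate that; it is not Comware or H3C code. It reproduces the key selection for keychain abc on both switches and shows what a few seconds of clock skew across the 11:00:00 boundary does with accept tolerance 0 versus a non-zero tolerance. The model assumes that a lifetime "start to end" is half-open (the end instant belongs to the next key), that accept tolerance widens an accept lifetime equally at both ends, and that the lowest key ID wins if several keys are within their send lifetime; the clock values fed to it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Added model of keychain lifetime evaluation; not Comware code.
# Assumptions not stated on the page:
#   - a lifetime "start to end" is half-open [start, end), so exactly one key
#     is within its send lifetime at 11:00:00;
#   - accept tolerance widens every accept lifetime by the same amount at
#     both ends;
#   - if several keys are within their send lifetime, the lowest key ID wins.


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    send: Tuple[datetime, datetime]      # send-lifetime start, end
    accept: Tuple[datetime, datetime]    # accept-lifetime start, end


@dataclass
class Keychain:
    name: str
    keys: Tuple[Key, ...]
    accept_tolerance: timedelta = timedelta(0)   # "Accept tolerance : 0" on the page

    def active_send_key(self, now: datetime) -> Optional[Key]:
        """Key used to authenticate outgoing packets at `now`, or None."""
        for key in sorted(self.keys, key=lambda k: k.key_id):
            start, end = key.send
            if start <= now < end:
                return key
        return None

    def active_accept_ids(self, now: datetime) -> List[int]:
        """IDs of all keys that may authenticate incoming packets at `now`."""
        tol = self.accept_tolerance
        return sorted(key.key_id for key in self.keys
                      if key.accept[0] - tol <= now < key.accept[1] + tol)


def ts(text: str) -> datetime:
    """Parse the timestamp layout used on the page, e.g. '10:00:00 2015/02/06'."""
    return datetime.strptime(text, "%H:%M:%S %Y/%m/%d")


def keychain_abc(tolerance_seconds: int = 0) -> Keychain:
    """Keychain abc with the lifetimes configured on both switches in the example."""
    k1 = Key(1, "md5",
             (ts("10:00:00 2015/02/06"), ts("11:00:00 2015/02/06")),
             (ts("10:00:00 2015/02/06"), ts("11:00:00 2015/02/06")))
    k2 = Key(2, "hmac-md5",
             (ts("11:00:00 2015/02/06"), ts("12:00:00 2015/02/06")),
             (ts("11:00:00 2015/02/06"), ts("12:00:00 2015/02/06")))
    return Keychain("abc", (k1, k2), timedelta(seconds=tolerance_seconds))


def peer_authenticates(sender: Keychain, receiver: Keychain,
                       sender_clock: datetime, receiver_clock: datetime) -> bool:
    """Would a packet authenticated by `sender` be accepted by `receiver`?

    Each switch applies its own keychain to its own clock, so the two clocks
    are passed separately to model skew between the peers.
    """
    key = sender.active_send_key(sender_clock)
    return key is not None and key.key_id in receiver.active_accept_ids(receiver_clock)


if __name__ == "__main__":
    a, b = keychain_abc(), keychain_abc()
    for t in ("10:30:00", "11:00:00", "11:30:00", "12:00:00"):
        now = ts(f"{t} 2015/02/06")
        key = a.active_send_key(now)
        print(t, "send key:", key.key_id if key else None,
              "accept keys:", a.active_accept_ids(now))
    # Constructed skew: A is already at 11:00:05 and signs with key 2, while
    # B is still at 10:59:55 and, with tolerance 0, accepts only key 1.
    skew_a, skew_b = ts("11:00:05 2015/02/06"), ts("10:59:55 2015/02/06")
    print("skew, tolerance 0 s :", peer_authenticates(a, b, skew_a, skew_b))
    print("skew, tolerance 60 s:", peer_authenticates(a, keychain_abc(60), skew_a, skew_b))
```

The run prints key 1 at 10:30:00, key 2 from 11:00:00, and no key at all from 12:00:00, which is the behaviour the verification section expects. The skew case shows the practical consequence of adjacent lifetimes with tolerance 0: a packet sent a few seconds after the boundary by the faster clock is rejected by the slower one, and the OSPF adjacency drops until the clocks pass the boundary together. Synchronise both switches to the same time source before relying on absolute-mode lifetimes, and consider a non-zero accept tolerance (reported as Accept tolerance in display keychain) so that a small skew is absorbed rather than treated as an authentication failure.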
Verifying the configuration
When the system time is within the lifetime from 10:00:00 to 11:00:00 on 2015/02/06, verify the status of the keys in keychain abc.
# Display keychain information on Switch A. The output shows that key 1 is the valid key.
[SwitchA] display keychain
Keychain name        : abc
 Mode                : absolute
 Accept tolerance    : 0
 TCP kind value      : 254
 TCP algorithm value
   HMAC-MD5          : 5
   MD5               : 3
 Default send key ID : None
 Active send key ID  : 1
 Active accept key IDs: 1
 Key ID              : 1
   Key string        : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
   Algorithm         : md5
   Send lifetime     : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Send status       : Active
   Accept lifetime   : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Accept status     : Active
 Key ID              : 2
   Key string        : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
   Algorithm         : hmac-md5
   Send lifetime     : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Send status       : Inactive
   Accept lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Accept status     : Inactive
# Display keychain information on Switch B. The output shows that key 1 is the valid key.
[SwitchB] display keychain
Keychain name        : abc
 Mode                : absolute
 Accept tolerance    : 0
 TCP kind value      : 254
 TCP algorithm value
   HMAC-MD5          : 5
   MD5               : 3
 Default send key ID : None
 Active send key ID  : 1
 Active accept key IDs: 1
 Key ID              : 1
   Key string        : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
   Algorithm         : md5
   Send lifetime     : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Send status       : Active
   Accept lifetime   : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Accept status     : Active
 Key ID              : 2
   Key string        : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
   Algorithm         : hmac-md5
   Send lifetime     : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Send status       : Inactive
   Accept lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Accept status     : Inactive
When the system time is within the lifetime from 11:00:00 to 12:00:00 on 2015/02/06, verify the status of the keys in keychain abc.
# Display keychain information on Switch A. The output shows that key 2 has become the valid key.
[SwitchA] display keychain
Keychain name        : abc
 Mode                : absolute
 Accept tolerance    : 0
 TCP kind value      : 254
 TCP algorithm value
   HMAC-MD5          : 5
   MD5               : 3
 Default send key ID : None
 Active send key ID  : 2
 Active accept key IDs: 2
 Key ID              : 1
   Key string        : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
   Algorithm         : md5
   Send lifetime     : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Send status       : Inactive
   Accept lifetime   : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Accept status     : Inactive
 Key ID              : 2
   Key string        : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
   Algorithm         : hmac-md5
   Send lifetime     : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Send status       : Active
   Accept lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Accept status     : Active
# Display keychain information on Switch B. The output shows that key 2 has become the valid key.
[SwitchB] display keychain
Keychain name        : abc
 Mode                : absolute
 Accept tolerance    : 0
 TCP kind value      : 254
 TCP algorithm value
   HMAC-MD5          : 5
   MD5               : 3
 Default send key ID : None
 Active send key ID  : 1
 Active accept key IDs: 1
 Key ID              : 1
   Key string        : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
   Algorithm         : md5
   Send lifetime     : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Send status       : Inactive
   Accept lifetime   : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Accept status     : Inactive
 Key ID              : 2
   Key string        : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
   Algorithm         : hmac-md5
   Send lifetime     : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Send status       : Active
   Accept lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Accept status     : Active
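The display keychain output above is the operator's direct evidence that the rollover happened on both ends, but reading two outputs by eye at a lifetime boundary is error-prone. The following Python script is added here as an example and is not Comware or H3C code: it parses output in the layout shown above and cross-checks the two switches, requiring that the key each switch sends with is among the keys its peer accepts, that the summary Active send key ID line agrees with the per-key Send status lines, and reporting a zero accept tolerance. The sample output it works on is constructed in the page's format with placeholder key strings, and the `sample_display_keychain` helper only exists to build that sample.

```python
import re
from typing import Dict, List

# Added example; not Comware code. Parses `display keychain` text in the
# layout shown on the page and cross-checks two switches' outputs.


def sample_display_keychain(switch: str, active_id: int) -> str:
    """Constructed `display keychain` output in the page's layout.

    `active_id` selects the key reported as active; the key strings are
    placeholders, not the page's values.
    """
    status = {k: ("Active" if k == active_id else "Inactive") for k in (1, 2)}
    return f"""[{switch}] display keychain
Keychain name        : abc
 Mode                : absolute
 Accept tolerance    : 0
 TCP kind value      : 254
 TCP algorithm value
   HMAC-MD5          : 5
   MD5               : 3
 Default send key ID : None
 Active send key ID  : {active_id}
 Active accept key IDs: {active_id}
 Key ID              : 1
   Key string        : $c$3$PLACEHOLDER_KEY_1
   Algorithm         : md5
   Send lifetime     : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Send status       : {status[1]}
   Accept lifetime   : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
   Accept status     : {status[1]}
 Key ID              : 2
   Key string        : $c$3$PLACEHOLDER_KEY_2
   Algorithm         : hmac-md5
   Send lifetime     : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Send status       : {status[2]}
   Accept lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
   Accept status     : {status[2]}
"""


# "Field name : value"; the first colon ends the field name, so time values
# such as 10:00:00 stay intact on the value side.
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def ids(value: str) -> List[int]:
    """Turn '1', '1 2' or 'None' into a list of key IDs."""
    return [int(x) for x in re.findall(r"\d+", value)]


def parse_display_keychain(text: str) -> Dict:
    """Return the keychain-level fields plus a list of per-key field dicts."""
    chain: Dict = {"keys": []}
    target = chain                        # where the next field is stored
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:                         # prompt line, "TCP algorithm value", blanks
            continue
        field, value = m.groups()
        if field == "Key ID":             # every following field belongs to this key
            target = {"Key ID": int(value)}
            chain["keys"].append(target)
        else:
            target[field] = value
    return chain


def audit(a_text: str, b_text: str) -> List[str]:
    """Cross-check the two switches' keychain state; return human-readable findings."""
    chains = {"A": parse_display_keychain(a_text), "B": parse_display_keychain(b_text)}
    findings: List[str] = []
    for name, chain in chains.items():
        declared = ids(chain.get("Active send key ID", ""))
        by_status = [k["Key ID"] for k in chain["keys"] if k.get("Send status") == "Active"]
        if declared != by_status:
            findings.append(f"{name}: Active send key ID {declared} does not match "
                            f"per-key Send status {by_status}")
        if chain.get("Accept tolerance") == "0":
            findings.append(f"{name}: accept tolerance is 0, so both clocks must agree "
                            f"at every lifetime boundary")
    for s, r in (("A", "B"), ("B", "A")):
        send = ids(chains[s].get("Active send key ID", ""))
        accept = ids(chains[r].get("Active accept key IDs", ""))
        if not send:
            findings.append(f"{s}: no active send key; outgoing OSPF packets cannot be authenticated")
        elif send[0] not in accept:
            findings.append(f"{s} sends with key {send[0]} but {r} accepts only {accept}")
    return findings


if __name__ == "__main__":
    # Both switches on key 1 (the 10:00-11:00 state shown above).
    print(audit(sample_display_keychain("SwitchA", 1), sample_display_keychain("SwitchB", 1)))
    # A has rolled to key 2 while B still reports key 1: neither side authenticates the other.
    print(audit(sample_display_keychain("SwitchA", 2), sample_display_keychain("SwitchB", 1)))
```

The first call reports only the two accept-tolerance notes; the second adds one finding in each direction, which is exactly the symptom to look for when an adjacency drops at 11:00:00 with one switch's clock ahead of the other. The internal-consistency check is there because the summary lines and the per-key status lines are produced separately, and a disagreement between them is worth investigating before trusting either.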