示例:为 IS-IS 配置 BFD 身份验证
此示例说明如何为 IS-IS 配置 BFD 身份验证。
要求
开始之前,在两台路由器上配置 IS-IS。有关所需 IS-IS 配置的信息,请参阅 示例:配置 IS-IS 。
概述
在此示例中,BFD 身份验证密钥链配置了细致的密钥 MD5 身份验证。
图 1 显示了此示例中使用的拓扑。
图 1:IS-IS BFD 身份验证拓扑
CLI 快速配置 显示了 图 1 中两个设备的配置。 #configuration228__isis-bfd-auth-step-by-step 部分介绍了设备 R1 上的步骤。
配置
程序
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到层 [edit] 级的 CLI 中。
设备 R1
set security authentication-key-chains key-chain secret123 description for-isis-bfd set security authentication-key-chains key-chain secret123 key 1 secret $ABC123 set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700" set security authentication-key-chains key-chain secret123 key 2 secret $ABC123 set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700" set security authentication-key-chains key-chain secret123 key 3 secret $ABC123 set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700" set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100 set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123 set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5
设备 R2
set security authentication-key-chains key-chain secret123 description for-isis-bfd set security authentication-key-chains key-chain secret123 key 1 secret $ABC123 set security authentication-key-chains key-chain secret123 key 1 start-time "2012-5-31.13:00:00 -0700" set security authentication-key-chains key-chain secret123 key 2 secret $ABC123 set security authentication-key-chains key-chain secret123 key 2 start-time "2013-5-31.13:00:00 -0700" set security authentication-key-chains key-chain secret123 key 3 secret $ABC123 set security authentication-key-chains key-chain secret123 key 3 start-time "2014-5-31.13:00:00 -0700" set protocols isis interface ge-1/2/0.0 bfd-liveness-detection minimum-interval 100 set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication key-chain secret123 set protocols isis interface ge-1/2/0.0 bfd-liveness-detection authentication algorithm meticulous-keyed-md5
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要配置 IS-IS BFD 身份验证:
配置身份验证密钥串。
[edit security authentication-key-chains key-chain secret123] user@R1# set description for-isis-bfd user@R1# set key 1 secret “$ABC123” user@R1# set key 1 start-time "2012-5-31.13:00:00 -0700" user@R1# set key 2 secret “$ABC123” user@R1# set key 2 start-time "2013-5-31.13:00:00 -0700" user@R1# set key 3 secret “$ABC123” user@R1# set key 3 start-time "2014-5-31.13:00:00 -0700"
启用 BFD。
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection] user@R1# set minimum-interval 100
应用身份验证密钥串。
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection] user@R1# set authentication key-chain secret123
设置身份验证类型。
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection] user@R1# set authentication algorithm meticulous-keyed-md5
结果
在配置模式下,输入 show protocols 和 show security 命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
user@R1# show protocols
isis {
interface ge-1/2/0.0 {
bfd-liveness-detection {
minimum-interval 100;
authentication {
key-chain secret123;
algorithm meticulous-keyed-md5;
}
}
}
}
user@R1# show security
authentication-key-chains {
key-chain secret123 {
description for-isis-bfd;
key 1 {
secret “$ABC123”’;
start-time "2012-5-31.13:00:00 -0700";
}
key 2 {
secret “$ABC123”’;
start-time "2013-5-31.13:00:00 -0700";
}
key 3 {
secret “$ABC123”;
start-time "2014-5-31.13:00:00 -0700";
}
}
}
如果完成设备配置,请从配置模式进入 提交 。
验证
确认配置工作正常。
验证 IS-IS BFD 认证
目的
验证 IS-IS BFD 验证的状态。
行动
在作模式下,输入 show bfd session extensive 命令。
user@R1> show bfd session extensive
Detect Transmit
Address State Interface Time Interval Multiplier
10.0.0.2 Down ge-1/2/0.0 0.300 1.000 3
Client ISIS L1, TX interval 0.100, RX interval 0.100, Authenticate
keychain secret123, algo meticulous-keyed-md5, mode strict
Client ISIS L2, TX interval 0.100, RX interval 0.100, Authenticate
keychain secret123, algo meticulous-keyed-md5, mode strict
Session down time 00:35:13, previous up time 00:12:17
Local diagnostic None, remote diagnostic None
Remote state Up, version 1
Logical system 2, routing table index 85
Min async interval 0.100, min slow interval 1.000
Adaptive async TX interval 0.100, RX interval 0.100
Local min TX interval 1.000, minimum RX interval 0.100, multiplier 3
Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
Local discriminator 2, remote discriminator 1
Echo mode disabled/inactive, no-absorb, no-refresh
Authentication enabled/active, keychain secret123, algo meticulous-keyed-md5, mode strict
Session ID: 0x100101
1 sessions, 2 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 10.0 pps
意义
输出显示 BFD 身份验证已在 IS-IS 级别 1 和级别 2 上启用。