Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4820T » Manual Viewer

Dell PowerSwitch S4820T Configuration Guide for the S4820T System 9.100.0 - Page 606

IPsec Authentication on an Interface, service password-encryption, ipv6 ospf authentication, ipsec

View all Dell PowerSwitch S4820T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 606 highlights

• There is no maximum AH or ESP header length because the headers have fields with variable lengths. • Manual key configuration is supported in an authentication or encryption policy (dynamic key configuration using the internet key exchange [IKE] protocol is not supported). • In an OSPFv3 authentication policy: • AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers. • MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported. • In an OSPFv3 encryption policy: • Both encryption and authentication are used. • IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported). • ESP with null encryption is supported for authenticating only OSPFv3 protocol headers. • ESP with non-null encryption is supported for full confidentiality. • 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported. NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command. • To configure an IPsec security policy for authenticating or encrypting OSPFv3 packets on a physical, port-channel, or VLAN interface or OSPFv3 area, perform any of the following tasks: • Configuring IPsec Authentication on an Interface • Configuring IPsec Encryption on an Interface • Configuring IPsec Authentication for an OSPFv3 Area • Configuring IPsec Encryption for an OSPFv3 Area • Displaying OSPFv3 IPsec Security Policies Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link. • Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface. INTERFACE mode ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key} • null: causes an authentication policy configured for the area to not be inherited on the interface. • ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295. • MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). • key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted). • key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted). • Remove an IPsec authentication policy from an interface. no ipv6 ospf authentication ipsec spi number • Remove null authentication on an interface to allow the interface to inherit the authentication policy configured for the OSPFv3 area. no ipv6 ospf authentication null • Display the configuration of IPsec authentication policies on the router. show crypto ipsec policy 606 Open Shortest Path First (OSPFv2 and OSPFv3)

Section	Page
Dell Configuration Guide for the S4820T System 9.10(0.0)	3
About this Guide	32
Audience	32
Conventions	32
Related Documents	32
Configuration Fundamentals	33
Accessing the Command Line	33
CLI Modes	33
Navigating CLI Modes	35
The do Command	37
Undoing Commands	38
Obtaining Help	38
Entering and Editing Commands	39
Command History	40
Filtering show Command Outputs	40
Example of the grep Keyword	40
Multiple Users in Configuration Mode	41
Getting Started	42
Console Access	43
Serial Console	43
Accessing the CLI Interface and Running Scripts Using SSH	44
Entering CLI commands Using an SSH Connection	44
Executing Local CLI Scripts Using an SSH Connection	44
Default Configuration	45
Configuring a Host Name	45
Accessing the System Remotely	45
Accessing the System Remotely	45
Configure the Management Port IP Address	45
Configure a Management Route	46
Configuring a Username and Password	46
Configuring the Enable Password	46
Configuration File Management	47
Copy Files to and from the System	47
Mounting an NFS File System	48
Save the Running-Configuration	49
Configure the Overload Bit for a Startup Scenario	50
Viewing Files	50
Managing the File System	51
Enabling Software Features on Devices Using a Command Option	51
View Command History	52
Upgrading Dell Networking OS	52
Using HTTP for File Transfers	52
Verify Software Images Before Installation	53
Management	55
Configuring Privilege Levels	55
Creating a Custom Privilege Level	55
Removing a Command from EXEC Mode	56
Moving a Command from EXEC Privilege Mode to EXEC Mode	56
Allowing Access to CONFIGURATION Mode Commands	56
Allowing Access to Different Modes	56
Applying a Privilege Level to a Username	58
Applying a Privilege Level to a Terminal Line	58
Configuring Logging	58
Audit and Security Logs	59
Configuring Logging Format	60
Display the Logging Buffer and the Logging Configuration	61
Setting Up a Secure Connection to a Syslog Server	61
Log Messages in the Internal Buffer	63
Configuration Task List for System Log Management	63
Disabling System Logging	63
Sending System Messages to a Syslog Server	63
Configuring a UNIX System as a Syslog Server	63
Track Login Activity	64
Restrictions for Tracking Login Activity	64
Configuring Login Activity Tracking	64
Display Login Statistics	65
Limit Concurrent Login Sessions	66
Restrictions for Limiting the Number of Concurrent Sessions	66
Configuring Concurrent Session Limit	66
Enabling the System to Clear Existing Sessions	67
Changing System Logging Settings	67
Display the Logging Buffer and the Logging Configuration	68
Configuring a UNIX Logging Facility Level	69
Synchronizing Log Messages	70
Enabling Timestamp on Syslog Messages	70
File Transfer Services	71
Configuration Task List for File Transfer Services	71
Enabling the FTP Server	71
Configuring FTP Server Parameters	72
Configuring FTP Client Parameters	72
Terminal Lines	73
Denying and Permitting Access to a Terminal Line	73
Configuring Login Authentication for Terminal Lines	74
Setting Timeout for EXEC Privilege Mode	75
Using Telnet to get to Another Network Device	75
Lock CONFIGURATION Mode	76
Viewing the Configuration Lock Status	76
Recovering from a Forgotten Password	76
Recovering from a Forgotten Enable Password	77
Recovering from a Failed Start	78
Restoring the Factory Default Settings	78
Important Points to Remember	79
Restoring Factory Default Environment Variables	79
802.1X	81
Port-Authentication Process	83
EAP over RADIUS	84
Configuring 802.1X	84
Related Configuration Tasks	84
Important Points to Remember	84
Enabling 802.1X	85
Configuring MAC addresses for a do1x Profile	86
Configuring Request Identity Re-Transmissions	87
Configuring a Quiet Period after a Failed Authentication	87
Forcibly Authorizing or Unauthorizing a Port	88
Re-Authenticating a Port	89
Configuring Timeouts	90
Configuring Dynamic VLAN Assignment with Port Authentication	91
Guest and Authentication-Fail VLANs	92
Configuring a Guest VLAN	92
Configuring an Authentication-Fail VLAN	92
Configuring dot1x Profile	93
Configuring the Static MAB and MAB Profile	94
Configuring Critical VLAN	94
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)	96
Optimizing CAM Utilization During the Attachment of ACLs to VLANs	96
Guidelines for Configuring ACL VLAN Groups	97
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters	97
Viewing CAM Usage	99
Allocating FP Blocks for VLAN Processes	100
Access Control Lists (ACLs)	101
IP Access Control Lists (ACLs)	102
CAM Usage	102
Implementing ACLs on Dell Networking OS	103
IP Fragment Handling	105
IP Fragments ACL Examples	105
Layer 4 ACL Rules Examples	105
Configure a Standard IP ACL	106
Configuring a Standard IP ACL Filter	107
Configure an Extended IP ACL	108
Configuring Filters with a Sequence Number	108
Configuring Filters Without a Sequence Number	109
Configure Layer 2 and Layer 3 ACLs	110
Assign an IP ACL to an Interface	110
Applying an IP ACL	111
Counting ACL Hits	111
Configure Ingress ACLs	112
Configure Egress ACLs	112
Applying Egress Layer 3 ACLs (Control-Plane)	113
IP Prefix Lists	113
Implementation Information	114
Configuration Task List for Prefix Lists	114
ACL Resequencing	117
Resequencing an ACL or Prefix List	118
Route Maps	119
Implementation Information	119
Important Points to Remember	119
Configuration Task List for Route Maps	120
Configuring Match Routes	122
Configuring Set Conditions	123
Configure a Route Map for Route Redistribution	124
Configure a Route Map for Route Tagging	124
Continue Clause	125
Logging of ACL Processes	125
Guidelines for Configuring ACL Logging	126
Configuring ACL Logging	126
Flow-Based Monitoring Support for ACLs	127
Behavior of Flow-Based Monitoring	127
Enabling Flow-Based Monitoring	128
Bidirectional Forwarding Detection (BFD)	130
How BFD Works	130
BFD Packet Format	131
BFD Sessions	132
BFD Three-Way Handshake	133
Session State Changes	135
Important Points to Remember	135
Configure BFD	135
Configure BFD for Physical Ports	136
Configure BFD for Static Routes	139
Configure BFD for OSPF	141
Configure BFD for OSPFv3	143
Configure BFD for IS-IS	145
Configure BFD for BGP	147
Configure BFD for VRRP	154
Configuring Protocol Liveness	156
Troubleshooting BFD	156
Border Gateway Protocol IPv4 (BGPv4)	158
Autonomous Systems (AS)	158
Sessions and Peers	160
Establish a Session	160
Route Reflectors	161
BGP Attributes	162
Best Path Selection Criteria	162
Weight	164
Local Preference	164
Multi-Exit Discriminators (MEDs)	165
Origin	166
AS Path	166
Next Hop	167
Multiprotocol BGP	167
Implement BGP with Dell Networking OS	168
Additional Path (Add-Path) Support	168
Advertise IGP Cost as MED for Redistributed Routes	168
Ignore Router-ID in Best-Path Calculation	169
Four-Byte AS Numbers	169
AS4 Number Representation	169
AS Number Migration	171
BGP4 Management Information Base (MIB)	172
Important Points to Remember	172
Configuration Information	173
BGP Configuration	173
Enabling BGP	174
Configuring AS4 Number Representations	177
Configuring Peer Groups	178
Configuring BGP Fast Fall-Over	181
Configuring Passive Peering	182
Maintaining Existing AS Numbers During an AS Migration	183
Allowing an AS Number to Appear in its Own AS Path	184
Enabling Graceful Restart	185
Enabling Neighbor Graceful Restart	186
Filtering on an AS-Path Attribute	186
Regular Expressions as Filters	187
Redistributing Routes	189
Enabling Additional Paths	189
Configuring IP Community Lists	190
Configuring an IP Extended Community List	191
Filtering Routes with Community Lists	192
Manipulating the COMMUNITY Attribute	192
Changing MED Attributes	194
Changing the LOCAL_PREFERENCE Attribute	194
Changing the NEXT_HOP Attribute	195
Changing the WEIGHT Attribute	195
Enabling Multipath	196
Filtering BGP Routes	196
Filtering BGP Routes Using Route Maps	197
Filtering BGP Routes Using AS-PATH Information	198
Configuring BGP Route Reflectors	198
Aggregating Routes	199
Configuring BGP Confederations	199
Enabling Route Flap Dampening	200
Changing BGP Timers	202
Enabling BGP Neighbor Soft-Reconfiguration	203
Route Map Continue	204
Enabling MBGP Configurations	204
BGP Regular Expression Optimization	205
Debugging BGP	205
Storing Last and Bad PDUs	206
Capturing PDUs	207
PDU Counters	208
Sample Configurations	208
Content Addressable Memory (CAM)	214
CAM Allocation	214
Test CAM Usage	216
View CAM Profiles	216
View CAM-ACL Settings	217
View CAM Usage	218
CAM Optimization	219
Troubleshoot CAM Profiling	219
CAM Profile Mismatches	219
QoS CAM Region Limitation	219
Control Plane Policing (CoPP)	220
Configure Control Plane Policing	221
Configuring CoPP for Protocols	222
Configuring CoPP for CPU Queues	224
CoPP for OSPFv3 Packets	225
Configuring CoPP for OSPFv3	227
Displaying CoPP Configuration	228
Data Center Bridging (DCB)	230
Ethernet Enhancements in Data Center Bridging	230
Priority-Based Flow Control	231
Enhanced Transmission Selection	232
Data Center Bridging Exchange Protocol (DCBx)	233
Data Center Bridging in a Traffic Flow	234
Enabling Data Center Bridging	234
DCB Maps and its Attributes	235
Data Center Bridging: Default Configuration	236
Configuring Priority-Based Flow Control	236
Configuring Lossless Queues	237
Configuring PFC in a DCB Map	238
PFC Configuration Notes	238
PFC Prerequisites and Restrictions	239
Applying a DCB Map on a Port	239
Configuring PFC without a DCB Map	240
Configuring Lossless QueuesExample:	240
Priority-Based Flow Control Using Dynamic Buffer Method	241
Pause and Resume of Traffic	241
Buffer Sizes for Lossless or PFC Packets	242
Behavior of Tagged Packets	242
Configuration Example for DSCP and PFC Priorities	243
Using PFC to Manage Converged Ethernet Traffic	243
Configure Enhanced Transmission Selection	244
ETS Prerequisites and Restrictions	244
Creating an ETS Priority Group	244
ETS Operation with DCBx	245
Configuring Bandwidth Allocation for DCBx CIN	246
Configuring ETS in a DCB Map	246
Hierarchical Scheduling in ETS Output Policies	248
Using ETS to Manage Converged Ethernet Traffic	248
Applying DCB Policies in a Switch Stack	248
Configure a DCBx Operation	248
DCBx Operation	249
DCBx Port Roles	249
DCB Configuration Exchange	250
Configuration Source Election	251
Propagation of DCB Information	251
Auto-Detection and Manual Configuration of the DCBx Version	251
DCBx Example	252
DCBx Prerequisites and Restrictions	252
Configuring DCBx	253
Verifying the DCB Configuration	256
Sample DCB Configuration	264
PFC and ETS Configuration Command Examples	266
QoS dot1p Traffic Classification and Queue Assignment	266
Configuring the Dynamic Buffer Method	267
Dynamic Host Configuration Protocol (DHCP)	269
DHCP Packet Format and Options	269
Assign an IP Address using DHCP	271
Implementation Information	272
Configure the System to be a DHCP Server	272
Configuring the Server for Automatic Address Allocation	273
Specifying a Default Gateway	274
Configure a Method of Hostname Resolution	274
Using DNS for Address Resolution	274
Using NetBIOS WINS for Address Resolution	275
Creating Manual Binding Entries	275
Debugging the DHCP Server	275
Using DHCP Clear Commands	276
Configure the System to be a Relay Agent	276
Configure the System to be a DHCP Client	277
DHCP Client Operation with Other Features	278
DHCP Client on a Management Interface	279
Configure the System for User Port Stacking (Option 230)	279
Configure Secure DHCP	280
Option 82	280
DHCP Snooping	281
Configuring the DHCP secondary-subnet	284
Drop DHCP Packets on Snooped VLANs Only	284
Dynamic ARP Inspection	285
Configuring Dynamic ARP Inspection	286
Source Address Validation	287
Enabling IP Source Address Validation	287
DHCP MAC Source Address Validation	288
Enabling IP+MAC Source Address Validation	288
Viewing the Number of SAV Dropped Packets	289
Clearing the Number of SAV Dropped Packets	289
Equal Cost Multi-Path (ECMP)	290
ECMP for Flow-Based Affinity	290
Configuring the Hash Algorithm	290
Enabling Deterministic ECMP Next Hop	290
Configuring the Hash Algorithm Seed	291
Link Bundle Monitoring	291
Managing ECMP Group Paths	292
Creating an ECMP Group Bundle	292
Modifying the ECMP Group Threshold	292
RTAG7	293
Flow-based Hashing for ECMP	294
FIP Snooping	297
Fibre Channel over Ethernet	297
Ensure Robustness in a Converged Ethernet Network	297
FIP Snooping on Ethernet Bridges	299
FIP Snooping in a Switch Stack	300
Using FIP Snooping	301
FIP Snooping Prerequisites	301
Important Points to Remember	301
Enabling the FCoE Transit Feature	302
Enable FIP Snooping on VLANs	302
Configure the FC-MAP Value	303
Configure a Port for a Bridge-to-Bridge Link	303
Configure a Port for a Bridge-to-FCF Link	303
Impact on Other Software Features	303
FIP Snooping Restrictions	304
Configuring FIP Snooping	304
Displaying FIP Snooping Information	305
FCoE Transit Configuration Example	310
FIPS Cryptography	312
Configuration Tasks	312
Preparing the System	312
Enabling FIPS Mode	313
Generating Host-Keys	313
Monitoring FIPS Mode Status	313
Disabling FIPS Mode	314
Force10 Resilient Ring Protocol (FRRP)	315
Protocol Overview	315
Ring Status	316
Multiple FRRP Rings	316
Important FRRP Points	317
Important FRRP Concepts	318
Implementing FRRP	319
FRRP Configuration	319
Creating the FRRP Group	319
Configuring the Control VLAN	319
Configuring and Adding the Member VLANs	320
Setting the FRRP Timers	321
Clearing the FRRP Counters	322
Viewing the FRRP Configuration	322
Viewing the FRRP Information	322
Troubleshooting FRRP	322
Configuration Checks	322
Sample Configuration and Topology	323
GARP VLAN Registration Protocol (GVRP)	325
Important Points to Remember	325
Configure GVRP	326
Related Configuration Tasks	326
Enabling GVRP Globally	326
Enabling GVRP on a Layer 2 Interface	327
Configure GVRP Registration	327
Configure a GARP Timer	328
RPM Redundancy	328
High Availability (HA)	329
Component Redundancy	329
RPM Redundancy	329
Automatic and Manual Stack Unit Failover	331
Support for RPM Redundancy by Dell Networking OS Version	332
Synchronization between Management and Standby Units	332
Configuring RPM Redundancy	332
Online Insertion and Removal	333
RPM Online Insertion and Removal	334
Linecard Online Insertion and Removal	334
Hitless Behavior	335
Graceful Restart	336
Software Resiliency	336
Software Component Health Monitoring	336
System Health Monitoring	336
Failure and Event Logging	336
Hot-Lock Behavior	337
Process Restartability	337
Enabling Process Restartability	338
Internet Group Management Protocol (IGMP)	339
IGMP Implementation Information	339
IGMP Protocol Overview	339
IGMP Version 2	339
IGMP Version 3	341
Configure IGMP	343
Related Configuration Tasks	344
Viewing IGMP Enabled Interfaces	344
Selecting an IGMP Version	344
Viewing IGMP Groups	345
Adjusting Timers	345
Adjusting Query and Response Timers	345
Enabling IGMP Immediate-Leave	346
IGMP Snooping	346
IGMP Snooping Implementation Information	346
Configuring IGMP Snooping	346
Removing a Group-Port Association	347
Disabling Multicast Flooding	347
Specifying a Port as Connected to a Multicast Router	348
Configuring the Switch as Querier	348
Fast Convergence after MSTP Topology Changes	349
Egress Interface Selection (EIS) for HTTP and IGMP Applications	349
Protocol Separation	349
Enabling and Disabling Management Egress Interface Selection	350
Handling of Management Route Configuration	351
Handling of Switch-Initiated Traffic	352
Handling of Switch-Destined Traffic	352
Handling of Transit Traffic (Traffic Separation)	353
Mapping of Management Applications and Traffic Type	353
Behavior of Various Applications for Switch-Initiated Traffic	354
Behavior of Various Applications for Switch-Destined Traffic	355
Interworking of EIS With Various Applications	356
Designating a Multicast Router Interface	356
Interfaces	357
Basic Interface Configuration	357
Advanced Interface Configuration	357
Interface Types	358
View Basic Interface Information	358
Resetting an Interface to its Factory Default State	360
Enabling a Physical Interface	360
Physical Interfaces	361
Configuration Task List for Physical Interfaces	361
Overview of Layer Modes	361
Configuring Layer 2 (Data Link) Mode	362
Configuring Layer 2 (Interface) Mode	362
Configuring Layer 3 (Network) Mode	362
Configuring Layer 3 (Interface) Mode	363
Egress Interface Selection (EIS)	364
Important Points to Remember	364
Configuring EIS	364
Management Interfaces	364
Configuring Management Interfaces	364
Configuring a Management Interface on an Ethernet Port	366
VLAN Interfaces	367
Loopback Interfaces	367
Null Interfaces	368
Port Channel Interfaces	368
Port Channel Definition and Standards	368
Port Channel Benefits	368
Port Channel Implementation	369
Interfaces in Port Channels	369
Configuration Tasks for Port Channel Interfaces	369
Creating a Port Channel	370
Adding a Physical Interface to a Port Channel	370
Reassigning an Interface to a New Port Channel	372
Configuring the Minimum Oper Up Links in a Port Channel	372
Adding or Removing a Port Channel from a VLAN	373
Assigning an IP Address to a Port Channel	374
Deleting or Disabling a Port Channel	374
Load Balancing Through Port Channels	374
Changing the Hash Algorithm	375
Bulk Configuration	376
Interface Range	376
Bulk Configuration Examples	376
Defining Interface Range Macros	377
Define the Interface Range	378
Choosing an Interface-Range Macro	378
Monitoring and Maintaining Interfaces	378
Maintenance Using TDR	379
Splitting QSFP Ports to SFP+ Ports	380
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port	380
Important Points to Remember	381
Example Scenarios	381
Configuring wavelength for 10–Gigabit SFP+ optics	384

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013

Match case Limit results 1 per page

•

There is no maximum AH or ESP header length because the headers have

ﬁelds

with variable lengths.

•

Manual key

conﬁguration

is supported in an authentication or encryption policy (dynamic key

conﬁguration

using the internet key

exchange [IKE] protocol is not supported).

•

In an OSPFv3 authentication policy:

•

AH is used to authenticate OSPFv3 headers and certain

ﬁelds

in IPv6 headers and extension headers.

•

MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported.

•

In an OSPFv3 encryption policy:

•

Both encryption and authentication are used.

•

IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported).

•

ESP with null encryption is supported for authenticating only OSPFv3 protocol headers.

•

ESP with non-null encryption is supported for full

conﬁdentiality.

•

3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported.

NOTE:

To encrypt all keys on a router, use the

service password-encryption

command in Global

Conﬁguration

mode.

However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at

an interface or area level, specify

for

[key-encryption-type]

when you enter the

ipv6 ospf authentication

ipsec

ipv6 ospf encryption ipsec

command.

•

conﬁgure

an IPsec security policy for authenticating or encrypting OSPFv3 packets on a physical, port-channel, or VLAN interface

or OSPFv3 area, perform any of the following tasks:

•

Conﬁguring

IPsec Authentication on an Interface

•

Conﬁguring

IPsec Encryption on an Interface

•

Conﬁguring

IPsec Authentication for an OSPFv3 Area

•

Conﬁguring

IPsec Encryption for an OSPFv3 Area

•

Displaying OSPFv3 IPsec Security Policies

Conﬁguring

IPsec Authentication on an Interface

conﬁgure,

remove, or display IPsec authentication on an interface, use the following commands.

Prerequisite

: Before you enable IPsec authentication on an OSPFv3 interface,

ﬁrst

enable IPv6 unicast routing globally,

conﬁgure

an IPv6

address and enable OSPFv3 on the interface, and assign it to an area (refer to

Conﬁguration

Task List for OSPFv3 (OSPF for IPv6)

The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.

Conﬁgure

the same authentication

policy (the same SPI and key) on each OSPFv3 interface in a link.

•

Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface.

INTERFACE mode

ipv6 ospf authentication {null | ipsec spi

number

{MD5 | SHA1} [

key-encryption-type

]

key

}

•

null

: causes an authentication policy

conﬁgured

for the area to not be inherited on the interface.

•

ipsec spi

number

: the security policy index (SPI) value. The range is from 256 to 4294967295.

•

MD5 | SHA1

speciﬁes

the authentication type: Message Digest 5 (

MD5

) or Secure Hash Algorithm 1 (

SHA-1

•

key-encryption-type

: (optional)

speciﬁes

if the key is encrypted. The valid values are

(key is not encrypted) or

(key is

encrypted).

•

key

speciﬁes

the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information. For

MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key

must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).

•

Remove an IPsec authentication policy from an interface.

no ipv6 ospf authentication ipsec spi

number

•

Remove null authentication on an interface to allow the interface to inherit the authentication policy

conﬁgured

for the OSPFv3 area.

no ipv6 ospf authentication null

•

Display the

conﬁguration

of IPsec authentication policies on the router.

show crypto ipsec policy

606

Open Shortest Path First (OSPFv2 and OSPFv3)