Home » Dell Manuals » Hubs & Switches » Dell S4148U-ON » Manual Viewer

Dell S4148U-ON OS10 Enterprise Edition User Guide Release 10.4.0E R2 - Page 379

IPsec encryption on interfaces, IPsec authentication for OSPFv3 area

Get Dell S4148U-ON PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 379 highlights

OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 no switchport no shutdown ipv6 address 1::1/64 IPsec encryption on interfaces Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication (ipv6 ospf authentication ipsec). To configure encryption, you must first delete the authentication policy. • Enable IPsec encryption for OSPFv3 packets in Interface mode. ipv6 ospf encryption ipsec spi number esp encryption-type key authentication-type key • ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). • esp encryption-type key - Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AESCBC, only the AES-128 and AES-192 ciphers are supported. • key - Enter the text string used in the encryption algorithm. All neighboring OSPFv3 routers must share the key to decrypt information. Only a non-encrypted key is supported. Required lengths of the non-encrypted key are: 3DES - 48 hex digits; DES - 16 hex digits; AES-CBC - 32 hex digits for AES-128 and 48 hex digits for AES-192. • authentication-type key - Enter the encryption authentication algorithm to use (MD5 or SHA1). • key - Enter the text string used in the authentication algorithm. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec encryption policy, use the no ipv6 ospf encryption ipsec spi number or no ipv6 ospf encryption null command. Configure IPsec encryption on interface OS10(conf-if-eth1/1/1)# ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678 OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678 no switchport no shutdown ipv6 address 1::1/64 Configure IPsec authentication for OSPFv3 area Prerequisite: Before you enable IPsec authentication for an OSPFv3 area, enable OSPFv3 globally on the router. • Enable IPsec authentication for OSPFv3 packets in an area in Router-OSPFv3 mode. area area-id authentication ipsec spi number {MD5 | SHA1} key • area area-id - Enter an area ID as a number or IPv6 prefix. • ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). • md5 - Enable message digest 5 (MD5) authentication. • sha1 - Enable secure hash algorithm 1 (SHA-1) authentication. • key - Enter the text string used in the authentication type. All OSPFv3 routers in the area share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. Layer 3 379

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.0E(R2)	3
Getting Started	20
Download OS10 image and license	21
Installation	22
Automatic installation	23
Manual installation	23
Log into OS10	24
Install OS10 license	24
Remote access	25
Configure Management IP address	26
Management Route Configuration	26
Configure user name and password	27
Upgrade OS10	27
CLI Basics	27
User accounts	28
Key CLI features	28
CLI command modes	28
CLI command hierarchy	29
CLI command categories	29
CONFIGURATION Mode	29
Command help	30
Check device status	31
Candidate configuration	33
Change to transaction-based configuration	36
Copy running configuration	36
Restore startup configuration	37
Reload system image	37
Filter show commands	38
Alias command	38
Batch mode commands	42
Linux shell commands	43
SSH commands	43
OS9 environment commands	44
Common commands	44
alias	44
alias (multi-line)	45
batch	46
boot	46
commit	47
configure	47
copy	47
default (alias)	49
delete	49
description (alias)	50
dir	50
discard	51
do	51
feature config-os9-style	51
exit	52
license	52
line (alias)	53
lock	53
management route	54
move	54
no	55
reload	55
show alias	55
show boot	57
show candidate-configuration	57
show environment	59
show inventory	60
show ip management-route	60
show ipv6 management-route	61
show license status	61
show running-configuration	62
show startup-configuration	64
show system	65
show version	67
start	67
system	68
system identifier	68
terminal	68
traceroute	69
unlock	70
write	70
Interfaces	71
Ethernet interfaces	71
Unified port groups	71
L2 mode configuration	72
L3 mode configuration	73
Fibre Channel interfaces	73
Management interface	75
VLAN interfaces	75
User-configured default VLAN	76
Loopback interfaces	76
Port-channel interfaces	77
Create port-channel	77
Add port member	78
Minimum links	78
Assign Port Channel IP Address	79
Remove or disable port-channel	79
Load balance traffic	79
Change hash algorithm	80
Configure interface ranges	80
Switch-port profiles	81
S4148-ON series port profiles	82
S4148U-ON port profiles	83
Configure breakout mode	84
Breakout auto-configuration	85
Reset default configuration	85
Forward error correction	87
Energy-efficient Ethernet	87
Enable energy-efficient Ethernet	88
Clear interface counters	88
View EEE status/statistics	88
EEE commands	89
View interface configuration	92
Interface commands	94
channel-group	94
default interface	94
default vlan-id	96
description (Interface)	97
duplex	97
enable auto-breakout	98
fec	98
interface breakout	99
interface ethernet	99
interface loopback	100
interface mgmt	100
interface null	100
interface port-channel	101
interface range	101
interface vlan	102
link-bundle-utilization	102
mgmt	102
mode	103
mtu	103
port-group	104
show interface	104
show link-bundle-utilization	106
show port-channel summary	106
show port-group	107
show switch-port-profile	107
show vlan	108
shutdown	108
speed (Fibre Channel)	109
speed (Management)	109
switch-port-profile	110
switchport access vlan	112
switchport mode	112
switchport trunk allowed vlan	113
Fibre channel	114
Fibre Channel over Ethernet	114
Configure FIP snooping	115
Terminology	116
Virtual fabric	116
Fibre Channel zoning	119
F_Port on Ethernet	120
F_Port, NPG, and FCoE commands	121
clear fcoe database	121
clear fcoe statistics	121
fc alias	122
fc zone	122
fc zoneset	122
fcoe	123
fcoe max-sessions-per-enodemac	123
feature fc	124
feature fc npg	124
feature fip-snooping	124
fip-snooping enable	125
fip-snooping fc-map	125
fip-snooping port-mode fcf	126
member (alias)	126
member (zone)	126
member (zoneset)	127
name	127
show fc alias	128
show fc ns switch	128
show fc statistics	129
show fc switch	130
show fc zone	130
show fc zoneset	131
show fcoe enode	132
show fcoe fcf	132
show fcoe sessions	133
show fcoe statistics	133
show fcoe system	134
show fcoe vlan	134
show npg devices	134
show running-config vfabric	135
show vfabric	136
vfabric	137
vfabric (interface)	137
vlan	137
zone default-zone permit	138
zoneset activate	138
Layer 2	139
802.1X	139
Port authentication	140
EAP over RADIUS	141
Configure 802.1X	141
Enable 802.1X	142
Identity retransmissions	143
Failure quiet period	144
Port control mode	144
Reauthenticate port	145
Configure timeouts	146
802.1X commands	147
Link aggregation control protocol	152
Modes	152
Configuration	152
Interfaces	153
Rates	153
Sample configuration	154
LACP commands	157
Link layer discovery protocol	163
Protocol data units	163
Optional TLVs	164
Organizationally-specific TLVs	165
Media endpoint discovery	166
Network connectivity device	166
LLDP-MED capabilities TLV	166
Network policies TLVs	167
Define network policies	168
Packet timer values	168
Disable and re-enable LLDP	169
Disable and re-enable LLDP on management ports	170
Advertise TLVs	170
Network policy advertisement	171
Fast start repeat count	171
View LLDP configuration	172
Adjacent agent advertisements	173
Time to live	174
LLDP commands	174
Media Access Control	186
Static MAC Address	186
MAC Address Table	187
Clear MAC Address Table	187
MAC Commands	188
Multiple spanning-tree protocol	190
Configure MST protocol	191
Create instances	191
Root selection	193
Non-Dell hardware	193
Region name or revision	193
Modify parameters	194
Interface parameters	195
Forward traffic	195
Spanning-tree extensions	196
Debug configurations	198
MST commands	198
Rapid per-VLAN spanning-tree plus	208
Load balance and root selection	209
Enable RPVST+	209
Select root bridge	210
Root assignment	211
Loop guard	212
Global parameters	212
RPVST+ commands	213
Rapid spanning-tree protocol	221
Enable globally	221
Global parameters	222
Interface parameters	223
Root bridge selection	224
EdgePort forward traffic	225
Spanning-tree extensions	225
RSTP commands	227
Virtual LANs	233
Default VLAN	233
Create or remove VLANs	234
Access mode	235
Trunk mode	236
Assign IP address	236
View VLAN configuration	237
VLAN commands	239
Port monitoring	240
Local port monitoring	240
Remote port monitoring	241
Encapsulated remote port monitoring	243
Flow-based monitoring	244
Remote port monitoring on VLT	245
Port monitoring commands	246
Layer 3	252
Border gateway protocol	252
Sessions and peers	253
Route reflectors	254
Multiprotocol BGP	255
Attributes	255
Selection criteria	255
Weight and local preference	256
Multiexit discriminators	257
Origin	257
AS path and next-hop	258
Best path selection	258
More path support	259
Advertise cost	259
4-Byte AS numbers	260
AS number migration	260
Configure border gateway protocol	261
Enable BGP	261
Configure Dual Stack	263
Peer templates	263
Neighbor fall-over	265
Fast external fallover	266
Passive peering	268
Local AS	268
AS number limit	269
Redistribute routes	270
Additional paths	270
MED attributes	271
Local preference attribute	271
Weight attribute	272
Enable multipath	273
Route-map filters	273
Route reflector clusters	273
Aggregate routes	274
Confederations	275
Route dampening	276
Timers	277
Neighbor soft-reconfiguration	277
BGP commands	278
Equal cost multi-path	303
Load balancing	303
ECMP commands	303
IPv4 routing	306
Assign interface IP address	306
Configure static routing	307
Address resolution protocol	308
IPv4 routing commands	308
IPv6 routing	312
Enable or disable IPv6	312
IPv6 addresses	313
Stateless autoconfiguration	314
Neighbor discovery	315
Duplicate address discovery	316
Static IPv6 routing	317
IPv6 destination unreachable	317
IPv6 hop-by-hop options	318
View IPv6 information	318
IPv6 commands	318
Internet group management protocol	329
IGMP snooping	329
IGMP snooping commands	332
Open shortest path first	337
Autonomous system areas	337
Areas, networks, and neighbors	338
Router types	339
Designated and backup designated routers	340
Link-state advertisements	340
Router priority	341
Shortest path first throttling	342
OSPFv2	343
OSPFv3	374
Object tracking manager	393
Interface tracking	394
Host tracking	395
Set tracking delays	396
Object tracking	396
View tracked objects	396
OTM commands	397
Policy-based routing	400
Policy-based route-maps	400
Access-list to match route-map	400
Set address to match route-map	401
Assign route-map to interface	401
View PBR information	401
PBR commands	402
Virtual routing and forwarding	404
Configure management VRF	405
VRF commands	406
Virtual router redundancy protocol	410
Configuration	411
Create virtual router	412
Group version	412
Virtual IP addresses	413
Configure virtual IP address	413
Set group priority	414
Authentication	415
Disable preempt	415
Advertisement interval	416
Interface/object tracking	417
Configure tracking	417
VRRP commands	418
UFT modes	424
Configure UFT modes	425
UFT commands	425
hardware forwarding-table mode	425
show hardware forwarding-table mode	426
show hardware forwarding-table mode all	426
System management	427
Dynamic host configuration protocol	427
Packet format and options	427
Configure Server	428
Automatic address allocation	429
Hostname resolution	430
Manual binding entries	431
View DHCP Information	432
System domain name and list	432
DHCP commands	433
DNS commands	438
Network time protocol	440
Enable NTP	440
Broadcasts	441
Source IP address	441
Authentication	442
NTP commands	443
System clock	448
System Clock commands	448
User session management	449
User session management commands	449
Telnet server	451
Telnet commands	451
Security	452
User re-authentication	452
Password strength	453
Role-based access control	453
Assign user role	454
RADIUS authentication	454
TACACS+ authentication	455
SSH Server	456
Virtual terminal line	456
Enable login statistics	457
Security commands	457
Simple network management protocol	470
SNMP commands	470
OS10 image upgrade	471
Boot system partition	472
Upgrade commands	473
Access Control Lists	477
IP ACLs	477
MAC ACLs	478
IP fragment handling	478
IP fragments ACL	478
L3 ACL rules	479
Permit ACL with L3 information only	479
Deny ACL with L3 information only	479
Permit all packets from host	479
Permit only first fragments and non-fragmented packets from host	479
Assign sequence number to filter	480
User-provided sequence number	480
Auto-generated sequence number	480
L2 and L3 ACLs	480
Assign and apply ACL filters	481
Ingress ACL filters	482
Egress ACL filters	482
Clear access-list counters	483
IP prefix-lists	483
Route-maps	484
Match routes	485
Set conditions	485
continue Clause	486
ACL flow-based monitoring	486
Flow-based mirroring	486
Enable flow-based monitoring	487
ACL commands	488
clear ip access-list counters	488
clear ipv6 access-list counters	488
clear mac access-list counters	489
deny	489
deny (IPv6)	490
deny (MAC)	490
deny icmp	491
deny icmp (IPv6)	492
deny ip	492
deny ipv6	493
deny tcp	493
deny tcp (IPv6)	494
deny udp	495
deny udp (IPv6)	496
description	497
ip access-group	497
ip access-list	497
ip as-path deny	498
ip as-path permit	498
ip community-list standard deny	499
ip community–list standard permit	499
ip extcommunity-list standard deny	500
ip extcommunity-list standard permit	500
ip prefix-list description	500
ip prefix-list deny	501
ip prefix-list permit	501
ip prefix-list seq deny	502
ip prefix-list seq permit	502
ipv6 access-group	503
ipv6 access-list	503
ipv6 prefix-list deny	503
ipv6 prefix-list description	504
ipv6 prefix-list permit	504
ipv6 prefix-list seq deny	505
ipv6 prefix-list seq permit	505
mac access-group	506
mac access-list	506
permit	506
permit (IPv6)	507
permit (MAC)	508
permit icmp	508
permit icmp (IPv6)	509
permit ip	510
permit ipv6	510
permit tcp	511
permit tcp (IPv6)	512
permit udp	512
permit udp (IPv6)	513
remark	514
seq deny	514
seq deny (IPv6)	515
seq deny (MAC)	516
seq deny icmp	517
seq deny icmp (IPv6)	517
seq deny ip	518

Match case Limit results 1 per page

OS10(conf-if-eth1/1/1)# show configuration

interface ethernet1/1/1

ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678

no switchport

no shutdown

ipv6 address 1::1/64

IPsec encryption on interfaces

Prerequisite

: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally,

conﬁgure

an IPv6 address

and enable OSPFv3 on the interface, and assign it to an area.

When you

conﬁgure

encryption on an interface, both IPsec encryption and authentication are enabled. You cannot

conﬁgure

encryption if

you have already

conﬁgured

an interface for IPsec authentication (

ipv6 ospf authentication ipsec

). To

conﬁgure

encryption,

you must

ﬁrst

delete the authentication policy.

•

Enable IPsec encryption for OSPFv3 packets in Interface mode.

ipv6 ospf encryption ipsec spi

number

esp

encryption-type

key

authentication-type

key

•

ipsec spi

number

— Enter a unique security policy index (SPI) value (256 to 4294967295).

•

esp

encryption-type

key

— Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-

CBC, only the AES-128 and AES-192 ciphers are supported.

•

key

— Enter the text string used in the encryption algorithm. All neighboring OSPFv3 routers must share the key to decrypt

information. Only a non-encrypted key is supported. Required lengths of the non-encrypted key are: 3DES — 48 hex digits; DES —

16 hex digits; AES-CBC — 32 hex digits for AES-128 and 48 hex digits for AES-192.

•

authentication-type

key

— Enter the encryption authentication algorithm to use (MD5 or SHA1).

•

key

— Enter the text string used in the authentication algorithm. All neighboring OSPFv3 routers must share the key to exchange

information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits.

For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.

To delete an IPsec encryption policy, use the

no ipv6 ospf encryption ipsec spi

number

no ipv6 ospf encryption

null

command.

Conﬁgure

IPsec encryption on interface

OS10(conf-if-eth1/1/1)# ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5

12345678123456781234567812345678

OS10(conf-if-eth1/1/1)# show configuration

interface ethernet1/1/1

ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678

no switchport

no shutdown

ipv6 address 1::1/64

Conﬁgure

IPsec authentication for OSPFv3 area

Prerequisite

: Before you enable IPsec authentication for an OSPFv3 area, enable OSPFv3 globally on the router.

•

Enable IPsec authentication for OSPFv3 packets in an area in Router-OSPFv3 mode.

area

area-id

authentication ipsec spi

number

{MD5 | SHA1}

key

•

area

area-id

— Enter an area ID as a number or IPv6

preﬁx.

•

ipsec spi

number

— Enter a unique security policy index (SPI) value (256 to 4294967295).

•

md5

— Enable message digest 5 (MD5) authentication.

•

sha1

— Enable secure hash algorithm 1 (SHA-1) authentication.

•

key

— Enter the text string used in the authentication type. All OSPFv3 routers in the area share the key to exchange information.

Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1

authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.

Layer 3

379