10-RIPng Configuration
Contents
RIPng packet processing procedure
Configuring RIPng route control
Configuring an additional routing metric
Configuring RIPng route summarization
Configuring a RIPng route filtering policy
Configuring a priority for RIPng
Configuring RIPng route redistribution
Tuning and optimizing the RIPng network
Configuring split horizon and poison reverse
Configuring zero field check on RIPng packets
Configuring the maximum number of ECMP routes
Applying IPsec policies for RIPng
Displaying and maintaining RIPng
Configure RIPng basic functions
Configuring RIPng route redistribution
Configuring RIPng IPsec policies
Introduction to RIPng
RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in RIPng.
RIPng for IPv6 has the following basic differences from RIP:
· UDP port number—RIPng uses UDP port 521 for sending and receiving routing information.
· Multicast address—RIPng uses FF02::9 as the link-local-router multicast address.
· Destination Prefix—128-bit destination address prefix.
· Next hop—128-bit IPv6 address.
· Source address—RIPng uses FE80::/10 as the link-local source address.
RIPng working mechanism
RIPng is a routing protocol based on the distance vector (D-V) algorithm. RIPng uses UDP packets to exchange routing information through port 521.
RIPng uses a hop count to measure the distance to a destination. The hop count is referred to as metric or cost. The hop count from a router to a directly connected network is 0. The hop count between two directly connected routers is 1. When the hop count is greater than or equal to 16, the destination network or host is unreachable.
By default, the routing update is sent every 30 seconds. If the router receives no routing updates from a neighbor within 180 seconds, the routes learned from the neighbor are considered unreachable. Within another 240 seconds, if no routing update is received, the router removes these routes from the routing table.
RIPng supports split horizon and poison reverse to prevent routing loops. It also supports route redistribution.
Each RIPng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information:
· Destination address—IPv6 address of a host or a network.
· Next hop address—IPv6 address of a neighbor along the path to the destination.
· Egress interface—Output interface that forwards IPv6 packets.
· Metric—Cost from the local router to the destination.
· Route time—Time elapsed since a route entry was last changed. Each time a route entry is modified, the route time is set to 0.
· Route tag—Identifies the route used in a routing policy to control routing information. For information about routing policy, see "Configuring routing policies."
RIPng packet format
Basic format
A RIPng packet consists of a header and multiple route table entries (RTEs). The maximum number of RTEs in a packet depends on the IPv6 MTU of the sending interface.
Figure 1 RIPng basic packet format
· Command—Type of message. 0x01 indicates Request, 0x02 indicates Response.
· Version—Version of RIPng. It can only be 0x01.
· RTE—Route table entry; it is 20 bytes for each entry.
RTE format
The types of RTEs in RIPng are as follows:
· Next hop RTE—Defines the IPv6 address of a next hop.
· IPv6 prefix RTE—Describes the destination IPv6 address, route tag, prefix length, and metric in the RIPng routing table.
IPv6 next hop address is the IPv6 address of the next hop.
Figure 3 IPv6 prefix RTE format
· IPv6 prefix—Destination IPv6 address prefix
· Route tag—Route tag
· Prefix length—Length of the IPv6 address prefix
· Metric—Cost of a route
RIPng packet processing procedure
Request packet
When a RIPng router first starts or must update some entries in its routing table, it generally sends a multicast request packet to ask for needed routes from neighbors.
The receiving RIPng router processes RTEs in the request. If there is only one RTE with the IPv6 prefix and prefix length both being 0 and with a metric value of 16, the RIPng router will respond with the entire routing table information in response messages. If there are multiple RTEs in the request message, the RIPng router will examine each RTE, update its metric, and send the requested routing information to the requesting router in the response packet.
Response packet
A response packet containing the local routing table information is generated in the following cases:
· A response to a request
· A periodic update
· A triggered update caused by a route change
After the router receives a response, it checks the validity of the response before adding the routes to its routing table, such as whether the source IPv6 address is a link-local address and whether the port number is correct. A response packet that fails the check is discarded.
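The packet layout and the receive-side checks described above, as an added example that is not part of the vendor documentation. Field sizes follow RFC 2080; the function names are hypothetical, and the sample packet is constructed from the peer address and prefixes that appear in this guide's example output.

```python
import ipaddress
import struct

RIPNG_PORT = 521
HEADER = struct.Struct("!BBH")   # command, version, must-be-zero field
RTE = struct.Struct("!16sHBB")   # prefix, route tag, prefix length, metric
NEXT_HOP_METRIC = 0xFF           # RFC 2080: this metric marks a next hop RTE
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


class Discard(ValueError):
    """The packet failed a validity check and is dropped as a whole."""


def parse_ripng(payload, checkzero=True):
    """Return (command, routes); each route is (prefix, tag, metric, next_hop)."""
    body = len(payload) - HEADER.size
    if body < 0 or body % RTE.size:
        raise Discard("length is not a header plus whole 20-byte RTEs")
    command, version, zero = HEADER.unpack_from(payload)
    if command not in (1, 2) or version != 1:
        raise Discard("bad command or version")
    if checkzero and zero:
        raise Discard("non-zero field in header")
    routes, next_hop = [], None  # None means "the next hop is the sender"
    for off in range(HEADER.size, len(payload), RTE.size):
        raw, tag, plen, metric = RTE.unpack_from(payload, off)
        if metric == NEXT_HOP_METRIC:
            if checkzero and (tag or plen):
                raise Discard("non-zero field in next hop RTE")
            addr = ipaddress.IPv6Address(raw)
            # RFC 2080: a next hop that is not link-local is treated as ::
            next_hop = addr if addr in LINK_LOCAL else None
            continue
        if plen > 128 or not 1 <= metric <= 16:
            continue             # ignore the malformed entry, keep the rest
        prefix = ipaddress.IPv6Network((raw, plen), strict=False)
        routes.append((prefix, tag, metric, next_hop))
    return command, routes


def accept_response(src, sport, payload, checkzero=True):
    """Apply the source-address and port checks, then parse the Response."""
    sender = ipaddress.IPv6Address(src)
    if sender not in LINK_LOCAL:
        raise Discard("source is not a link-local address")
    if sport != RIPNG_PORT:
        raise Discard("source port is not 521")
    command, routes = parse_ripng(payload, checkzero)
    if command != 2:
        raise Discard("not a Response")
    return [(p, t, m, nh or sender) for p, t, m, nh in routes]


def why_dropped(src, sport, payload, checkzero=True):
    """Return the discard reason, or None when the Response is accepted."""
    try:
        accept_response(src, sport, payload, checkzero)
    except Discard as exc:
        return str(exc)
    return None


def rte(prefix, metric, tag=0):
    """Encode one IPv6 prefix RTE (helper for building test packets)."""
    net = ipaddress.IPv6Network(prefix)
    return RTE.pack(net.network_address.packed, tag, net.prefixlen, metric)


# Constructed sample: a Response advertising three prefixes with metric 1.
SENDER = "fe80::20f:e2ff:fe00:100"
SAMPLE = HEADER.pack(2, 1, 0) + rte("3::/64", 1) + rte("4::/64", 1) + rte("5::/64", 1)

if __name__ == "__main__":
    for route in accept_response(SENDER, RIPNG_PORT, SAMPLE):
        print(*route)
    print(why_dropped("2001:db8::1", RIPNG_PORT, SAMPLE))
```

Passing `checkzero=False` mirrors a receiver with the zero field check disabled: the same packet with a non-zero reserved header field is then accepted.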
Protocols and standards
· RFC 2080, RIPng for IPv6
· RFC 2081, RIPng Protocol Applicability Statement
RIPng configuration task list
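Task | Remarks |
---|---|
Configuring basic RIPng | Required. |
Configuring an additional routing metric | Optional. |
Configuring RIPng route summarization | Optional. |
Advertising a default route | Optional. |
Configuring a RIPng route filtering policy | Optional. |
Configuring a priority for RIPng | Optional. |
Configuring RIPng route redistribution | Optional. |
Configuring RIPng timers | Optional. |
Configuring split horizon and poison reverse | Optional. |
Configuring zero field check on RIPng packets | Optional. |
Configuring the maximum number of ECMP routes | Optional. |
Applying IPsec policies for RIPng | Optional. |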
Configuring basic RIPng
This section describes how to configure the basic RIPng features.
You must enable RIPng before configuring other RIPng tasks. This is not required for RIPng-related interface configurations, such as assigning an IPv6 address.
Configuration prerequisites
Before the configuration, complete the following tasks:
· Enable IPv6 packet forwarding.
· Configure an IP address for each interface to ensure IP connectivity between neighboring nodes.
Configuration procedure
To configure basic RIPng:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a RIPng process and enter RIPng view. | ripng [ process-id ] [ vpn-instance vpn-instance-name ] | Not created by default. |
3. Return to system view. | quit | N/A |
4. Enter interface view. | interface interface-type interface-number | N/A |
5. Enable RIPng on the interface. | ripng process-id enable | Disabled by default. If RIPng is not enabled on an interface, the interface will not send or receive any RIPng route. |
Configuring RIPng route control
Before the configuration, complete the following tasks:
· Configure an IPv6 address on each interface to ensure IP connectivity between neighboring nodes.
· Configure basic RIPng.
· Define an IPv6 ACL before using it for route filtering. For related information, see ACL and QoS Configuration Guide.
· Define an IPv6 address prefix list before using it for route filtering. For related information, see "Configuring routing policies."
Configuring an additional routing metric
An additional routing metric can be added to the metric of an inbound or outbound RIPng route. These are called the inbound additional metric and the outbound additional metric.
The outbound additional metric is added to the metric of a sent route. The route's metric in the routing table is not changed.
The inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route's metric is changed.
To configure an inbound or outbound additional routing metric:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Specify an inbound routing additional metric. | ripng metricin value | Optional. 0 by default. |
4. Specify an outbound routing additional metric. | ripng metricout value | Optional. 1 by default. |
Configuring RIPng route summarization
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter interface view. | interface interface-type interface-number |
3. Advertise a summary IPv6 prefix. | ripng summary-address ipv6-address prefix-length |
Advertising a default route
With this feature enabled, a default route is advertised through the specified interface regardless of whether the default route is available in the local IPv6 routing table.
To advertise a default route:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Advertise a default route. | ripng default-route { only \| originate } [ cost cost ] | Not advertised by default. |
Configuring a RIPng route filtering policy
You can reference a configured IPv6 ACL or prefix list to filter received or advertised routing information as needed. To filter outbound routes, you can specify a routing protocol; routing information redistributed from the protocol is filtered.
To configure a RIPng route filtering policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Configure a filter policy to filter incoming routes. | filter-policy { acl6-number \| ipv6-prefix ipv6-prefix-name } import | By default, RIPng does not filter incoming routing information. |
4. Configure a filter policy to filter outgoing routes. | filter-policy { acl6-number \| ipv6-prefix ipv6-prefix-name } export [ protocol [ process-id ] ] | By default, RIPng does not filter outgoing routing information. |
Configuring a priority for RIPng
Routing protocols have their own protocol priorities used for optimal route selection. You can set a priority for RIPng manually. The smaller the value, the higher the priority.
To configure a RIPng priority:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Configure a RIPng priority. | preference [ route-policy route-policy-name ] preference | Optional. By default, the RIPng priority is 100. |
Configuring RIPng route redistribution
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Configure a default routing metric for redistributed routes. | default cost cost | Optional. The default metric of redistributed routes is 0. |
4. Redistribute routes from another routing protocol. | import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name ] * | By default, no route redistribution is configured. |
Tuning and optimizing the RIPng network
This section describes how to tune and optimize the performance of the RIPng network, as well as applications under special network environments. Before you tune and optimize the RIPng network, complete the following tasks:
· Configure a network layer address for each interface.
· Configure basic RIPng.
Configuring RIPng timers
You can adjust RIPng timers to optimize the performance of the RIPng network. Based on network performance, make RIPng timers of RIPng routers identical to each other to avoid unnecessary traffic or route oscillation.
To configure RIPng timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Configure RIPng timers. | timers { garbage-collect garbage-collect-value \| suppress suppress-value \| timeout timeout-value \| update update-value } * | Optional. The RIPng timers have the following defaults: update timer, 30 seconds; timeout timer, 180 seconds; suppress timer, 120 seconds; garbage-collect timer, 120 seconds. |
Configuring split horizon and poison reverse
If both split horizon and poison reverse are configured, only the poison reverse function takes effect.
Configuring split horizon
The split horizon function prevents a route learned from an interface from being advertised through the same interface, which prevents routing loops between neighbors. H3C recommends enabling split horizon to prevent routing loops.
In frame relay, X.25 and other non-broadcast multi-access (NBMA) networks, split horizon should be disabled if multiple VCs are configured on the primary interface and secondary interfaces to ensure route advertisement. For more information, see Layer 2—WAN Configuration Guide.
To configure split horizon:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable the split horizon function. | ripng split-horizon | Optional. Enabled by default. |
Configuring poison reverse
The poison reverse function enables a route learned from an interface to be advertised through the interface. However, the metric of the route is set to 16, which means the route is unreachable.
To configure poison reverse:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable the poison reverse function. | ripng poison-reverse | Disabled by default. |
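How the additional metrics and the two loop-prevention functions shape an advertisement, as an added example that is not vendor code. It goes beyond the text by simulating the two-router loop that split horizon and poison reverse prevent; the function names, the single link named link and the one-neighbor-per-interface simplification are assumptions.

```python
INFINITY = 16  # a metric of 16 means the destination is unreachable


def build_update(table, out_if, metricout=1, split_horizon=True,
                 poison_reverse=False):
    """Return {prefix: metric} to advertise through out_if.

    table maps prefix -> (metric, learned_if); learned_if is None for a
    route that was not learned through RIPng on an interface.
    """
    update = {}
    for prefix, (metric, learned_if) in table.items():
        if learned_if == out_if:
            if poison_reverse:        # takes effect when both are enabled
                update[prefix] = INFINITY
                continue
            if split_horizon:
                continue              # never advertise the route back
        # The outbound additional metric changes only the advertised value.
        update[prefix] = min(metric + metricout, INFINITY)
    return update


def receive(table, in_if, update, metricin=0):
    """Apply an update received on in_if (one neighbor per interface assumed)."""
    for prefix, advertised in update.items():
        # The inbound additional metric changes the value that is stored.
        metric = min(advertised + metricin, INFINITY)
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:
                table[prefix] = (metric, in_if)
        elif current[1] == in_if or metric < current[0]:
            table[prefix] = (metric, in_if)


def rounds_to_converge(split_horizon, poison_reverse, prefix="4::/64"):
    """Two routers on one link: A has just lost prefix, B still holds it."""
    a = {prefix: (INFINITY, None)}
    b = {prefix: (1, "link")}
    opts = dict(split_horizon=split_horizon, poison_reverse=poison_reverse)
    for rnd in range(1, 2 * INFINITY):
        receive(a, "link", build_update(b, "link", **opts))  # B's stale view first
        receive(b, "link", build_update(a, "link", **opts))
        if a[prefix][0] == b[prefix][0] == INFINITY:
            return rnd
    return None


# Constructed from the Switch B "display ripng 1 route" output in this guide
# (after filtering): prefix -> (cost, interface the route was learned on).
SWITCH_B = {
    "1::/64": (1, "Vlan-interface100"),
    "2::/64": (1, "Vlan-interface100"),
    "4::/64": (1, "Vlan-interface200"),
    "5::/64": (1, "Vlan-interface200"),
}

if __name__ == "__main__":
    print(build_update(SWITCH_B, "Vlan-interface100"))
    print(build_update(SWITCH_B, "Vlan-interface100", poison_reverse=True))
    print("rounds without loop prevention:", rounds_to_converge(False, False))
    print("rounds with split horizon:", rounds_to_converge(True, False))
```

With the defaults, Switch B advertises 4::/64 and 5::/64 toward Switch A with metric 2, which matches the cost shown in Switch A's output in the configuration example.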
Configuring zero field check on RIPng packets
Some fields in the RIPng packet must be zero. These fields are called zero fields. With zero field check on RIPng packets enabled, if such a field contains a non-zero value, the entire RIPng packet is discarded. If you are sure that all packets are trustworthy, disable the zero field check to reduce CPU processing time.
To configure RIPng zero field check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Enable the zero field check. | checkzero | Optional. Enabled by default. |
Configuring the maximum number of ECMP routes
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Configure the maximum number of ECMP RIPng routes for load balancing. | maximum load-balancing number | Optional. 16 by default. |
Applying IPsec policies for RIPng
To protect routing information and defend against attacks, RIPng supports using an IPsec policy to authenticate protocol packets as follows.
Outbound RIPng packets carry the Security Parameter Index (SPI) defined in the corresponding IPsec policy. A switch uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the switch accepts the packet; otherwise, it discards the packet and thus will not establish a neighbor relationship with the sending switch.
You can configure an IPsec policy for a RIPng process or interface. The IPsec policy configured for a process applies to all packets in the process. The IPsec policy configured on an interface applies to packets on the interface. If an interface and its process each have an IPsec policy configured, the interface uses its own IPsec policy.
Configuration prerequisites
Before you apply an IPsec policy for RIPng, complete the following tasks:
· Create an IPsec proposal.
· Create an IPsec policy.
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration guidelines
An IPsec policy used for RIPng can only be in manual mode. For more information, see Security Configuration Guide.
Configuration procedure
To apply an IPsec policy in a process:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter RIPng view. | ripng [ process-id ] | N/A |
3. Apply an IPsec policy in the process. | enable ipsec-policy policy-name | Not configured by default. |
To apply an IPsec policy on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Apply an IPsec policy on the interface. | ripng ipsec-policy policy-name | Not configured by default. |
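The precedence rule above (an interface's own IPsec policy overrides the one applied to its RIPng process) can be checked against a device's command list. This is an added example, not vendor code: audit_ripng_ipsec, policy002 and the sample command list are constructed for illustration, and flagging DES is this auditor's own policy rather than a statement from the guide.

```python
def audit_ripng_ipsec(commands):
    """Return {interface: (effective_policy, findings)} for RIPng interfaces."""
    view, name = "system", None
    proc_policy, if_proc, if_policy = {}, {}, {}
    policy_proposal, proposal_enc = {}, {}
    for line in commands:
        w = line.split()
        if not w:
            continue
        if w[0] == "quit":
            view, name = "system", None   # every view used here is one level deep
        elif w[:2] == ["ipsec", "proposal"]:
            view, name = "proposal", w[2]
        elif w[:2] == ["ipsec", "policy"]:
            view, name = "policy", w[2]
        elif w[0] == "interface":
            view, name = "interface", " ".join(w[1:])
        elif view == "system" and w[0] == "ripng" and len(w) > 1:
            view, name = "ripng", w[1]
        elif view == "ripng" and w[:2] == ["enable", "ipsec-policy"]:
            proc_policy[name] = w[2]      # applies to the whole process
        elif view == "interface" and w[:2] == ["ripng", "ipsec-policy"]:
            if_policy[name] = w[2]        # applies to this interface only
        elif view == "interface" and w[0] == "ripng" and w[-1] == "enable":
            if_proc[name] = w[1]
        elif view == "proposal" and w[:2] == ["esp", "encryption-algorithm"]:
            proposal_enc[name] = w[2]
        elif view == "policy" and w[0] == "proposal":
            policy_proposal[name] = w[1]
    report = {}
    for iface, proc in if_proc.items():
        # The interface policy wins over the process policy.
        policy = if_policy.get(iface) or proc_policy.get(proc)
        findings = []
        if policy is None:
            findings.append("no IPsec policy: RIPng packets are not authenticated")
        elif policy not in policy_proposal:
            findings.append("policy %s is not defined" % policy)
        elif proposal_enc.get(policy_proposal[policy]) == "des":
            findings.append("proposal %s encrypts with DES (56-bit key)"
                            % policy_proposal[policy])
        report[iface] = (policy, findings)
    return report


# Constructed command list in the syntax used by this guide (keys omitted).
SAMPLE = """
ipsec proposal tran1
 encapsulation-mode transport
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm sha1
 quit
ipsec policy policy001 10 manual
 proposal tran1
 sa spi outbound esp 12345
 sa spi inbound esp 12345
 quit
ripng 1
 enable ipsec-policy policy001
 quit
ripng 200
 quit
interface vlan-interface 100
 ripng 1 enable
 quit
interface vlan-interface 200
 ripng 1 enable
 ripng ipsec-policy policy002
 quit
interface vlan-interface 300
 ripng 200 enable
 quit
""".splitlines()

if __name__ == "__main__":
    for iface, (policy, findings) in audit_ripng_ipsec(SAMPLE).items():
        print(iface, policy, findings)
```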
Displaying and maintaining RIPng
Task | Command | Remarks |
---|---|---|
Display configuration information of a RIPng process. | display ripng [ process-id \| vpn-instance vpn-instance-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display routes in the RIPng database. | display ripng process-id database [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the routing information of a specified RIPng process. | display ripng process-id route [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display RIPng interface information. | display ripng process-id interface [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Reset a RIPng process. | reset ripng process-id process | Available in user view. |
Clear statistics of a RIPng process. | reset ripng process-id statistics | Available in user view. |
RIPng configuration examples
By default, Ethernet, VLAN, and aggregate interfaces are down. Before configuring these interfaces, bring them up by using the undo shutdown command.
Configure RIPng basic functions
Network requirements
As shown in Figure 4, all switches run RIPng. Configure Switch B to filter the route (3::/64) learned from Switch C, which means the route will not be added to the routing table of Switch B, and Switch B will not forward it to Switch A.
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure basic RIPng:
# Configure Switch A.
<SwitchA> system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 400
[SwitchA-Vlan-interface400] ripng 1 enable
[SwitchA-Vlan-interface400] quit
# Configure Switch B.
<SwitchB> system-view
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Configure Switch C.
<SwitchC> system-view
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
[SwitchC] interface vlan-interface 500
[SwitchC-Vlan-interface500] ripng 1 enable
[SwitchC-Vlan-interface500] quit
[SwitchC] interface vlan-interface 600
[SwitchC-Vlan-interface600] ripng 1 enable
[SwitchC-Vlan-interface600] quit
# Display the routing table on Switch B.
[SwitchB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE23:82F5 on Vlan-interface100
Dest 1::/64,
via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 6 Sec
Dest 2::/64,
via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 6 Sec
Peer FE80::20F:E2FF:FE00:100 on Vlan-interface200
Dest 3::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 11 Sec
Dest 4::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 11 Sec
Dest 5::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 11 Sec
# Display the routing table on Switch A.
[SwitchA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::200:2FF:FE64:8904 on Vlan-interface100
Dest 1::/64,
via FE80::200:2FF:FE64:8904, cost 1, tag 0, A, 31 Sec
Dest 4::/64,
via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
Dest 5::/64,
via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
Dest 3::/64,
via FE80::200:2FF:FE64:8904, cost 1, tag 0, A, 31 Sec
3. Configure a filtering policy for Switch B:
# Configure Switch B to filter incoming and outgoing routes.
[SwitchB] acl ipv6 number 2000
[SwitchB-acl6-basic-2000] rule deny source 3::/64
[SwitchB-acl6-basic-2000] rule permit
[SwitchB-acl6-basic-2000] quit
[SwitchB] ripng 1
[SwitchB-ripng-1] filter-policy 2000 import
[SwitchB-ripng-1] filter-policy 2000 export
# Display routing tables on Switch B and Switch A.
[SwitchB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE23:82F5 on Vlan-interface100
Dest 1::/64,
via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 2 Sec
Dest 2::/64,
via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 2 Sec
Peer FE80::20F:E2FF:FE00:100 on Vlan-interface200
Dest 4::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
Dest 5::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[SwitchA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE00:1235 on Vlan-interface100
Dest 1::/64,
via FE80::20F:E2FF:FE00:1235, cost 1, tag 0, A, 2 Sec
Dest 4::/64,
via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec
Dest 5::/64,
via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec
Configuring RIPng route redistribution
Network requirements
Switch B runs two RIPng processes. It communicates with Switch A through RIPng 100 and with Switch C through RIPng 200.
Configure route redistribution on Switch B, allowing the two RIPng processes to redistribute routes from each other. Set the default cost of redistributed routes from RIPng 200 to 3.
Figure 5 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure basic RIPng:
# Enable RIPng 100 on Switch A.
<SwitchA> system-view
[SwitchA] ripng 100
[SwitchA-ripng-100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 100 enable
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 200
[SwitchA-Vlan-interface200] ripng 100 enable
[SwitchA-Vlan-interface200] quit
# Enable RIPng 100 and RIPng 200 on Switch B.
<SwitchB> system-view
[SwitchB] ripng 100
[SwitchB-ripng-100] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 100 enable
[SwitchB-Vlan-interface100] quit
[SwitchB] ripng 200
[SwitchB-ripng-200] quit
[SwitchB] interface vlan-interface 300
[SwitchB-Vlan-interface300] ripng 200 enable
[SwitchB-Vlan-interface300] quit
# Enable RIPng 200 on Switch C.
<SwitchC> system-view
[SwitchC] ripng 200
[SwitchC-ripng-200] quit
[SwitchC] interface vlan-interface 300
[SwitchC-Vlan-interface300] ripng 200 enable
[SwitchC-Vlan-interface300] quit
[SwitchC] interface vlan-interface 400
[SwitchC-Vlan-interface400] ripng 200 enable
[SwitchC-Vlan-interface400] quit
# Display the routing table on Switch A.
[SwitchA] display ipv6 routing-table
Routing Table :
Destinations : 6 Routes : 6
Destination: ::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 1::/64 Protocol : Direct
NextHop : 1::1 Preference: 0
Interface : Vlan100 Cost : 0
Destination: 1::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 2::/64 Protocol : Direct
NextHop : 2::1 Preference: 0
Interface : Vlan200 Cost : 0
Destination: 2::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: FE80::/10 Protocol : Direct
NextHop : :: Preference: 0
Interface : NULL0 Cost : 0
3. Configure RIPng route redistribution:
# Configure route redistribution between the two RIPng processes on Switch B.
[SwitchB] ripng 100
[SwitchB-ripng-100] default cost 3
[SwitchB-ripng-100] import-route ripng 200
[SwitchB-ripng-100] quit
[SwitchB] ripng 200
[SwitchB-ripng-200] import-route ripng 100
[SwitchB-ripng-200] quit
# Display the routing table on Switch A.
[SwitchA] display ipv6 routing-table
Routing Table :
Destinations : 7 Routes : 7
Destination: ::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 1::/64 Protocol : Direct
NextHop : 1::1 Preference: 0
Interface : Vlan100 Cost : 0
Destination: 1::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 2::/64 Protocol : Direct
NextHop : 2::1 Preference: 0
Interface : Vlan200 Cost : 0
Destination: 2::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 4::/64 Protocol : RIPng
NextHop : FE80::200:BFF:FE01:1C02 Preference: 100
Interface : Vlan100 Cost : 4
Destination: FE80::/10 Protocol : Direct
NextHop : :: Preference: 0
Interface : NULL0 Cost : 0
Configuring RIPng IPsec policies
Network requirements
As shown in the following figure:
· Configure RIPng on the switches.
· Configure IPsec policies on the switches to authenticate and encrypt protocol packets.
Figure 6 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure basic RIPng:
# Configure Switch A.
<SwitchA> system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
# Configure Switch B.
<SwitchB> system-view
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Configure Switch C.
<SwitchC> system-view
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
3. Configure RIPng IPsec policies:
# On Switch A, create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1; create an IPsec policy named policy001, specify the manual mode for it, reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchA] ipsec proposal tran1
[SwitchA-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchA-ipsec-proposal-tran1] transform esp
[SwitchA-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-proposal-tran1] quit
[SwitchA] ipsec policy policy001 10 manual
[SwitchA-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] quit
# On Switch B, create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1; create an IPsec policy named policy001, specify the manual mode for it, reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchB] ipsec proposal tran1
[SwitchB-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchB-ipsec-proposal-tran1] transform esp
[SwitchB-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-proposal-tran1] quit
[SwitchB] ipsec policy policy001 10 manual
[SwitchB-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchB-ipsec-policy-manual-policy001-10] quit
# On Switch C, create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1; create an IPsec policy named policy001, specify the manual mode for it, reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchC] ipsec proposal tran1
[SwitchC-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchC-ipsec-proposal-tran1] transform esp
[SwitchC-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchC-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchC-ipsec-proposal-tran1] quit
[SwitchC] ipsec policy policy001 10 manual
[SwitchC-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[SwitchC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchC-ipsec-policy-manual-policy001-10] quit
4. Apply the IPsec policies in the RIPng process:
# Configure Switch A.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit
# Configure Switch B.
[SwitchB] ripng 1
[SwitchB-ripng-1] enable ipsec-policy policy001
[SwitchB-ripng-1] quit
# Configure Switch C.
[SwitchC] ripng 1
[SwitchC-ripng-1] enable ipsec-policy policy001
[SwitchC-ripng-1] quit
5. Verify the configuration.
RIPng traffic between Switches A, B, and C is protected by IPsec.