The sham-link command creates and configures an OSPFv3 sham link.
The undo sham-link command deletes the existing OSPFv3 sham link or restores the default configuration.
By default, OSPFv3 sham links are not configured.
sham-link source-address destination-address [ cost cost | dead dead-interval | hello hello-interval | retransmit retransmit-interval | trans-delay trans-delay-interval | authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } | keychain keychain-name } | instance instance-id ] *
undo sham-link source-address destination-address [ cost [ cost ] | dead [ dead-interval ] | hello [ hello-interval ] | retransmit [ retransmit-interval ] | trans-delay [ trans-delay-interval ] | authentication-mode { hmac-sha256 key-id key-id | keychain } ] *
| Parameter | Description | Value |
|---|---|---|
source-address |
Specifies the source IPv6 address. |
- |
destination-address |
Specifies the destination IPv6 address. |
- |
cost cost |
Specifies the cost of a sham link. |
The value is an integer ranging from 1 to 65535. The default value is 1. |
dead dead-interval |
Specifies the dead interval. This value must be equal to the dead-interval of the router that sets up a sham link with the local router and at least four times the value of hello-interval. |
The value is an integer ranging from 1 to 65535, in seconds. |
hello hello-interval |
Specifies the interval at which an interface sends Hello packets. This value must be equal to the hello-interval of the router that sets up the sham link with the local router. |
The value is an integer ranging from 1 to 65535, in seconds. |
retransmit retransmit-interval |
Specifies the interval at which an interface retransmits LSAs. |
The value is an integer ranging from 1 to 3600, in seconds. |
trans-delay trans-delay-interval |
Specifies the delay in which an interface sends LSAs. |
The value is an integer ranging 1 to 800, in seconds. |
authentication-mode |
Indicates the authentication mode over the sham link. |
- |
hmac-sha256 |
Sets the HMAC-SHA256 authentication mode. |
- |
key-id key-id |
Specifies the key ID for authentication, which must be the same as the one configured at the other end. |
The value is an integer ranging from 1 to 255. |
plain |
Configures the simple password type. Only a simple password can be entered, and the password is displayed in simple text in the configuration file. NOTE:
When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically. |
- |
plain-text |
Specifies a simple password. |
The value is a string of 1 to 255 characters. |
cipher |
Configures the ciphertext password type. You can enter either a password in simple text mode or ciphertext mode, but the password is displayed in ciphertext in the configuration file. |
- |
cipher-text |
Specifies a ciphertext password. |
The value can be a string of 1 to 255 characters for simple passwords and 20 to 392 characters for ciphertext passwords. |
keychain |
Configures keychain authentication. NOTE:
Before you configure keychain authentication, run the keychain command to configure a keychain, the key-id command to configure a key ID, the key-string command to configure a password, and the algorithm command to configure an algorithm. If these commands are not run, OSPFv3 authentication fails. OSPFv3 supports only hmac-sha256. |
- |
keychain-name |
Specifies a keychain name. |
The value is a string of 1 to 47 case-insensitive characters. Except the question mark (?) and space. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
instance instance-id |
Specifies the instance ID of a sham link. |
The value is an integer ranging from 0 to 255. |
If two PEs belong to the same area and are connected through an intra-area route, you can run the sham-link command to set up a sham link between the two PEs so that the VPN intra-area route is preferred over the intra-area route. The sham-link command can be configured only in the OSPFv3 VPN process.
To improve OSPFv3 network security, run the authentication-mode command.
The sham-link command can be configured only in the OSPFv3 VPN process.
# Creates an OSPFv3 sham link with 2001:DB8:1::1 as the source IP address and 2001:DB8:2::2 as the destination IP address and configure HMAC-SHA256 authentication for it.
<sysname> system-view
[sysname] ospfv3 1 vpn-instance vrf1
[sysname-ospfv3-1] area 1
[sysname-ospfv3-1-area-0.0.0.1] sham-link 2001:db8:1::1 2001:db8:2::2 hmac-sha256 key-id 10 cipher Huawei-123