Cisco ASR 5000
HA Service Configuration Mode Commands
fa-ha-spi
Command Line Interface Reference, StarOS Release 18
secret secret: Specifies the shared key between the HA service and the FA. secret must be an alphanumeric string of 1 through 236 characters that is case sensitive.
allow-fa-ha-auth-extension
Allows validation of FA HA Authentication extension.
description string
This is a description for the SPI. string must be an alphanumeric string of 0 through 31 characters.
hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
Default: hmac-md5
Specifies the hash-algorithm used between the HA service and the FA.
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
replay-protection { timestamp [ timestamp-tolerance tolerance ] | nonce }
Specifies the replay-protection scheme that should be implemented by the FA service for this SPI.
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
timestamp-tolerance: Specifies the allowable difference (tolerance) in timestamps. If the difference is exceeded, the session is rejected. tolerance is measured in seconds and can be configured to an integer from 1 through 65535. The default is 60.
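Added example (not from the Cisco documentation, and not StarOS code): a Python model of how a receiver checks an FA-HA authenticator under the rfc2002-md5 and hmac-md5 options and then applies the timestamp tolerance. It assumes the prefix+suffix keyed-MD5 construction and the type, length and SPI coverage defined in RFC 2002; the function names, the SA dictionary and the message bytes are hypothetical, and the md5 option is omitted because the page does not give its construction.

```python
import hashlib
import hmac
import struct

FA_HA_AUTH_EXT_TYPE = 34      # Foreign-Home Authentication Extension (RFC 2002)
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
# Constructed sample: SPI and secret from the page's example, dummy message.
SA = {"spi": 512, "secret": b"q397F65", "algorithm": "rfc2002-md5", "tolerance": 60}
MESSAGE = b"constructed-registration-request"


def authenticator(algorithm, secret, protected):
    """Return the 16-byte authenticator over the protected bytes."""
    if algorithm == "rfc2002-md5":
        # Keyed MD5, prefix+suffix mode: MD5(secret || data || secret)
        return hashlib.md5(secret + protected + secret).digest()
    if algorithm == "hmac-md5":
        return hmac.new(secret, protected, hashlib.md5).digest()
    raise ValueError("unsupported algorithm: " + algorithm)


def protected_bytes(message, spi):
    """Message and prior extensions, then this extension's type, length, SPI."""
    # Length field covers the 4-byte SPI plus the 16-byte authenticator.
    return message + struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, 4 + 16, spi)


def timestamp_ok(identification, now_unix, tolerance=60):
    """Simplified check: high 32 bits of the 64-bit ID are NTP seconds."""
    sent_unix = (identification >> 32) - NTP_UNIX_OFFSET
    return abs(now_unix - sent_unix) <= tolerance


def verify(message, spi, received_auth, identification, now_unix, sa):
    """sa is a hypothetical dict modelling one configured SPI entry."""
    if spi != sa["spi"]:
        return "reject: unknown SPI"
    expected = authenticator(sa["algorithm"], sa["secret"], protected_bytes(message, spi))
    if not hmac.compare_digest(expected, received_auth):
        return "reject: bad authenticator"
    if not timestamp_ok(identification, now_unix, sa["tolerance"]):
        return "reject: timestamp outside tolerance"
    return "accept"


if __name__ == "__main__":
    now = 1700000000  # constructed clock value
    ident = (now + NTP_UNIX_OFFSET) << 32
    auth = authenticator("rfc2002-md5", SA["secret"], protected_bytes(MESSAGE, 512))
    print(verify(MESSAGE, 512, auth, ident, now + 30, SA))
```

A peer that computes the authenticator with hmac-md5 while this entry expects rfc2002-md5 is rejected even though the secret is identical, which is why the SPI settings must match on both sides.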
Usage
An SPI is a security mechanism configured and shared by the HA service and the FA. Please refer to RFC 2002 for additional information.
Though it is possible for FAs and HAs to communicate without SPIs being configured, the use of them is recommended for security purposes. It is also recommended that a “default” SPI with a remote address of 0.0.0.0/0 be configured on both the HA and FA to prevent hackers from spoofing addresses.
Important: The SPI configuration on the HA must match the SPI configuration for the FA service on the system in order for the two devices to communicate properly.
A maximum of 2,048 SPIs can be configured per HA service.
Use the no version of this command to delete a previously configured SPI.
Example
The following command configures the FA service to use an SPI of 512 when communicating with an HA with the IP address 192.168.0.2. The key that would be shared between the HA and the FA service is q397F65. When communicating with this HA, the FA service will also be configured to use the rfc2002-md5 hash-algorithm.
fa-ha-spi remote-address 192.168.0.2 spi-number 512 secret q397F65 hash-algorithm rfc2002-md5
The following command deletes the configured SPI of 400 for an HA with an IP address of 172.100.3.200:
no fa-ha-spi remote-address 172.100.3.200 spi-number 400