Applying an IPsec Policy to an IPv6 BGP Peer or Peer Group; Configuring a Large-Scale IPv6 BGP Network - HP 3600 v2 series Configuration Manual

Applying an IPsec policy to an IPv6 BGP peer or peer group

To protect routing information and defend against attacks, IPv6 BGP can authenticate protocol packets by using an IPsec policy.
Outbound IPv6 BGP packets carry the Security Parameter Index (SPI) defined in the IPsec policy. A device uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the device accepts the packet; otherwise, it discards the packet and does not establish a neighbor relationship with the sending device.
Configuration prerequisites
Before applying an IPsec policy to a peer or peer group, complete the following tasks:
Create an IPsec proposal
Create an IPsec policy
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration procedure
Follow these steps to apply an IPsec policy to a peer or peer group:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter BGP view | bgp as-number | |
| Enter IPv6 address family view | ipv6-family | |
| Apply an IPsec policy to a peer or peer group | peer { group-name \| ip-address } ipsec-policy policy-name | Required. Not configured by default. |

NOTE:
An IPsec policy used for IPv6 BGP can only be in manual mode. For more information, see Security Configuration Guide.

Configuring a large-scale IPv6 BGP network

In a large-scale IPv6 BGP network, configuration and maintenance become inconvenient because of the large number of peers. Configuring peer groups makes management easier and improves route distribution efficiency. Peer groups include iBGP peer groups, where peers belong to the same AS, and eBGP peer groups, where peers belong to different ASs. If the peers in an eBGP peer group belong to the same external AS, the group is a pure eBGP peer group; otherwise, it is a mixed eBGP peer group.
In a peer group, all members have a common policy. Using the community attribute can make a set of IPv6 BGP routers in multiple ASs have the same policy, because community sending between IPv6 BGP peers is not limited by AS.
To ensure connectivity between iBGP peers, make them fully meshed. A full mesh becomes impractical when too many iBGP peers exist; using route reflectors or confederations can solve this issue. In a large-scale AS, both can be used.
Confederation configuration of IPv6 BGP is identical to that of BGP4, so it is not described here.
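An added example, not from the HP manual: a Python check over a saved configuration that reports IPv6 BGP peers and peer groups with no IPsec policy applied, or whose policy is undefined or not in manual mode, with group members inheriting their group's policy. The sample configuration is constructed; apart from `bgp`, `ipv6-family` and `peer ... ipsec-policy`, the line formats (`ipsec policy <name> <seq> <mode>`, `peer ... as-number`, `peer ... group`) and all names and addresses are assumptions.

```python
import re

# Constructed sample of a saved configuration. Only "bgp", "ipv6-family" and
# "peer ... ipsec-policy" come from the page; the other line formats are assumed.
SAMPLE_CONFIG = """\
ipsec policy bgp6-manual 10 manual
ipsec policy bgp6-ike 10 isakmp
#
bgp 65001
 ipv6-family
  peer 2001:DB8::2 ipsec-policy bgp6-manual
  peer 2001:DB8::3 as-number 65003
  peer edge ipsec-policy bgp6-ike
  peer 2001:DB8::4 group edge
"""

POLICY_RE = re.compile(r"^ipsec policy (\S+) \d+ (\S+)$")
PEER_RE = re.compile(r"^peer (\S+) (\S+)(?: (\S+))?")

def audit_ipv6_bgp_ipsec(config):
    """Map each IPv6 BGP peer or group without a usable IPsec policy to a finding."""
    modes, peers, member_of = {}, {}, {}  # policy->modes, peer->policy, peer->group
    in_v6 = False
    for raw in config.splitlines():
        line = raw.strip()
        top_level = not raw.startswith(" ")
        m = POLICY_RE.match(line)
        if m and top_level:
            modes.setdefault(m.group(1), set()).add(m.group(2))
        if top_level or line.endswith("-family"):
            in_v6 = line == "ipv6-family"  # only track peers in the IPv6 family
        m = PEER_RE.match(line) if in_v6 else None
        if m:
            name, keyword, arg = m.groups()
            peers.setdefault(name, None)
            if keyword == "ipsec-policy":
                peers[name] = arg
            elif keyword == "group":
                member_of[name] = arg
    findings = {}
    for name, own in peers.items():
        policy = own or peers.get(member_of.get(name))  # members inherit the group's
        if policy is None:
            findings[name] = "no IPsec policy applied"
        elif policy not in modes:
            findings[name] = f"policy {policy!r} is not defined"
        elif modes[policy] != {"manual"}:
            findings[name] = f"policy {policy!r} is not in manual mode"
    return findings
```

An empty result means every IPv6 BGP peer and peer group in the file resolves to a defined, manual-mode policy.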
