peer ipsec-profile

Use peer ipsec-profile to apply an IPsec profile to an IPv6 BGP peer or peer group.

Use undo peer ipsec-profile to remove the profile from an IPv6 BGP peer or peer group.

Syntax

peer { group-name | ipv6-address [ prefix-length ] } ipsec-profile profile-name

undo peer { group-name | ipv6-address [ prefix-length ] } ipsec-profile

Default

No IPsec profile is configured for any IPv6 BGP peers or peer groups.

Views

BGP instance view

BGP-VPN instance view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.

ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command applies an IPsec profile to all dynamic peers in the subnet.

profile-name: Specifies an IPsec profile by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

IPsec can protect IPv6 BGP packets from data eavesdropping, tampering, and attacks caused by forged IPv6 BGP packets.

When two IPv6 BGP neighbor devices, for example Device A and Device B, are configured with IPsec, Device A encapsulates an IPv6 BGP packet with IPsec before sending it to Device B. If Device B successfully receives and decapsulates the packet, it establishes an IPv6 BGP peer relationship with Device A or learns IPv6 BGP routes to Device A. If Device B receives but fails to decapsulate the packet, or receives a packet not protected by IPsec, it discards the packet.

Configure IPsec to protect IPv6 BGP packets through the following steps:

  1. Configure an IPsec transform set.

  2. Configure a manual IPsec profile.

  3. Execute this command to apply the IPsec profile to an IPv6 BGP peer or peer group.

For more information about IPsec transform sets and IPsec profiles, see Security Configuration Guide.

This command supports only IPsec profiles in manual mode.

If you configure IPsec on a device, you must configure IPsec on its IPv6 BGP peer. Otherwise, IPv6 BGP packets cannot be received.
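The following Python script is an added example, not part of the vendor documentation. It audits a saved BGP configuration for IPv6 peers that have no IPsec profile applied and checks ipsec-profile lines against the parameter limits listed above. The sample configuration is constructed, and the script assumes that a profile applied to a peer group also covers peers added to that group with peer ipv6-address group group-name.

```python
import ipaddress
import re

# peer { group-name | ipv6-address [ prefix-length ] } <keyword> [ <argument> ]
PEER_RE = re.compile(r"^\s*peer\s+(\S+)(?:\s+(\d{1,3}))?\s+(\S+)(?:\s+(\S+))?")

# Constructed sample configuration (addresses from the IPv6 documentation prefix).
SAMPLE_CONFIG = """\
bgp 100
 group test external
 peer test as-number 200
 peer test ipsec-profile profile001
 peer 2001:db8::1 group test
 peer 2001:db8::2 as-number 300
 peer 2001:db8:1:: 64 as-number 400
 peer 2001:db8:1:: 64 ipsec-profile profile001
"""

def is_ipv6(text):
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False

def audit(config):
    """Return (IPv6 peers without an IPsec profile, invalid ipsec-profile lines)."""
    profiled, member_of, ipv6_peers, invalid = set(), {}, set(), []
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        target, plen, keyword, arg = m.groups()
        v6 = is_ipv6(target)
        key = f"{target} {plen}" if plen else target
        if keyword == "ipsec-profile":
            ok = arg is not None and 1 <= len(arg) <= 63        # profile-name: 1 to 63 characters
            if v6:
                ok = ok and (plen is None or int(plen) <= 128)  # prefix-length: 0 to 128
            else:
                ok = ok and plen is None and len(target) <= 47  # group-name: 1 to 47 characters
            if not ok:
                invalid.append(line.strip())
                continue
            profiled.add(key)
        elif keyword == "group" and v6:
            member_of[key] = arg  # assumption: a group's profile covers its members
        if v6:
            ipv6_peers.add(key)
    unprotected = sorted(p for p in ipv6_peers
                         if p not in profiled and member_of.get(p) not in profiled)
    return unprotected, invalid
```

Run audit() against the configuration of both neighbors. A peer reported as unprotected on one device while its neighbor has a profile applied is the mismatch that prevents IPv6 BGP packets from being received.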

Examples

# In BGP instance view, apply IPsec profile profile001 to peer group test.

<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer test ipsec-profile profile001

Related commands

display bgp group

display bgp peer