HP VPN Firewall Appliances Network Management Configuration Guide

Outbound IPv6 BGP packets carry the Security Parameter Index (SPI) defined in the IPsec policy. A device
uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the
device accepts the packet; otherwise, it discards the packet and will not establish a neighbor relationship
with the sending device.
Configuration prerequisites
Before applying an IPsec policy to a peer or peer group, complete the following tasks:
Create an IPsec proposal.
Create an IPsec policy.
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration procedure
An IPsec policy used for IPv6 BGP can only be in manual mode. For more information, see VPN
Configuration Guide.
To apply an IPsec policy to a peer or peer group:

Step                                               Command                                                    Remarks
1. Enter system view.                              system-view                                                N/A
2. Enter BGP view.                                 bgp as-number                                              N/A
3. Enter IPv6 address family view.                 ipv6-family                                                N/A
4. Apply an IPsec policy to a peer or peer group.  peer { group-name | ip-address } ipsec-policy policy-name  Not configured by default.
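
A configuration check for the procedure above, as an added example that is not from the HP guide: it lists the IPv6 BGP peers that have no IPsec policy, either applied directly or through their peer group. The indented configuration layout, the `peer ... as-number` and `peer ... group` lines, and every name, address and AS number in the sample are assumptions made for illustration.

```python
import re

# Constructed sample in the style of a saved device configuration.
# AS numbers, addresses, the group name and policy names are made up.
SAMPLE_CONFIG = """\
bgp 65001
 ipv6-family
  peer 2001:db8::1 as-number 65002
  peer 2001:db8::1 ipsec-policy policy001
  peer ibgp-core ipsec-policy policy002
  peer 2001:db8::2 group ibgp-core
  peer 2001:db8::3 as-number 65003
"""

# "peer <group-name | ip-address> <keyword> [value]"
PEER_LINE = re.compile(r"^peer\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def unprotected_ipv6_bgp_peers(config_text):
    """Return IPv6 BGP peers with no ipsec-policy, directly or via their group."""
    in_bgp, family_indent = False, None
    peers, group_of, protected = set(), {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:  # a top-level line opens or closes BGP view
            in_bgp, family_indent = bool(re.fullmatch(r"bgp \d+", line)), None
            continue
        if not in_bgp:
            continue
        if family_indent is None or indent <= family_indent:
            # Only lines nested under "ipv6-family" belong to that view.
            family_indent = indent if line == "ipv6-family" else None
            continue
        match = PEER_LINE.match(line)
        if not match:
            continue
        target, keyword, value = match.groups()
        if ":" in target:  # an IPv6 address, not a group name
            peers.add(target)
        if keyword == "ipsec-policy" and value:
            protected.add(target)
        elif keyword == "group" and value:
            group_of[target] = value
    return sorted(p for p in peers
                  if p not in protected and group_of.get(p) not in protected)


if __name__ == "__main__":
    print(unprotected_ipv6_bgp_peers(SAMPLE_CONFIG))
```
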
Configuring a large-scale IPv6 BGP network
In a large-scale IPv6 BGP network, the large number of peers makes configuration and maintenance
inconvenient. Configuring peer groups makes management easier and improves route distribution
efficiency. Peer groups include IBGP peer groups, where peers belong to the same AS, and EBGP peer
groups, where peers belong to different ASs. If peers in an EBGP group belong to the same external AS,
the EBGP peer group is a pure EBGP peer group, and if not, a mixed EBGP peer group.
In a peer group, all members have a common policy. Using the COMMUNITY attribute can give a set
of IPv6 BGP routers in multiple ASs the same policy, because community sending between IPv6
BGP peers is not limited by AS.
To ensure connectivity between IBGP peers, make them fully meshed. A full mesh becomes impractical
when too many IBGP peers exist. Using route reflectors or confederation can solve this issue. In a
large-scale AS, both of them can be used.
Confederation configuration of IPv6 BGP is identical to that of BGP4, so it is not described here.
Configuration prerequisites
Before you configure a large-scale IPv6 BGP network, complete the following tasks:
Make peer nodes accessible to each other at the network layer.
Enable BGP and configure a router ID.