HP MSR2000/3000/4000 Router Series Layer 3 - IP Routing Command Reference
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer
group must have been created.
ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.
profile-name: Specifies an IPsec profile by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
IPsec can protect IPv6 BGP packets from data eavesdropping, tampering, and attacks caused by forged
IPv6 BGP packets.
When two IPv6 BGP neighbor devices, for example Device A and Device B, are configured with IPsec,
Device A encapsulates an IPv6 BGP packet with IPsec before sending it to Device B. If Device B
successfully receives and decapsulates the packet, it establishes an IPv6 BGP peer relationship with
Device A or learns IPv6 BGP routes to Device A. If Device B receives but fails to decapsulate the packet,
or receives a packet not protected by IPsec, it discards the packet.
Configure IPsec to protect IPv6 BGP packets through the following steps:
1. Configure an IPsec transform set.
2. Configure a manual IPsec profile.
3. Execute this command to apply the IPsec profile to an IPv6 BGP peer or peer group.
For more information about IPsec transform sets and IPsec profiles, see Security Configuration Guide.
This command supports only IPsec profiles in manual mode.
If you configure IPsec on a device, you must configure IPsec on its IPv6 BGP peer. Otherwise, IPv6 BGP
packets cannot be received.
Examples
# In BGP view, apply IPsec profile profile001 to peer group test.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] peer test ipsec-profile profile001
# In BGP-VPN instance view, apply IPsec profile profile001 to peer group test.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] ip vpn-instance vpn1
[Sysname-bgp-vpn1] peer test ipsec-profile profile001
Related commands
• display bgp group ipv6 unicast
• display bgp peer ipv6 unicast
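An added example, not part of the HP reference: an offline audit of saved configuration text for two conditions the usage guidelines imply, an IPv6 BGP peer left without an IPsec profile and an applied profile name that matches no manual-mode profile (names are case-sensitive). The sample configurations are constructed, and the `ipsec profile <name> manual`, `group`, `as-number` and `peer <address> group` line formats are assumed Comware-style syntax rather than taken from this page.

```python
import re

# Line formats are assumed Comware-style; only "peer ... ipsec-profile" is from the page.
PROFILE_RE = re.compile(r"^ipsec profile (\S+) manual[ \t]*$", re.M)
APPLY_RE = re.compile(r"^[ \t]*peer (\S+) ipsec-profile (\S+)[ \t]*$", re.M)
MEMBER_RE = re.compile(r"^[ \t]*peer (\S*:\S*) group (\S+)[ \t]*$", re.M)
PEER_RE = re.compile(r"^[ \t]*peer (\S*:\S*) ", re.M)  # a ':' marks an IPv6 peer

# Constructed sample configurations (hypothetical devices and addresses).
DEVICE_A = """\
ipsec profile profile001 manual
bgp 100
 group test external
 peer test as-number 200
 peer 2001:db8::2 group test
 peer test ipsec-profile profile001
"""
DEVICE_B = """\
ipsec profile profile001 manual
bgp 200
 peer 2001:db8::1 as-number 100
 peer 2001:db8::3 as-number 300
 peer 2001:db8::1 ipsec-profile Profile001
"""


def audit(config):
    """Return findings for IPv6 BGP peers that IPsec does not actually protect."""
    manual = set(PROFILE_RE.findall(config))     # manual-mode profile names
    applied = dict(APPLY_RE.findall(config))     # peer or group -> profile name
    group_of = dict(MEMBER_RE.findall(config))   # IPv6 peer -> peer group
    findings = []
    # Profile names are case-sensitive and must be manual-mode profiles.
    for target, profile in sorted(applied.items()):
        if profile not in manual:
            findings.append(f"{target}: profile {profile!r} is not a manual IPsec profile on this device")
    # A peer is covered directly or through the peer group it belongs to.
    for peer in sorted(set(PEER_RE.findall(config))):
        if peer not in applied and group_of.get(peer) not in applied:
            findings.append(f"{peer}: IPv6 BGP peer has no ipsec-profile applied")
    return findings


if __name__ == "__main__":
    for name, cfg in (("Device A", DEVICE_A), ("Device B", DEVICE_B)):
        print(name, audit(cfg) or "OK")
```

Run it against the configuration of both ends of a session: a peer flagged on only one device is the case where IPv6 BGP packets cannot be received.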
peer keep-all-routes
Use peer keep-all-routes to save all route updates from a peer or peer group, regardless of whether the
routes have passed the configured routing policy.