Enabling md5 authentication for tcp connections, Configuring a large-scale ipv6 bgp network, Configuration prerequisites – H3C Technologies H3C S10500 Series Switches User Manual


To do…                             Use the command…    Remarks
Configure the maximum number of    balance number      Required
load balanced routes                                   By default, no load balancing is enabled.

Enabling MD5 authentication for TCP connections

IPv6 BGP employs TCP as the transport protocol. To enhance security, configure IPv6 BGP to perform MD5 authentication when establishing a TCP connection. If the authentication fails, no TCP connection can be established.

Follow these steps to enable MD5 authentication for TCP connections:

To do…                              Use the command…                                                               Remarks
Enter system view                   system-view
Enter BGP view                      bgp as-number
Enter IPv6 address family view      ipv6-family
Enable MD5 authentication when      peer { ipv6-group-name | ipv6-address } password { cipher | simple } password   Required
establishing a TCP connection to                                                                                   Not enabled by default
the peer or peer group

NOTE:

The MD5 authentication for establishing TCP connections does not apply to BGP packets.

The MD5 authentication requires that the two parties have the same authentication mode and password to establish a TCP connection; otherwise, no TCP connection can be established due to authentication failure.
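
The digest check behind this requirement, as an added example that is not taken from the H3C manual: it assumes the feature follows the TCP MD5 signature option of RFC 2385 with the IPv6 pseudo-header layout of RFC 2460. The addresses, ports, sequence number, options size and passwords are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6  # IPv6 next-header value for TCP


def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window,
                   password, payload=b"", options_len=20):
    """RFC 2385 digest for one TCP segment between two IPv6 peers.

    options_len is the size of the TCP options area (assumed here: the
    18-byte MD5 option plus 2 bytes of padding). Option bytes are not
    hashed, but they count towards the data offset and segment length.
    """
    header_len = 20 + options_len
    # IPv6 pseudo-header: source, destination, 32-bit segment length,
    # three zero bytes and the next-header value.
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", header_len + len(payload), TCP_PROTO))
    # Fixed 20-byte TCP header with the checksum field taken as zero.
    offset_flags = ((header_len // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, window, 0, 0)
    # The shared password is hashed last and never sent on the wire.
    return hashlib.md5(pseudo + header + payload + password).digest()


def receiver_accepts(received_digest, local_password, **segment):
    """Recompute the digest with the local password and compare.

    On a mismatch the receiver discards the segment, so the TCP
    connection to the peer is never established.
    """
    expected = tcp_md5_digest(password=local_password, **segment)
    return hmac.compare_digest(received_digest, expected)


# Constructed SYN from a hypothetical peer 2001:db8::1 to 2001:db8::2.
SYN = dict(src="2001:db8::1", dst="2001:db8::2", sport=49152, dport=179,
           seq=1000, ack=0, flags=0x002, window=65535)

if __name__ == "__main__":
    digest = tcp_md5_digest(password=b"Example-Key-1", **SYN)
    print("same password:     ", receiver_accepts(digest, b"Example-Key-1", **SYN))
    print("different password:", receiver_accepts(digest, b"Example-Key-2", **SYN))
```
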

Configuring a large-scale IPv6 BGP network

In a large-scale IPv6 BGP network, configuration and maintenance become inconvenient because of too many peers. Configuring peer groups makes management easier and improves route distribution efficiency. Peer groups include iBGP peer groups, where peers belong to the same AS, and eBGP peer groups, where peers belong to different ASs. If the peers in an eBGP peer group belong to the same external AS, the group is a pure eBGP peer group; if not, it is a mixed eBGP peer group.

In a peer group, all members have a common policy. Using the community attribute can make a set of IPv6 BGP routers in multiple ASs have the same policy, because community sending between IPv6 BGP peers is not limited by AS.

To assure connectivity between iBGP peers, make them fully meshed. This becomes impractical when too many iBGP peers exist; using route reflectors or confederation can solve this issue. In a large-scale AS, both of them can be used.

Confederation configuration of IPv6 BGP is identical to that of BGP4, so it is not mentioned here.

Configuration prerequisites

Make peer nodes accessible to each other at the network layer.

Enable BGP and configure a router ID.
