Westermo MR Series User Manual

Page 53


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

enforce neighbor-as (yes|no)

If set to yes, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are
rejected and a NOTIFICATION is sent back. The default value for IBGP peers is no; otherwise
the default is yes.

holdtime seconds

Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtime min seconds

Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]

Enable IPsec with static keying. There must be at least two ipsec statements per peer with
manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be

sha1 <key>

md5 <key>

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp,
encryption is optional. encspec can be

3des <key>

3des-cbc <key>

aes <key>

aes-128-cbc <key>

Keys must be given in hexadecimal format.

ipsec (ah|esp) ike

Enable IPsec with dynamic keying. In this mode, bgp sets up the flows, and a key management
daemon such as isakmpd is responsible for managing the session keys. With isakmpd, it is
sufficient to copy the peer’s public key, found in /etc/isakmpd/private/local.pub, to the local
machine. It must be stored in a file named after the peer’s IP address and must be stored in
/etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As
bgp manages the flows on its own, it is sufficient to restrict isakmpd to only take care of keying
by specifying the flags -Ka. This can be done in rc.conf.local. After starting the isakmpd and bgp
daemons on both sides, the session should be established.

local-address address

When bgp initiates the TCP connection to the neighbor system, it normally does not bind to a
specific IP address. If a local address is given, bgp binds to this address first.

max-prefix number [restart number]

Terminate the session after number prefixes have been received (no such limit is imposed by
default). If restart is specified, the session will be restarted after number minutes.

multihop hops

Neighbors not in the same AS as the local bgp normally have to be directly connected to the
local machine. If this is not the case, the multihop statement defines the maximum hops the
neighbor may be away.

passive

Do not attempt to actively open a TCP connection to the neighbor system.

remote-as as-number

Set the AS number of the remote system.

route-reflector [address]

Act as an RFC 2796 route-reflector for this neighbor. An optional cluster ID can be specified;
otherwise the BGP ID will be used.
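As an added illustration that is not part of the Westermo manual or of bgpd itself, the following Python checker applies the rules stated in this section (the enforce neighbor-as default, the one-statement-per-direction and hexadecimal-key requirements for static IPsec keying, no encryption with ah, and the absence of a max-prefix limit) to a constructed neighbor block; the addresses, AS numbers and keys are made-up test values.

```python
import re

# Constructed sample neighbor block in the bgpd.conf style this page documents;
# the address, AS numbers and keys are made-up test values, not from the manual.
SAMPLE = """
neighbor 192.0.2.2 {
    remote-as 64500
    enforce neighbor-as no
    ipsec ah in spi 1000 sha1 0a1b2c3d
    ipsec ah out spi 1001 sha1 0a1b2c3d
    max-prefix 5000 restart 30
}
"""

HEX_KEY = re.compile(r"^[0-9a-fA-F]+$")

def parse_neighbor(text):
    """Return the statements of the first neighbor block as lists of tokens."""
    body = text.split("{", 1)[1].split("}", 1)[0]
    return [line.split() for line in body.splitlines() if line.strip()]

def check_neighbor(text, local_as):
    """Apply the rules from this section and return (severity, message) findings."""
    stmts = parse_neighbor(text)
    findings = []
    remote_as = next((int(s[1]) for s in stmts if s[0] == "remote-as"), None)
    ibgp = remote_as == local_as
    # enforce neighbor-as defaults to no for IBGP peers and yes otherwise
    enforce = next((s[2] for s in stmts if s[:2] == ["enforce", "neighbor-as"]),
                   "no" if ibgp else "yes")
    if not ibgp and enforce == "no":
        findings.append(("warn", "EBGP peer accepts AS paths whose leftmost AS "
                                 "differs from the remote AS"))
    # static keying: one ipsec statement per direction, hex keys, no encspec with ah
    manual = [s for s in stmts if s[0] == "ipsec" and s[2] != "ike"]
    if manual and {s[2] for s in manual} != {"in", "out"}:
        findings.append(("error", "manual keying needs both an in and an out ipsec statement"))
    for s in manual:
        keys = s[6::2]  # each key follows its algorithm name: authspec at 5, encspec at 7
        if s[1] == "ah" and len(s) > 7:
            findings.append(("error", "ah does not support encryption; remove the encspec"))
        if any(not HEX_KEY.match(k) for k in keys):
            findings.append(("error", "keys must be given in hexadecimal format"))
    if not any(s[0] == "max-prefix" for s in stmts):
        findings.append(("warn", "no max-prefix: no limit on received prefixes"))
    return findings

if __name__ == "__main__":
    for severity, msg in check_neighbor(SAMPLE, local_as=64496):
        print(f"{severity}: {msg}")
```

Run against the sample with a local AS of 64496 it reports only that the EBGP peer has enforce neighbor-as switched off; a block lacking the out direction, using a non-hex key, or omitting max-prefix is flagged accordingly.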
