
pim ipsec sa

Function

The pim ipsec sa command specifies an IPSec SA used for encrypting and authenticating PIM messages sent and received on an interface.

The undo pim ipsec sa command deletes the IPSec SA used for encrypting and authenticating PIM messages sent and received on an interface.

By default, no IPSec SA is specified for encrypting and authenticating PIM messages on an interface.

Format

pim ipsec sa sa-name

undo pim ipsec sa

Parameters

Parameter | Description | Value
sa-name | Specifies the name of the SA used on an interface. | The value is an existing SA name.

Views

GE interface view, XGE interface view, MultiGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, GE sub-interface view, XGE sub-interface view, MultiGE sub-interface view, 25GE sub-interface view, 40GE sub-interface view, 100GE sub-interface view, Eth-Trunk sub-interface view, VLANIF interface view, loopback interface view, tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On an IPv4 multicast network, if multicast devices are attacked by forged PIM messages, multicast data forwarding between multicast devices will be interrupted. To protect multicast devices against such attacks, configure PIM IPSec on some interfaces to authenticate PIM messages sent and received on these interfaces.

Prerequisites

  • IP multicast routing has been enabled using the multicast routing-enable command.

  • Basic IPSec functions have been configured.

Precautions

If you run both this command and the pim hello ipsec sa command on an interface, whichever of the two was configured last takes effect.

This command has the same function as the ipsec sa (IPv4) command used in the PIM view, except for the effective scope. The configuration in the interface view takes precedence over the configuration in the PIM view. If SAs are specified in both the interface view and PIM view, the specified interface uses the SA configured in the interface view. If no SA is specified on an interface, the interface uses the SA specified in the PIM view.
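The precedence rules above can be checked offline before a change is pushed. The following Python audit helper is an added example, not vendor code: it replays a typed command list and reports which SA each interface ends up using. It assumes the PIM view is entered with pim and left with quit, that the PIM-view command has the form ipsec sa sa-name, and that undo pim ipsec sa clears only an SA set by pim ipsec sa; the names sa2, sa-global and vlanif 200 are constructed.

```python
# Added example, not vendor code. Replays a typed command list and resolves the
# SA each interface ends up with under the precedence rules described above.
# Assumptions: views are tracked from "interface", "pim" and "quit" lines, and
# "undo pim ipsec sa" clears only an SA that "pim ipsec sa" set. Whether PIM is
# actually enabled on an interface is not checked.

def effective_pim_sa(commands):
    """Return {interface: (sa_name, source)}; sa_name is None if no SA applies."""
    view, pim_view_sa, local = "system", None, {}
    for raw in commands:
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface" and len(w) > 1:
            view = " ".join(w[1:])
            local.setdefault(view, None)
        elif w == ["pim"] and view == "system":
            view = "pim"
        elif w == ["quit"]:
            view = "system"
        elif view == "pim" and len(w) == 3 and w[:2] == ["ipsec", "sa"]:
            pim_view_sa = w[2]
        elif view in local:
            if len(w) == 4 and w[:3] == ["pim", "ipsec", "sa"]:
                local[view] = (w[3], "pim ipsec sa")        # last configured wins
            elif len(w) == 5 and w[:4] == ["pim", "hello", "ipsec", "sa"]:
                local[view] = (w[4], "pim hello ipsec sa")  # last configured wins
            elif w == ["undo", "pim", "ipsec", "sa"]:
                if local[view] and local[view][1] == "pim ipsec sa":
                    local[view] = None
    fallback = (pim_view_sa, "PIM view") if pim_view_sa else (None, "none")
    # Interface-view SA takes precedence; otherwise fall back to the PIM view SA.
    return {name: sa or fallback for name, sa in local.items()}

# Constructed command list; sa2, sa-global and vlanif 200 are made-up names.
SAMPLE = ("system-view; multicast routing-enable; pim; ipsec sa sa-global; quit; "
          "interface vlanif 100; pim hello ipsec sa sa2; pim ipsec sa sa1; quit; "
          "interface gigabitethernet 0/0/1; undo portswitch; quit; "
          "interface vlanif 200; pim ipsec sa sa1; undo pim ipsec sa; quit").split("; ")

if __name__ == "__main__":
    for name, (sa, source) in effective_pim_sa(SAMPLE).items():
        print(f"{name}: {sa or 'NO PIM IPSEC SA'} (from {source})")
```

An interface reported with no SA and source "none" has neither an interface-view nor a PIM-view SA, so PIM messages on it are not authenticated.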

Example

# Configure the device to encrypt and authenticate PIM messages sent and received on VLANIF100 using the PIM IPSec SA named sa1. (This SA has been created.)

<HUAWEI> system-view
[HUAWEI] multicast routing-enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] pim ipsec sa sa1

# Configure the device to encrypt and authenticate PIM messages sent and received on GE0/0/1 using the PIM IPSec SA named sa1. (This SA has been created.)

<HUAWEI> system-view
[HUAWEI] multicast routing-enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] pim ipsec sa sa1
Copyright © Huawei Technologies Co., Ltd.