The peer tcp-ao policy command configures the TCP-AO authentication for establishing the TCP connection between BGP peers.
The undo peer tcp-ao policy command deletes the TCP-AO authentication.
The peer tcp-ao disable command disables the TCP-AO authentication for establishing the TCP connection between BGP peers.
The undo peer tcp-ao disable command removes the configuration of disabling the TCP-AO authentication.
By default, the TCP-AO authentication is not configured for BGP peers.
Parameter | Description | Value |
---|---|---|
peerGroupName | Specifies the name of a peer group. | The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
tcp-ao-name | Specifies the name of a TCP AO instance. | The value is a string of 1 to 47 case-sensitive characters without any space. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
The TCP-AO authentication option is used to authenticate packets sent and received during TCP session establishment and data exchange. It supports packet integrity check to prevent TCP packet replay.
After TCP-AO is created, you can run the peer tcp-ao policy command in the BGP view and specify the peer that references the TCP-AO and the name of the TCP-AO to encrypt BGP sessions. It applies to networks that require high security. Different peers can reference the same TCP-AO.
Prerequisites
Before configuring BGP TCP-AO authentication, run the tcp ao command to create a TCP-AO.
Precautions
<HUAWEI> system-view
[~HUAWEI] keychain kc1 mode absolute
[*HUAWEI-keychain-kc1] receive-tolerance 600
[*HUAWEI-keychain-kc1] key-id 1
[*HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
[*HUAWEI-keychain-kc1-keyid-1] key-string cipher abc1
[*HUAWEI-keychain-kc1-keyid-1] send-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] receive-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] quit
[*HUAWEI-keychain-kc1] tcp ao ao1
[*HUAWEI-tcp-ao-ao1] binding keychain kc1
[*HUAWEI-tcp-ao-ao1] key-id 1
[*HUAWEI-tcp-ao-ao1-key-1] send-id 1 receive-id 1
[*HUAWEI-tcp-ao-ao1-key-1] quit
[*HUAWEI-tcp-ao-ao1] quit
[~HUAWEI] bgp 100 instance a
[*HUAWEI-bgp-instance-a] group grp
[*HUAWEI-bgp-instance-a] peer grp tcp-ao policy ao1
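The prerequisite above means every peer tcp-ao policy reference depends on a chain: peer, then tcp ao, then keychain, then a key that is inside its send-time window. The following Python check is an added example, not part of the original page or of any Huawei tooling; it walks that chain over a saved configuration. The function name audit is hypothetical, the time format is taken from the session above, and it assumes a key outside its send-time window is not used for sending.

```python
import re
from datetime import datetime

# Constructed input: this page's example commands, prompts stripped, trimmed to lines relevant to the check.
SAMPLE = """\
keychain kc1 mode absolute
 key-id 1
  send-time 00:00 2021-1-1 to 23:59 2022-2-1
tcp ao ao1
 binding keychain kc1
 key-id 1
bgp 100 instance a
 group grp
 peer grp tcp-ao policy ao1
"""

def audit(config, now):
    """Follow each peer -> tcp ao -> keychain -> key reference; return a list of findings."""
    def stamp(clock, date):
        return datetime.strptime(f"{clock} {date}", "%H:%M %Y-%m-%d")
    keychains, aos, peers, findings, kid = {}, {}, [], [], None
    # Each match is one top-level command plus the indented lines of its view.
    for view in re.findall(r"^\S.*(?:\n[ \t]+\S.*)*", config, re.M):
        head, *body = [line.split() for line in view.splitlines()]
        if head[0] == "keychain":
            keychains[head[1]] = {}
        elif head[:2] == ["tcp", "ao"]:
            aos[head[2]] = {"keychain": None, "key_ids": []}
        for w in body:
            if head[0] == "keychain" and w[0] == "key-id":
                kid = w[1]
            elif head[0] == "keychain" and w[0] == "send-time":
                keychains[head[1]][kid] = (stamp(w[1], w[2]), stamp(w[4], w[5]))
            elif head[:2] == ["tcp", "ao"] and w[:2] == ["binding", "keychain"]:
                aos[head[2]]["keychain"] = w[2]
            elif head[:2] == ["tcp", "ao"] and w[0] == "key-id":
                aos[head[2]]["key_ids"].append(w[1])
            elif head[0] == "bgp" and w[0] == "peer" and w[2:4] == ["tcp-ao", "policy"]:
                peers.append((w[1], w[4]))
    for peer, name in peers:
        ao = aos.get(name, {})
        windows = keychains.get(ao.get("keychain"))
        if windows is None:
            findings.append(f"peer {peer}: tcp-ao {name} or its keychain is not defined")
            continue
        for key_id in ao["key_ids"]:
            start, end = windows.get(key_id, (datetime.max, datetime.min))
            if not start <= now <= end:
                findings.append(f"peer {peer}: key-id {key_id} of {ao['keychain']} is not active for sending")
    return findings
```

Run against the sample with a date after 2022-2-1, it reports that key-id 1 of kc1 is no longer active for sending, which is the state the example configuration reaches once its send-time window ends.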