The igmp ipsec sa command specifies a security association (SA) using which an interface authenticates sent and received IGMP messages, including IGMP Report, Leave, and Query messages, to implement IP Security (IPsec) authentication.
The undo igmp ipsec sa command restores the default configuration.
By default, no SA is specified on an interface, so that the interface does not authenticate sent or received IGMP messages.
| Parameter | Description | Value |
|---|---|---|
| sa-name | Specifies the name of an SA. |
It is a string of 1 to 15 case-sensitive characters, spaces not supported. The characters can be letters or numbers, hyphens (-) not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
100ge sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, Loopback interface view, PW-VE sub-interface view, VE sub-interface view, VLANIF interface view
Usage Scenario
On a multicast network, forged IGMP messages may be used to attack devices, causing devices unable to forward multicast traffic. To protect a device against attacks launched using forged IGMP messages, run the igmp ipsec sa command to configure an interface to authenticate sent and received IGMP messages based on a specified SA.
Prerequisites
Precautions
If the igmp ipsec sa command is run more than once, the latest configuration overrides the previous one. If the igmp ipsec sa and igmp query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
The function of this command is the same as the function of the ipsec sa command in the IGMP view. The configuration in the IGMP view is effective for all interfaces, whereas the configuration in the interface view is effective only for the specified interface. The configuration in the interface view takes precedence over the configuration in the IGMP view. The configuration in the IGMP view is used only when the configuration in the interface view is not available.<HUAWEI> system-view [~HUAWEI] ipsec sa sa1 [*HUAWEI-ipsec-sa-sa1] quit [*HUAWEI] multicast routing-enable [*HUAWEI] interface GigabitEthernet 0/1/0 [*HUAWEI-GigabitEthernet0/1/0] igmp ipsec sa sa1