The query ipsec sa command globally specifies a security association (SA) using which interfaces authenticate sent and received IGMP Query messages to implement IP Security (IPsec) authentication.
The undo query ipsec sa command restores the default configuration.
By default, no SA is specified globally, so that interfaces do not authenticate sent or received IGMP Query messages.
| Parameter | Description | Value |
|---|---|---|
| sa-name |
Specifies the name of an SA. |
It is a string of 1 to 15 case-sensitive characters, spaces not supported. The characters can be letters or numbers, hyphens (-) not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
On a multicast network, forged IGMP Query messages may be used to attack devices, causing devices unable to forward multicast traffic. To protect a device against attacks launched using forged IGMP Query messages, run the query ipsec sa command to configure the device to authenticate sent and received IGMP Query messages based on a specified SA.
The query ipsec sa command configuration enables interfaces to authenticate only IGMP Query messages.Prerequisites
Precautions
If the query ipsec sa command is run more than once, the latest configuration overrides the previous one. If the query ipsec sa and ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
The function of this command is the same as the function of the igmp query ipsec sa command in the interface view. The configuration in the IGMP view is effective for all interfaces, whereas the configuration in the interface view is effective only for the specified interface. The configuration in the interface view takes precedence over the configuration in the IGMP view. The configuration in the IGMP view is used only when the configuration in the interface view is not available.