The query ipsec sa command globally specifies the security association (SA) that interfaces use to authenticate sent and received MLD Query messages, implementing IP Security (IPsec) authentication.
The undo query ipsec sa command restores the default configuration.
By default, no SA is specified globally, so interfaces do not authenticate sent or received MLD Query messages.
Parameter | Description | Value |
---|---|---|
sa-name | Specifies the name of an SA. | The value is a string of 1 to 15 case-sensitive characters without spaces. The characters can be letters or numbers; hyphens (-) are not supported. If the string is enclosed in double quotation marks, it can contain spaces. |
Usage Scenario
On a multicast network, forged MLD Query messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged MLD Query messages, run the query ipsec sa command to configure the device to authenticate sent and received MLD Query messages based on a specified SA.
The query ipsec sa command configuration enables interfaces to authenticate MLD Query messages only.
Prerequisites
Precautions
If the query ipsec sa command is run more than once, the latest configuration overrides the previous one. If the query ipsec sa and ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
The function of this command is the same as that of the mld query ipsec sa command used in the interface view. The configuration in the MLD view is used only when the configuration in the interface view is not available.