peer tcp-ao (BGP view)

Function

The peer tcp-ao policy command configures the TCP-AO authentication for establishing the TCP connection between BGP peers.

The undo peer tcp-ao policy command deletes the TCP-AO authentication.

The peer tcp-ao disable command disables the TCP-AO authentication for establishing the TCP connection between BGP peers.

The undo peer tcp-ao disable command removes the configuration of disabling the TCP-AO authentication.

By default, the TCP-AO authentication is not configured for BGP peers.

Format

peer peerIpv4Addr tcp-ao policy tcp-ao-name

peer peerIpv4Addr tcp-ao disable

undo peer peerIpv4Addr tcp-ao policy tcp-ao-name

undo peer peerIpv4Addr tcp-ao disable

Parameters

Parameter: peerIpv4Addr
Description: Specifies the IPv4 address of a peer.
Value: The value is in dotted decimal notation.

Parameter: tcp-ao-name
Description: Specifies the name of a TCP-AO instance.
Value: The value is a string of 1 to 47 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

Views

BGP view

Default Level

2: Configuration level

Task Name and Operations

Task Name: bgp
Operations: write

Usage Guidelines

Usage Scenario

The TCP-AO authentication option authenticates packets sent and received during TCP session establishment and data exchange. It provides packet integrity checking and protects against TCP packet replay.

After a TCP-AO is created, you can run the peer tcp-ao policy command in the BGP view, specifying the peer that references the TCP-AO and the name of the TCP-AO, to authenticate the BGP session with that peer. It applies to networks that require high security. Different peers can reference the same TCP-AO.

Prerequisites

Before configuring BGP TCP-AO authentication, run the tcp ao command to create a TCP-AO.

Precautions

  • For the same peer, the configured TCP-AO, MD5, and keychain security mechanisms are mutually exclusive with each other.
  • When you run the peer tcp-ao policy command, ensure that the specified TCP-AO exists.
  • A BGP peer cannot reference a TCP-AO policy on which accept-mismatch is enabled, and accept-mismatch cannot be enabled on a TCP-AO policy that is already referenced by a BGP peer.
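As an added example (not Huawei's code or part of this page), the following Python audit checks a saved running configuration against the three precautions above. The sample configuration is constructed; it assumes that MD5 and keychain authentication appear as "peer X password ..." and "peer X keychain ..." lines in the BGP view, and that accept-mismatch appears as an "accept-mismatch" sub-command in the TCP-AO view, all of which are assumptions.

```python
import re
# Constructed sample (not from the page): the page's example as running config,
# plus two more peers that deliberately break the precautions.
SAMPLE_CONFIG = """\
keychain kc1 mode absolute
tcp ao ao1
 binding keychain kc1
tcp ao ao2
 binding keychain kc1
 accept-mismatch enable
bgp 100
 peer 10.1.1.1 as-number 200
 peer 10.1.1.1 tcp-ao policy ao1
 peer 10.1.1.2 tcp-ao policy ao2
 peer 10.1.1.2 password cipher PLACEHOLDER
 peer 10.1.1.3 tcp-ao policy ao9
"""

def audit_bgp_tcp_ao(config):
    """Return findings that violate the three precautions on this page."""
    ao_policies = {}        # TCP-AO name -> set of sub-command keywords in its view
    peer_auth = {}          # peer address -> {mechanism keyword: argument}
    view = ("other", "")    # ("ao", name) or ("other", top-level line)
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):           # a new top-level view starts here
            m = re.match(r"tcp ao (\S+)", line)
            view = ("ao", m.group(1)) if m else ("other", line)
            if m:
                ao_policies.setdefault(m.group(1), set())
            continue
        cmd = line.strip()
        if view[0] == "ao":
            ao_policies[view[1]].add(cmd.split()[0])
        elif view[1].startswith("bgp "):       # assumed MD5/keychain syntax
            m = re.match(r"peer (\S+) (tcp-ao policy|password|keychain) (.+)", cmd)
            if m:
                peer_auth.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    findings = []
    for peer, mechs in sorted(peer_auth.items()):
        if len(mechs) > 1:   # TCP-AO, MD5 and keychain are mutually exclusive
            findings.append(f"{peer}: mutually exclusive mechanisms {sorted(mechs)}")
        ao = mechs.get("tcp-ao policy")
        if ao is not None and ao not in ao_policies:
            findings.append(f"{peer}: referenced TCP-AO {ao} does not exist")
        elif ao is not None and "accept-mismatch" in ao_policies[ao]:
            findings.append(f"{peer}: TCP-AO {ao} has accept-mismatch enabled")
    return findings
```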

Example

# Configure the TCP-AO authentication named ao1 for BGP peers.
<HUAWEI> system-view
[~HUAWEI] keychain kc1 mode absolute
[*HUAWEI-keychain-kc1] receive-tolerance 600
[*HUAWEI-keychain-kc1] key-id 1
[*HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
[*HUAWEI-keychain-kc1-keyid-1] key-string cipher abc1
[*HUAWEI-keychain-kc1-keyid-1] send-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] receive-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] quit
[*HUAWEI-keychain-kc1] tcp ao ao1
[*HUAWEI-tcp-ao-ao1] binding keychain kc1
[*HUAWEI-tcp-ao-ao1] key-id 1
[*HUAWEI-tcp-ao-ao1-key-1] send-id 1 receive-id 1
[*HUAWEI-tcp-ao-ao1-key-1] quit
[*HUAWEI-tcp-ao-ao1] quit
[*HUAWEI] bgp 100
[*HUAWEI-bgp] peer 10.1.1.1 as-number 200
[*HUAWEI-bgp] peer 10.1.1.1 tcp-ao policy ao1
Copyright © Huawei Technologies Co., Ltd.