Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User's Manual
Chapter 29. MSDP
NETGEAR 8800 User Manual
Peer Authentication
MSDP supports TCP MD5 authentication (RFC 2385) to secure control messages between
MSDP peers. You must configure a secret password for an MSDP peer session to enable
TCP MD5 authentication. When a password is configured, MSDP receives only
authenticated MSDP messages from its peers. All MSDP messages that fail TCP MD5
authentication are dropped.
To configure TCP MD5 authentication on an MSDP peer, use the following command:
configure msdp peer [<remoteaddr> | all] password [none | {encrypted}
<tcpPassword>] {vr <vrname>}
To remove the password, use the following command:
configure msdp peer {all | <remoteaddr>} password none
The password is displayed in encrypted format and cannot be viewed as plain text. Additionally,
the password is saved in encrypted format.
To display the password in encrypted format, use the following command:
show msdp [peer {detail} | {peer} <remoteaddr>] {vr <vrname>}
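The following Python sketch is an added example, not code from the NETGEAR manual or the switch software. It shows how the RFC 2385 digest that the configured password feeds into is computed by the sender and checked by the receiver, and why a segment that fails the check is dropped. The addresses, password, and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values: documentation addresses, made-up password.
PEER_A, PEER_B, PASSWORD = "192.0.2.1", "192.0.2.2", b"constructed-secret"


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header, data, then key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(header) + len(payload)))
    fixed = header[:16] + b"\x00\x00" + header[18:20]  # checksum zeroed, no options
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender: 20-byte header, NOP NOP, then option kind 19 / length 18."""
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (10 << 12) | flags, 65535, 0, 0)
    header = fixed + b"\x01\x01\x13\x12" + bytes(16)  # digest slot zero-filled
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return header[:24] + digest + payload


def find_md5_option(options):
    """Walk the TCP options; return the 16-byte digest or None."""
    i = 0
    while i < len(options) and options[i] != 0:  # kind 0 ends the list
        if options[i] == 1:  # kind 1 (NOP) has no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None  # malformed option
        if options[i] == 19 and options[i + 1] == 18:
            return options[i + 2:i + 18] if i + 18 <= len(options) else None
        i += options[i + 1]
    return None


def accept_segment(src_ip, dst_ip, segment, key):
    """Receiver: True if the digest verifies; False means drop the segment."""
    hdr_len = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if hdr_len < 20 or len(segment) < hdr_len:
        return False
    received = find_md5_option(segment[20:hdr_len])
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:hdr_len], segment[hdr_len:], key)
    return received is not None and hmac.compare_digest(received, expected)
```

Because the digest covers the pseudo-header as well as the password, a segment signed by `PEER_A` fails verification if it arrives with a different source address, a modified payload, a different password, or no MD5 option at all.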
Policy Filters
You can configure a policy filter to control the flow of SA messages going to or coming from
an MSDP peer. For example, policy filters can help mitigate state explosion during denial of
service (DoS) or other attacks by limiting what is propagated to other domains using MSDP.
To configure an incoming or outgoing policy filter for SA messages, use the following
command:
configure msdp peer [<remoteaddr> | all] sa-filter [in | out] [<filter-name> |
none] {vr <vrname>}
To remove a policy filter for SA messages, use the none keyword:
configure msdp [{peer} <remoteaddr> | peer all] sa-filter [in | out] none
To verify that a policy filter is configured on an MSDP peer, use the following command:
show msdp [peer {detail} | {peer} <remoteaddr>] {vr <vrname>}
SA Request Processing
You can configure the router to accept or reject SA request messages from a specified MSDP
peer or all peers. If an SA request filter is specified, only SA request messages from those
groups permitted are accepted. All others are ignored.
To configure the router to accept SA request messages from a specified MSDP peer or all
peers, use the following command:
enable msdp [{peer} <remoteaddr> | peer all] process-sa-request
{sa-request-filter <filter-name> } {vr <vrname>}