Interface and area IPsec considerations
This section describes the precedence of interface and area IPsec configurations.
If you configure interface IPsec by using the ipv6 ospf authentication command in the context of a specific interface, that interface's IPsec configuration overrides the area IPsec configuration.
If you configure IPsec for an area, every interface that uses the area-wide IPsec (that is, every interface without an interface-specific IPsec configuration) nevertheless receives an SPD entry (and SPDID number) that is unique to that interface.
The area-wide SPI that you specify is the same for all interfaces in the area that use the area IPsec, but each interface still gets its own SPDID and SA. The security policy database is keyed partly on the source IP address, so each interface ends up with its own SPD entry.
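The precedence and uniqueness rules above can be checked mechanically before a change is pushed. The following Python model is an added example, not code from the FastIron guide or the switch: it resolves which policy (interface or area) is in effect for each interface and derives one SPD entry per interface, keyed on the interface's source address, so that interfaces sharing the area SPI still receive distinct SPDIDs. The SPDID numbering, the dataclass layout and the sample addresses are assumptions made for the example.

```python
"""Effective OSPFv3 IPsec policy resolver (added example, not vendor code).

Rules modelled, as described in the guide:
  * an interface-level 'ipv6 ospf authentication' policy overrides the area policy;
  * every interface that falls back to the area policy shares the area SPI but
    still gets its own SPD entry / SPDID, because the SPD is keyed partly on
    the interface's source address.
SPDID allocation (sequential from 1) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IpsecPolicy:
    spi: int        # security parameter index shared by all users of this policy
    auth: str       # e.g. "sha1"
    key: str        # hex key material (constructed sample values below)


@dataclass(frozen=True)
class SpdEntry:
    spdid: int      # unique per interface
    interface: str
    src_addr: str   # interface source address that keys the SPD lookup
    spi: int
    origin: str     # "interface" or "area": which configuration won


def resolve_effective_policy(
    area_policy: Optional[IpsecPolicy],
    interfaces: Dict[str, str],                     # name -> source address
    interface_policies: Dict[str, IpsecPolicy],     # per-interface overrides
) -> Dict[str, SpdEntry]:
    """Return one SPD entry per interface that ends up with IPsec enabled."""
    entries: Dict[str, SpdEntry] = {}
    next_spdid = 1                                  # assumed allocation scheme
    for name, src in interfaces.items():
        if name in interface_policies:              # interface config wins
            policy, origin = interface_policies[name], "interface"
        elif area_policy is not None:               # otherwise fall back to area
            policy, origin = area_policy, "area"
        else:
            continue                                # no IPsec on this interface
        entries[name] = SpdEntry(next_spdid, name, src, policy.spi, origin)
        next_spdid += 1
    return entries


def spdids_are_unique(entries: Dict[str, SpdEntry]) -> bool:
    """Sanity check: no two interfaces may share an SPDID even if they share an SPI."""
    return len({e.spdid for e in entries.values()}) == len(entries)


# Constructed sample configuration (not from the guide).
AREA = IpsecPolicy(spi=512, auth="sha1", key="0123456789abcdef0123456789abcdef01234567")
IFACES = {
    "e1/1/1": "fe80::1",
    "e1/1/2": "fe80::2",
    "e1/1/10": "fe80::10",
}
OVERRIDES = {"e1/1/10": IpsecPolicy(spi=700, auth="sha1", key="ffeeddccbbaa99887766554433221100ffeeddcc")}

if __name__ == "__main__":
    for e in resolve_effective_policy(AREA, IFACES, OVERRIDES).values():
        print(e)
```

Running the script prints three entries: e1/1/1 and e1/1/2 share SPI 512 from the area but carry different SPDIDs, while e1/1/10 uses its own SPI 700 from the interface configuration.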
Considerations for IPsec on virtual links
The IPsec configuration for a virtual link is global, so only one security association database and one security policy database exist for
virtual links if you choose to configure IPsec for virtual links.
The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the outbound direction. For the inbound direction,
IPsec SAs and policies for virtual links are added to the global database.
NOTE
The security association (SA), security parameter index (SPI), security policy database (SPD), and key have mutual dependencies, as the subsections that follow describe.
Specifying the key rollover timer
Configuration changes for authentication take effect in a controlled manner through the key rollover procedure specified in RFC 4552, Section 10.1. The key rollover timer controls when the existing configuration is changed over. The key rollover timer is configured in the IPv6 router OSPF context, as the following example illustrates.
device(config-ospf6-router)# key-rollover-interval 200
Syntax: key-rollover-interval time
The range for the key-rollover-interval is 0 through 14400 seconds. The default is 300 seconds.
Specifying the key add remove timer
The key-add-remove timer is used in an environment where interoperability with other vendors is required on a specific interface. This parameter determines the interval after which an authentication addition or deletion takes effect.
The key-add-remove-interval timer can be used to set the required value globally, or on a specific interface as needed. Interface configuration takes preference over system-level configuration.
By default, the key-add-remove-interval is set to 300 seconds to smoothly interoperate with Brocade routers.
To set the key-add-remove-interval globally to 100 seconds, enter the following command:
device(config-ospf6-router)# key-add-remove-interval 100
To set the key-add-remove-interval to 100 seconds on a specific interface, enter the following command:
device(config-if-e1000-1/1/10)# ipv6 ospf authentication ipsec key-add-remove-interval 100
Syntax: [no] ipv6 ospf authentication ipsec key-add-remove-interval range
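The reason the rollover timer matters is that the routers on a link never apply a key change at exactly the same moment. The following Python simulation is an added example, not FastIron code: it models the three-step procedure of RFC 4552, Section 10.1 (install the new inbound SA, switch the outbound SA when the timer fires, then retire the old inbound SA) for two routers whose configuration changes are skewed in time, and reports the instants at which one router would reject the other's OSPFv3 packets. The choice to retire the old inbound SA one further interval after the outbound switch, the SPI values and the time skews are assumptions of the example.

```python
"""Simplified RFC 4552 Section 10.1 key rollover simulation (added example).

Each router, from the moment its own configuration change is applied:
  step 1: immediately adds an inbound SA for the new SPI/key (old SA still accepted);
  step 2: after key-rollover-interval seconds, switches its outbound SA to the new SPI;
  step 3: after one further interval (assumed here), removes the old inbound SA.
A packet is accepted when the sender's outbound SPI is in the receiver's inbound set.
"""
from typing import List, Optional, Set, Tuple

OLD_SPI = 256   # constructed sample values, not from the guide
NEW_SPI = 257


def rollover_state(change_time: Optional[int], interval: int, t: int) -> Tuple[Set[int], int]:
    """Inbound SPI set and outbound SPI of one router at time t (seconds)."""
    inbound = {OLD_SPI}
    outbound = OLD_SPI
    if change_time is None or t < change_time:
        return inbound, outbound                      # change not applied yet
    inbound.add(NEW_SPI)                              # step 1: accept both keys
    if t >= change_time + interval:
        outbound = NEW_SPI                            # step 2: timer fired, send with new key
    if t >= change_time + 2 * interval:
        inbound.discard(OLD_SPI)                      # step 3 (assumed timing): retire old key
    return inbound, outbound


def rejected_times(change_a: int, change_b: int, interval: int) -> List[int]:
    """Seconds at which router A would drop B's packets or vice versa."""
    horizon = max(change_a, change_b) + 2 * interval + 1
    rejects = []
    for t in range(horizon):
        in_a, out_a = rollover_state(change_a, interval, t)
        in_b, out_b = rollover_state(change_b, interval, t)
        if out_a not in in_b or out_b not in in_a:
            rejects.append(t)
    return rejects


def max_safe_skew(interval: int) -> int:
    """Largest A/B configuration skew (seconds) that this model tolerates without loss."""
    skew = 0
    while not rejected_times(0, skew + 1, interval):
        skew += 1
    return skew


if __name__ == "__main__":
    # Router B is reconfigured 50 s after A; a 200 s rollover interval covers the skew.
    print("skew 50s, interval 200s, rejected at:", rejected_times(0, 50, 200))
    # A 250 s skew exceeds the interval: A starts sending with the new key before
    # B has installed it, and later A retires the old key before B stops using it.
    drops = rejected_times(0, 250, 200)
    print("skew 250s, interval 200s, first/last rejected:", drops[0], drops[-1])
    print("max tolerated skew at 200s:", max_safe_skew(200))
```

With a 200-second interval the model tolerates a configuration skew of up to 200 seconds between neighbours; beyond that, two loss windows appear (the first when the early router switches outbound, the second when it retires the old inbound SA). The practical reading is that the key-rollover-interval must be longer than the time it takes to roll the new key out to every router on the link.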
Configuring OSPFv3
FastIron Ethernet Switch Layer 3 Routing
314
53-1003627-04