beautypg.com

Considerations for ipsec on virtual links, Specifying the key rollover timer, Specifying the key add remove timer – Brocade FastIron Ethernet Switch Layer 3 Routing Configuration Guide User Manual

Page 342

background image

If you configure IPsec for an area, all interfaces that utilize the area-wide IPsec (where interface-
specific IPsec is not configured) nevertheless receive an SPD entry (and SPDID number) that is
unique for the interface.

The area-wide SPI that you specify is a constant for all interfaces in the area that use the area IPsec,
but the use of different interfaces results in an SPDID and an SA that are unique to each interface.
The security policy database depends partly on the source IP address, so a unique SPD for each
interface results.

Considerations for IPsec on virtual links

The IPsec configuration for a virtual link is global, so only one security association database and one
security policy database exist for virtual links if you choose to configure IPsec for virtual links.

The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the outbound
direction. For the inbound direction, IPsec SAs and policies for virtual links are added to the global
database.

NOTE
The security association (SA), security protocol index (SPI), security protocol database (SPD), and key
have mutual dependencies, as the subsections that follow describe.

Specifying the key rollover timer

Configuration changes for authentication takes effect in a controlled manner through the key rollover
procedure as specified in RFC 4552, Section 10.1. The key rollover timer controls the timing of the
existing configuration changeover. The key rollover timer can be configured in the IPv6 router OSPF
context, as the following example illustrates.

device(config-ospf6-router)#key-rollover-interval 200

Syntax: key-rollover-interval time

The range for the key-rollover-interval is 0 through 14400 seconds. The default is 300 seconds.

Specifying the key add remove timer

The key-add-remove timer is used in an environment where interoperability with other vendors is
required on a specific interface. This parameter is used to determine the interval time when
authentication addition and deletion will take effect.

The key-add-remove-interval timer can be used to set the required value globally, or on a specific
interface as needed. Interface configuration takes preference over system level configuration.

By default, the key-add-remove-interval is set to 300 seconds to smoothly interoperate with Brocade
routers.

To set the key-add-remove-interval globally to 100 seconds, enter the following commands:

device(config-ospf6-router)# key-add-remove-interval 100

To set the key-add-remove-interval to 100 seconds at a specific interface, enter the following
commands:

Brocade (config-if-e1000-1/10)#ipv6 ospf authentication ipsec key-add-remove-

interval 100

Considerations for IPsec on virtual links

342

FastIron Ethernet Switch Layer 3 Routing Configuration Guide

53-1003087-04

See also other documents in the category Brocade Computer Accessories: