Westermo MR Series User Manual
Page 53
6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
enforce neighbor-as (yes|no)
If set to yes, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are
rejected and a NOTIFICATION is sent back. The default value for IBGP peers is no; otherwise
the default is yes.
holdtime seconds
Set the holdtime in seconds. Inherited from the global configuration if not given.
holdtime min seconds
Set the minimal acceptable holdtime. Inherited from the global configuration if not given.
ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
Enable IPsec with static keying. There must be at least two ipsec statements per peer with
manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be
sha1
md5
encspec specifies the encryption algorithm and key. ah does not support encryption. With esp,
encryption is optional. encspec can be
3des
3des-cbc
aes
aes-128-cbc
Keys must be given in hexadecimal format.
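The rules above for static keying can be checked before a neighbor configuration is applied. The following Python sketch is an added example, not code from the manual or from Westermo; it assumes authspec and encspec are each written as an algorithm name followed by its hexadecimal key, and that key lengths follow the algorithms' standard key sizes. The names lint_ipsec and check_key are hypothetical.

```python
import re

# Assumption: key sizes in bytes follow from the algorithms themselves (HMAC-SHA1,
# HMAC-MD5, 3DES, AES-128); the manual does not state them.
AUTH_KEY_BYTES = {"sha1": 20, "md5": 16}
ENC_KEY_BYTES = {"3des": 24, "3des-cbc": 24, "aes": 16, "aes-128-cbc": 16}

def check_key(alg, key, sizes, where):
    """Validate one 'algorithm key' pair and return a list of problems."""
    if alg not in sizes:
        return [f"{where}: unknown algorithm {alg!r}"]
    if not re.fullmatch(r"[0-9a-fA-F]+", key):
        return [f"{where}: {alg} key is not hexadecimal"]
    if len(key) != 2 * sizes[alg]:
        return [f"{where}: {alg} key needs {2 * sizes[alg]} hex digits, got {len(key)}"]
    return []

def lint_ipsec(statements):
    """Check one neighbor's static-keying ipsec statements against the manual's rules."""
    problems, seen = [], []
    for n, line in enumerate(statements, 1):
        tok, where = line.split(), f"statement {n}"
        if (len(tok) not in (7, 9) or tok[0] != "ipsec" or tok[3] != "spi"
                or tok[1] not in ("ah", "esp") or tok[2] not in ("in", "out")):
            problems.append(f"{where}: does not match the documented syntax")
            continue
        seen.append(tok[2])
        # SPI values 0-255 are reserved (RFC 4303); the field is 32 bits wide.
        if not tok[4].isdecimal() or not 256 <= int(tok[4]) <= 0xFFFFFFFF:
            problems.append(f"{where}: spi must be a number from 256 to 4294967295")
        problems += check_key(tok[5], tok[6], AUTH_KEY_BYTES, where)
        if len(tok) == 9 and tok[1] == "ah":
            problems.append(f"{where}: ah does not support encryption")
        elif len(tok) == 9:
            problems += check_key(tok[7], tok[8], ENC_KEY_BYTES, where)
    for direction in ("in", "out"):
        if seen.count(direction) != 1:
            problems.append(f"expected one '{direction}' statement, found {seen.count(direction)}")
    return problems

# Constructed sample statements (patterned keys for illustration, not real key material).
GOOD = ["ipsec esp in spi 4097 sha1 " + "0a" * 20 + " aes " + "1b" * 16,
        "ipsec esp out spi 4098 sha1 " + "2c" * 20 + " aes " + "3d" * 16]
BAD = ["ipsec ah in spi 4097 md5 " + "0a" * 16 + " aes " + "1b" * 16,
       "ipsec ah in spi 100 sha1 " + "zz" * 20]

if __name__ == "__main__":
    for name, stmts in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ipsec(stmts) or "ok")
```

With static keying, the key used for one side's out statement has to match the peer's in statement, so run the check on both ends and compare the pairs.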
ipsec (ah|esp) ike
Enable IPsec with dynamic keying. In this mode, bgp sets up the flows, and a key management
daemon such as isakmpd is responsible for managing the session keys. With isakmpd, it is
sufficient to copy the peer’s public key, found in /etc/isakmpd/private/local.pub, to the local machine.
It must be stored in a file named after the peer’s IP address and must be stored in
/etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As
bgp manages the flows on its own, it is sufficient to restrict isakmpd to only take care of keying
by specifying the flags -Ka. This can be done in rc.conf.local. After starting the isakmpd and bgp
daemons on both sides, the session should be established.
local-address address
When bgp initiates the TCP connection to the neighbor system, it normally does not bind to a
specific IP address. If a local address is given, bgp binds to this address first.
max-prefix number [restart number]
Terminate the session after number prefixes have been received (no such limit is imposed by
default). If restart is specified, the session will be restarted after number minutes.
multihop hops
Neighbors not in the same AS as the local bgp normally have to be directly connected to the
local machine. If this is not the case, the multihop statement defines the maximum number of
hops the neighbor may be away.
passive
Do not attempt to actively open a TCP connection to the neighbor system.
remote-as as-number
Set the AS number of the remote system.
route-reflector [address]
Act as an RFC 2796 route-reflector for this neighbor. An optional cluster ID can be specified;
otherwise the BGP ID will be used.