peer sa-policy
Use peer sa-policy to configure an SA incoming or outgoing policy for an MSDP peer.
Use undo peer sa-policy to delete the SA incoming or outgoing policy for an MSDP peer.
Syntax
peer peer-address sa-policy { export | import } [ acl ipv4-acl-number ]
undo peer peer-address sa-policy { export | import }
Default
No SA incoming or outgoing policy exists, and all SA messages from an MSDP peer are accepted or forwarded.
Views
MSDP view
Predefined user roles
network-admin
Parameters
peer-address: Specifies an MSDP peer by its IP address.
export: Specifies the outgoing direction.
import: Specifies the incoming direction.
ipv4-acl-number: Specifies an IPv4 advanced ACL number in the range of 3000 to 3999. If you specify an ACL, the device accepts and forwards only SA messages that the ACL permits. Once this command is configured, the device discards all SA messages when one of the following conditions exists:
You do not specify an ACL.
The specified ACL does not exist.
The specified ACL does not have valid rules.
Usage guidelines
This command filters SA messages from a specified MSDP peer to control the acceptance or forwarding of SA messages. To control the creation of SA messages, use the import-source command.
When you configure a rule in the IPv4 advanced ACL, follow these restrictions and guidelines:
For the rule to take effect, do not specify the vpn-instance vpn-instance option.
The source source-address source-wildcard option specifies a multicast source address.
The destination dest-address dest-wildcard option specifies a multicast group address.
Among the other optional parameters, only the fragment keyword and the time-range time-range-name option take effect.
If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Configure an SA outgoing policy to forward only SA messages that ACL 3100 permits to MSDP peer 125.10.7.6 on the public network.
<Sysname> system-view
[Sysname] acl advanced 3100
[Sysname-acl-ipv4-adv-3100] rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[Sysname-acl-ipv4-adv-3100] quit
[Sysname] msdp
[Sysname-msdp] peer 125.10.7.6 connect-interface vlan-interface 100
[Sysname-msdp] peer 125.10.7.6 sa-policy export acl 3100
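# The following Python model is an added example, not vendor code or device output. It reproduces the filtering decision described in the Parameters and Usage guidelines sections, using ACL 3100 from the example above. Evaluating rules in listed order with first match winning, and evaluating each (S, G) pair separately, are assumptions; all function and variable names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def sa_policy_decision(policy_configured, acl_number, acls, source, group):
    """Return 'permit' or 'discard' for one (S, G) pair carried in an SA message.

    acls maps an ACL number to a list of rules:
    (action, source, source_wildcard, group, group_wildcard).
    """
    if not policy_configured:
        return "permit"    # default: no sa-policy, all SA messages pass
    if acl_number is None:
        return "discard"   # sa-policy configured without an ACL
    rules = acls.get(acl_number)
    if not rules:
        return "discard"   # ACL does not exist or has no valid rules
    for action, src, src_wc, grp, grp_wc in rules:  # assumed first-match order
        # "source" matches the multicast source, "destination" the group
        if wildcard_match(source, src, src_wc) and wildcard_match(group, grp, grp_wc):
            return "permit" if action == "permit" else "discard"
    return "discard"       # only SA messages the ACL permits pass

# Constructed ACL table: 3100 mirrors the example on this page,
# 3200 stands for an ACL that exists but has no rules.
ACLS = {
    3100: [("permit", "170.15.0.0", "0.0.255.255", "225.1.0.0", "0.0.255.255")],
    3200: [],
}

if __name__ == "__main__":
    # Constructed (S, G) samples checked against ACL 3100.
    samples = [
        ("170.15.3.9", "225.1.4.4"),   # inside both ranges
        ("10.1.1.1", "225.1.4.4"),     # source outside 170.15.0.0/16
        ("170.15.3.9", "239.1.1.1"),   # group outside 225.1.0.0/16
    ]
    for s, g in samples:
        print(s, g, sa_policy_decision(True, 3100, ACLS, s, g))
```

# Every misconfiguration case (no ACL given, ACL missing, ACL empty) blocks all SA messages for that peer and direction, so a typo in the ACL number silently stops SA exchange rather than opening it.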
Related commands
display msdp peer-status
import-source