R3303-HP HSR6800 Routers Security Command Reference

Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flow.
Usage guidelines
With an IKE-dependent IPsec policy configured, data flows can be protected in two modes:
Standard mode, in which one tunnel protects one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
Aggregation mode, in which one tunnel protects all data flows permitted by all the rules of an ACL.
If the devices at the two ends of a tunnel support both the standard and aggregation mode, specify the same data flow protection mode (either standard or aggregation) at both ends. When the device at one end runs Comware V5 software and the device at the other end runs Comware V3, you can use only the aggregation mode on both devices.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.
In IPsec GDOI policy view, you cannot configure IPv6 ACLs or the aggregation keyword. If you specify an ACL that contains permit statements, the packets matching the permit statements are dropped.
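As an added example (not part of this command reference), a small Python lint that parses a Comware-style configuration fragment and flags the cases the guidelines above describe: a policy with several security acl statements (only the last one is referenced), an ACL number outside 3000 to 3999, aggregation combined with an IPv6 ACL, and ipv6 or aggregation inside a GDOI policy. The command syntax security acl [ ipv6 ] acl-number [ aggregation ], the gdoi policy keyword and the sample configuration are assumptions.

```python
import re

# Syntax assumed from the parameter list: security acl [ ipv6 ] acl-number [ aggregation ]
SECURITY_ACL = re.compile(r"^\s+security acl(?P<v6> ipv6)? (?P<num>\d+)(?P<agg> aggregation)?\s*$")
POLICY_VIEW = re.compile(r"^ipsec policy (?P<name>\S+) (?P<seq>\d+) (?P<mode>manual|isakmp|gdoi)\s*$")

# Constructed sample running-config fragment (the gdoi keyword is assumed, not shown on the page)
SAMPLE_CONFIG = """\
ipsec policy policy1 100 isakmp
 security acl 3001
 security acl 3002 aggregation
ipsec policy policy2 1 isakmp
 security acl ipv6 3003 aggregation
ipsec policy policy3 10 gdoi
 security acl 3004 aggregation
ipsec policy policy4 20 manual
 security acl 2001
"""

def parse_policies(config: str) -> dict:
    """Map each 'name seq mode' policy to its security acl statements, in config order."""
    policies: dict = {}
    current = None
    for line in config.splitlines():
        m = POLICY_VIEW.match(line)
        if m:
            current = f"{m['name']} {m['seq']} {m['mode']}"
            policies[current] = []
        elif line and not line[0].isspace():
            current = None  # any other top-level command leaves the policy view
        elif current is not None and (m := SECURITY_ACL.match(line)):
            policies[current].append({"ipv6": bool(m["v6"]), "num": int(m["num"]), "agg": bool(m["agg"])})
    return policies

def lint(config: str) -> list:
    """Flag security acl usage that the usage guidelines say is ignored or rejected."""
    findings = []
    for key, refs in parse_policies(config).items():
        mode = key.split()[-1]
        if len(refs) > 1:
            findings.append(f"{key}: {len(refs)} security acl statements, only the last "
                            f"(ACL {refs[-1]['num']}) is referenced")
        for r in refs:
            if not 3000 <= r["num"] <= 3999:
                findings.append(f"{key}: ACL {r['num']} is outside the range 3000-3999")
            if r["ipv6"] and r["agg"]:
                findings.append(f"{key}: aggregation mode is not available for IPv6 data flows")
            if mode == "gdoi" and (r["ipv6"] or r["agg"]):
                findings.append(f"{key}: IPv6 ACLs and aggregation are not allowed in GDOI policy view")
    return findings
```

Running lint(SAMPLE_CONFIG) reports one finding per sample policy; the same function can be pointed at a saved display current-configuration output to catch a silently overridden ACL before a tunnel is brought up.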
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Configure IPsec policy policy2 to reference ACL 3002, setting the data flow protection mode to aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
ipsec policy (system view)