R3303-HP HSR6800 Routers Security Configuration Guide

An IPsec profile cannot be applied to both an IPsec tunnel interface and a DVPN tunnel interface
simultaneously.
An IPsec tunnel interface can reference only one IPsec profile.
Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to
multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.
Enabling packet information pre-extraction on the IPsec tunnel interface
Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS
module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of
the original packets. To address this problem, enable packet information pre-extraction on the tunnel
interface.
With packet information pre-extraction enabled, an IPsec tunnel interface buffers the IP 5-tuple data in
the original packets, so that the corresponding physical interface can perform QoS processing such as
traffic classification, IP precedence setting, rate limit, and congestion avoidance.
To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical
outbound interface. For more information about how to apply a QoS policy to a physical interface, see
ACL and QoS Configuration Guide.
IMPORTANT:
When the QoS policy applied to the physical outbound interface provides congestion management, IPsec
packets arriving at the destination might be out of order. Out-of-order IPsec packets might then be dropped
by the IPsec anti-replay function. For more information, see "Configuring the IPsec anti-replay function."
To enable packet information pre-extraction on an IPsec tunnel interface:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter tunnel interface view. | interface tunnel number | N/A
3. Enable packet information pre-extraction. | qos pre-classify | Disabled by default. For more information about the command, see ACL and QoS Command Reference.
Applying a QoS policy to an IPsec tunnel interface
The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed
before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet.
In addition, QoS congestion management is performed on the packets before encapsulation, which avoids
reordering the IPsec packets.
This method is much more explicit and flexible than the QoS implementation method of enabling packet
information pre-extraction on the IPsec tunnel interface, which requires applying a QoS policy to the
physical outbound interface.
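The following Python script is an added example, not part of this guide or of the device software. It audits a running configuration text for two of the points covered above: an IPsec profile should be applied to only one IPsec tunnel interface (the profile takes effect only on the tunnel that comes up first), and an IPsec tunnel interface that has a profile applied gets QoS visibility either through qos pre-classify (with a QoS policy on the physical outbound interface) or through a QoS policy applied on the tunnel interface itself. The configuration sample is constructed for the example; the ipsec profile, tunnel-protocol and qos apply policy interface commands are assumed to follow the Comware interface-view syntax and are not taken from this page.

```python
import re
from collections import defaultdict

# Constructed sample of a Comware-style running configuration (not from the guide).
# Tunnel1 uses packet information pre-extraction, Tunnel2 applies a QoS policy directly
# on the tunnel interface, Tunnel3 does neither, and profile "p1" is (wrongly)
# referenced by two tunnel interfaces.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet2/0/1
 ip address 192.0.2.1 255.255.255.0
 qos apply policy wan-shaper outbound
#
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 tunnel-protocol ipsec ipv4
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile p1
 qos pre-classify
#
interface Tunnel2
 ip address 10.1.2.1 255.255.255.0
 tunnel-protocol ipsec ipv4
 ipsec profile p2
 qos apply policy branch-qos outbound
#
interface Tunnel3
 ip address 10.1.3.1 255.255.255.0
 tunnel-protocol ipsec ipv4
 ipsec profile p1
#
"""


def parse_interfaces(config):
    """Return {interface_name: [command lines]} from a Comware-style config text.

    Interface blocks start with "interface <name>"; indented lines belong to the
    current block; a bare "#" line terminates it.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit(config):
    """Return sorted (subject, finding) tuples for IPsec tunnel interface QoS misconfigurations."""
    interfaces = parse_interfaces(config)
    findings = []
    profile_users = defaultdict(list)  # profile name -> tunnel interfaces referencing it

    for name, cmds in interfaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        profiles = [c.split()[2] for c in cmds if c.startswith("ipsec profile ")]
        if not profiles:
            continue  # not an IPsec tunnel interface
        for profile in profiles:
            profile_users[profile].append(name)

        # QoS sees the original 5-tuple either via pre-extraction (policy on the
        # physical outbound interface) or via a policy applied on the tunnel itself.
        pre_classify = any(c == "qos pre-classify" for c in cmds)
        policy_on_tunnel = any(c.startswith("qos apply policy ") for c in cmds)
        if not (pre_classify or policy_on_tunnel):
            findings.append((name, "no-qos-pre-classify-or-tunnel-qos-policy"))

    # A profile applied to several tunnel interfaces only takes effect on the first one up.
    for profile, users in profile_users.items():
        if len(users) > 1:
            findings.append(
                (profile, "profile-applied-to-multiple-tunnels: " + ", ".join(sorted(users)))
            )
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

Run against a saved `display current-configuration` output, the script reports Tunnel3 (IPsec profile applied, no QoS visibility) and profile p1 (shared by Tunnel1 and Tunnel3); Tunnel1 and Tunnel2 pass because each uses one of the two QoS methods described above.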