R0106-HP MSR Router Series Security Configuration Guide(V7)
• If the DF bit is set, the devices on the path cannot fragment the IPsec packets. Therefore, make sure
the path MTU is larger than the IPsec packets. Otherwise, the IPsec packets will be discarded. If the
path MTU is smaller than the IPsec packets, clear the DF bit.
To configure the DF bit of IPsec packets on an interface:
Step                                Command                                     Remarks
1. Enter system view.               system-view                                 N/A
2. Enter interface view.            interface interface-type interface-number   N/A
3. Configure the DF bit of IPsec    ipsec df-bit { clear | copy | set }         By default, the interface uses the
   packets on the interface.                                                    global DF bit setting.
To configure the DF bit of IPsec packets globally:
Step                                Command                                     Remarks
1. Enter system view.               system-view                                 N/A
2. Configure the DF bit of IPsec    ipsec global-df-bit { clear | copy | set }  By default, IPsec copies the DF bit in the
   packets globally.                                                            original IP header to the new IP header.
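The following added example (not from the HP guide) models the two rules above in Python: an interface-level ipsec df-bit setting, when configured, is used instead of the global setting, and an oversized IPsec packet is discarded on the path only when its DF bit is set. The function names, the packet sizes, and the treatment of a packet exactly equal to the path MTU as fitting are assumptions.

```python
from typing import Optional

VALID_SETTINGS = ("clear", "copy", "set")


def outer_df(original_df: bool,
             interface_setting: Optional[str] = None,
             global_setting: str = "copy") -> bool:
    """Return the DF bit placed in the new IP header of the IPsec packet.

    interface_setting=None models an interface with no ipsec df-bit command,
    which uses the global setting. The global default is "copy".
    """
    effective = global_setting if interface_setting is None else interface_setting
    if effective not in VALID_SETTINGS:
        raise ValueError(f"unknown DF bit setting: {effective!r}")
    if effective == "copy":
        return original_df          # carry over the original header's DF bit
    return effective == "set"       # "set" -> True, "clear" -> False


def path_outcome(ipsec_len: int, path_mtu: int, df: bool) -> str:
    """Describe what a device on the path does with the IPsec packet."""
    if ipsec_len <= path_mtu:       # assumption: equal size still fits
        return "forwarded"
    # Oversized: fragmentation is only allowed when DF is not set.
    return "discarded" if df else "fragmented"


def evaluate(original_df: bool, ipsec_len: int, path_mtu: int,
             interface_setting: Optional[str] = None,
             global_setting: str = "copy") -> str:
    """Combine both rules for one packet."""
    df = outer_df(original_df, interface_setting, global_setting)
    return path_outcome(ipsec_len, path_mtu, df)


if __name__ == "__main__":
    # Constructed sample: a 1480-byte IPsec packet crossing a 1400-byte path MTU,
    # original packet sent with DF set.
    for iface in (None, "copy", "set", "clear"):
        print(f"interface={iface!s:5} global=copy ->",
              evaluate(True, 1480, 1400, interface_setting=iface))
```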
Configuring IPsec RRI
When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created by this
IPsec policy, and the associated static routes.
If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs
created by this IPsec policy, and the associated static routes. Your change takes effect for future IPsec
RRI-created static routes.
You can set preferences for the static routes created by IPsec RRI to flexibly apply route management
policies. For example, you can set the same preference for multiple routes to the same destination to
implement load sharing, or you can set different preferences to implement route backup.
You can also set tags for the static routes created by IPsec RRI to implement flexible route control through
routing policies.
IPsec RRI does not generate a static route to a destination address to be protected if the destination
address is not defined in the ACL that an IPsec policy or an IPsec policy template references. You must
manually configure a static route to that destination address.
To configure IPsec RRI:
Step                                Command                                     Remarks
1. Enter system view.               system-view                                 N/A