TMS zl Management and Configuration Guide ST.1.1.100226

1-78
Overview
Feature Interaction
• If the packet is part of such a tunnel (its forwarding interface is an L2TP PPP interface or the GRE tunnel interface), the module establishes the tunnel (if it has not yet been established). If the tunnel cannot be established, the module drops the packet. Otherwise, the module encapsulates the packet with a GRE or L2TP header. It then determines whether the packet must be sent over an IPsec tunnel as well. See step 13.
• If the packet is not part of such a tunnel, the module proceeds to step 13.
13. The module determines whether the packet must be sent over an IPsec tunnel:
• If the packet matches the traffic selector in a current SA, the module uses the SA's parameters to encrypt and encapsulate the packet with IPsec and delivery IP headers. The packet is ready for forwarding. See step 14.
• If the packet does not belong to a current SA, the module matches the packet header to the traffic selectors in IPsec policies. It begins with the policy that has the highest position (lowest numerical value).
  – If the packet matches the traffic selector for an Allow policy, the module establishes an SA using either manual keying or the IKE policy that is specified in the IPsec policy. The module then uses the new SA to encrypt and encapsulate the packet with IPsec and delivery IP headers. The packet is ready for forwarding. See step 14. (If the SA cannot be established, the packet is dropped.)
  – If the packet matches the traffic selector for a Deny policy, the module drops the packet.
  – If the packet matches the traffic selector for a Bypass policy, the packet is ready for forwarding. By default, the TMS zl Module has a Bypass policy that selects all traffic not selected by other policies. See step 14.
14. The TMS zl Module forwards the packet to the next-hop router specified in the route to its destination IP address, tagging the frame for the forwarding VLAN of the route.
Note that the destination IP address is the NAT destination for traffic to which destination NAT has been applied. The destination IP address is the destination in the delivery IP header for traffic that is part of an IPsec or GRE tunnel.
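The decision in step 13 (current SA first, then IPsec policies in position order, with Allow/Deny/Bypass outcomes and a drop when SA setup fails) is modelled below. This is an added illustration, not code from the guide or the TMS zl Module; the SA names, policy positions, addresses and the `establish_sa` callback are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Selector:
    """Traffic selector: source/destination CIDR plus protocol ('any' matches all)."""
    src: str
    dst: str
    proto: str = "any"

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"]))


@dataclass
class Policy:
    position: int   # lowest number = highest position, evaluated first
    action: str     # "allow", "deny" or "bypass"
    selector: Selector


def decide(pkt: dict, sas: list, policies: list,
           establish_sa: Callable[[Policy], Optional[dict]]) -> tuple:
    """Step 13 for one outbound packet: returns (verdict, reason), where verdict is
    'encrypt' (IPsec-encapsulate, then step 14), 'forward' (clear, step 14) or 'drop'.
    A newly established SA is appended to `sas` so later packets reuse it."""
    for sa in sas:                              # existing SA covering this packet?
        if sa["selector"].matches(pkt):
            return "encrypt", sa["name"]
    for pol in sorted(policies, key=lambda p: p.position):   # highest position first
        if not pol.selector.matches(pkt):
            continue
        if pol.action == "deny":
            return "drop", f"deny policy {pol.position}"
        if pol.action == "bypass":
            return "forward", f"bypass policy {pol.position}"
        sa = establish_sa(pol)                  # manual keying or the referenced IKE policy
        if sa is None:                          # SA could not be established: packet dropped
            return "drop", f"sa-setup-failed policy {pol.position}"
        sas.append(sa)
        return "encrypt", sa["name"]
    return "forward", "no policy matched"       # unreachable while the default Bypass exists


def sample_sas() -> list:                       # constructed: one SA already up
    return [{"name": "sa-branch", "selector": Selector("10.1.0.0/16", "10.2.0.0/16")}]


def sample_policies() -> list:                  # constructed; 9999 = module's default Bypass
    return [Policy(5, "deny", Selector("10.1.5.0/24", "10.3.0.0/16")),
            Policy(10, "allow", Selector("10.1.0.0/16", "10.3.0.0/16")),
            Policy(9999, "bypass", Selector("0.0.0.0/0", "0.0.0.0/0"))]


def ike_ok(pol: Policy) -> dict:                # stand-in for a successful IKE negotiation
    return {"name": f"sa-pol{pol.position}", "selector": pol.selector}
```

Note that the Deny policy at position 5 wins over the overlapping Allow at position 10 for hosts in 10.1.5.0/24, which is exactly the ordering rule the text describes.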
Packet Flow from the Host Switch Perspective. Figure 1-23 illustrates the packet flow in a simplified way from the host switch perspective.