Enabling The Encryption Engine; Enabling The Ipsec Module Backup Function - 3Com MSR 50 Series Configuration Manual

1888 C 100: IPS
HAPTER EC
Enabling the
Encryption Engine
Enabling the IPSec
Module Backup
Function
C
ONFIGURATION
To do...
Enter system view
Enter encryption card
interface view
Bind an IPSec policy or policy
group
n
An IPSec policy group can be bound to an encryption card either before or
■
after it is applied to an interface.
An encryption card can be bound with multiple IPSec policies or IPSec policy
■
groups. An IPSec policy or an IPSec policy group can be bound to multiple
encryption cards.
After binding an IPSec policy or an IPSec policy group to an encryption card,
■
you cannot bind an IPSec policy or policy group with the same name to the
card again if you do not specify the encryption card as the primary card at the
same time. When an IPSec policy or policy group with the same name is bound
to the primary encryption card, the original one will be overlaid.
The encryption switch fabric is a coprocessor that provides an
encryption/decryption algorithm interface for IPSec processing.
If an encryption card is bound, IPSec processing is performed by the card as long
as it works properly. If the encryption card fails, the encryption switch fabric
cannot automatically substitute the encryption card for IPSec processing even the
encryption switch fabric is enabled. This is also the case for the IPSec module
backup function. In this case, the matched packets are discarded unless you
manually remove the binding for the encryption card.
If no encryption card is bound, there are also two cases:
If the encryption switch fabric is enabled, it takes over the responsibility of
■
IPSec processing;
If the encryption switch fabric is disabled or has failed but the IPSec module
■
backup function is enabled, the IPSec module takes over the responsibility of
IPSec processing; if the IPSec module backup function is disabled, the matched
packets are discarded.
Follow these steps to enable the encryption switch fabric:
To do...
Enter system view
Enable the encryption switch fabric
An encryption card and the IPSec module cannot backup each other. After an
encryption card is bound to an IPSec policy or policy group, the IPSec module
cannot automatically substitute the encryption card for IPSec processing in case of
Use the command...
system-view
interface encrypt-card
interface-number
ipsec binding policy
policy-name [ seq-number ]
[ primary ]
Use the command...
system-view
cryptoswitch fabric enable
Remarks
-
-
Required
By default, an encryption card
interface is bound with no
IPSec policy.
Remarks
-
Optional