Configuring Acls - HP A6600 Configuration Manual
Hide thumbs
Also See for A6600:
- Configuration manual (426 pages) ,
- Getting started (222 pages) ,
- Limited warranty (41 pages)
Table of Contents
Advertisement
Task
Enabling the encryption engine
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Enabling invalid SPI recovery
Configuring IPsec RRI
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
•
a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both
traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
•
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers that the packet does not require protection and delivers it to the next function module.
In the inbound direction, all IPsec packets matching a permit statement are processed by IPsec, and
•
all non-IPsec packets that match a permit statement are discarded.
When defining ACL rules for IPsec, follow these guidelines:
Permit only data flows that must be protected, and use the any keyword with caution. With the any
•
keyword specified in a permit statement, all outbound traffic matching the permit statement is
protected by IPsec. All inbound IPsec packets matching the permit statement are received and
processed, but all inbound non-IPsec packets are dropped. This causes the inbound traffic that does
not need IPsec protection to be all dropped.
Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
•
careful with its matching scope and matching order relative to permit statements. The policies in an
IPsec policy group have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec
policy to protect an outbound traffic flow, you must avoid the situation where the traffic flow
matches a deny statement in a higher priority IPsec policy. Otherwise, the packets are sent out as
normal packets. If they match a permit statement at the receiving end, they are dropped by IPsec.
The following configuration example shows how an improper statement causes unexpected packet
dropping. Only the ACL-related configurations are presented.
249
Remarks
Required
Optional
Optional
Optional
Optional
Optional
Advertisement
Table of Contents
Troubleshooting
