• copy—Copies the DF bit in the original IP header to the new IP header.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting
takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not
configured, the interface uses the system-view DF bit setting.
Follow these guidelines when you configure the DF bit:
• The DF bit setting takes effect only in tunnel mode, and it changes the DF bit in the new IP header rather than the original IP header.
• Configure the same DF bit setting on the interfaces where the same IPsec policy bound to a source interface has been applied.
• If the DF bit is set, the devices on the path cannot fragment the IPsec packets. Therefore, make sure the path MTU is larger than the IPsec packets. Otherwise, the IPsec packets will be discarded. If the path MTU is smaller than the IPsec packets, clear the DF bit.
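The following added example (not part of the original guide and not vendor code) models the guidelines above: it resolves the effective DF bit setting, derives the DF bit of the new IP header, and checks the resulting IPsec packet size against the path MTU. The function names and the transform sizes (ESP over IPv4 with AES-CBC and HMAC-SHA1-96, no NAT traversal) are assumptions.

```python
# Added example, not vendor code. Assumed transform: ESP tunnel mode over IPv4,
# AES-CBC with HMAC-SHA1-96, no NAT-T. Adjust the constants for other transforms.
OUTER_IPV4 = 20  # new IP header added in tunnel mode
ESP_HDR = 8      # SPI + sequence number
IV_LEN = 16      # AES-CBC IV
BLOCK = 16       # AES block size, determines ESP padding
ICV_LEN = 12     # HMAC-SHA1-96 integrity check value


def effective_setting(interface_cfg=None, global_cfg=None):
    """Interface-view setting wins, then the system-view one; the default is copy."""
    return interface_cfg or global_cfg or "copy"


def outer_df(setting, inner_df):
    """DF bit placed in the new IP header; the original header is not changed."""
    if setting not in ("clear", "copy", "set"):
        raise ValueError(f"unknown DF bit setting: {setting!r}")
    return inner_df if setting == "copy" else setting == "set"


def esp_tunnel_size(inner_len):
    """Size of the IPsec packet that carries an inner IP packet of inner_len bytes."""
    # Inner packet + pad-length byte + next-header byte, padded to the block size.
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK
    return OUTER_IPV4 + ESP_HDR + IV_LEN + padded + ICV_LEN


def path_outcome(inner_len, inner_df, path_mtu, interface_cfg=None, global_cfg=None):
    """What a device on the path does with the IPsec packet."""
    if esp_tunnel_size(inner_len) <= path_mtu:
        return "forwarded"
    df = outer_df(effective_setting(interface_cfg, global_cfg), inner_df)
    return "discarded" if df else "fragmented"


if __name__ == "__main__":
    # Constructed cases: (inner length, inner DF, path MTU, interface cfg, global cfg)
    cases = [
        (1400, True, 1500, None, "set"),
        (1500, True, 1500, None, None),
        (1500, True, 1500, "clear", "set"),
    ]
    for inner_len, inner_df, mtu, if_cfg, gl_cfg in cases:
        result = path_outcome(inner_len, inner_df, mtu, if_cfg, gl_cfg)
        print(inner_len, esp_tunnel_size(inner_len), if_cfg, gl_cfg, result)
```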
To configure the DF bit of IPsec packets on an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the DF bit of IPsec packets on the interface.
   Command: ipsec df-bit { clear | copy | set }
   Remarks: By default, the interface uses the global DF bit setting.
To configure the DF bit of IPsec packets globally:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DF bit of IPsec packets globally.
   Command: ipsec global-df-bit { clear | copy | set }
   Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.
Configuring IPsec RRI
Configuration guidelines
When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created
by this IPsec policy, and the associated static routes.
If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs
created by this IPsec policy, and the associated static routes. Your change takes effect for future
IPsec RRI-created static routes.
You can set preferences for the static routes created by IPsec RRI to flexibly apply route
management policies. For example, you can set the same preference for multiple routes to the same
destination to implement load sharing, or you can set different preferences to implement route
backup.
You can also set tags for the static routes created by IPsec RRI to implement flexible route control
through routing policies.
IPsec RRI does not generate a static route to a destination address to be protected if the destination
address is not defined in the ACL that an IPsec policy or an IPsec policy template uses. You must
manually configure a static route to the destination address.