Applying an IPsec Policy to an Interface; Enabling ACL Checking for De-encapsulated Packets - HPE FlexFabric 5940 Series Security Configuration Manual


Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec
protection, remove the application of the IPsec policy from the interface.
For each packet to be sent out of an interface to which an IPsec policy is applied, the interface
looks through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers.
If the packet matches the ACL of an IPsec policy entry, the interface uses that IPsec policy entry to
protect the packet. If no match is found, the interface sends the packet out without IPsec
protection. Make sure the ACLs in the policy cover every flow that must be protected: traffic that
matches no entry leaves the interface in clear text.
When the interface receives an IPsec packet destined for the local device, it searches for the
inbound IPsec SA according to the SPI in the IPsec packet header and uses that SA to
de-encapsulate the packet. If the de-encapsulated packet matches a permit rule of the ACL, the
device processes the packet. If the de-encapsulated packet does not match any permit rule of the
ACL, the device drops the packet.
To apply an IPsec policy to an interface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Apply an IPsec policy to the interface.
  Command: ipsec apply { policy | ipv6-policy } policy-name
  Remarks: By default, no IPsec policy is applied to an interface.
  On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one
  IPv6 IPsec policy.
  An IKE-based IPsec policy can be applied to multiple interfaces. As a best practice, apply an
  IKE-based IPsec policy to only one interface.
  A manual IPsec policy can be applied to only one interface.

Step 4. Specify a traffic processing slot for the interface.
  Command: service slot slot-number
  Remarks: By default, no traffic processing slot is specified for an interface. Traffic on an
  interface is processed on the slot at which the traffic arrives.

Enabling ACL checking for de-encapsulated packets

This feature compares the de-encapsulated incoming IPsec packets against the ACL in the IPsec
policy and discards those that do not match any permit rule of the ACL. This feature can protect
networks against attacks using forged IPsec packets.
This feature applies only to tunnel-mode IPsec.
To enable ACL checking for de-encapsulated packets:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable ACL checking for de-encapsulated packets.
  Command: ipsec decrypt-check enable
  Remarks: By default, this feature is enabled.
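The two behaviours described above, the outbound per-entry ACL lookup on an interface with an IPsec policy applied and the inbound ACL check on de-encapsulated packets that ipsec decrypt-check enable turns on, as a small Python model. This is an added example, not code from the HPE manual or the switch; the ACL rules, SPIs and addresses are constructed sample data, and the inbound check is modelled against the mirror image of the local ACL (source and destination swapped), which is an assumption about how a mirror-image ACL pair lines up rather than something the page states.

```python
# Added example (not from the HPE manual): model of the outbound IPsec policy
# lookup and the inbound decrypt-check on an interface. All ACLs, SPIs and
# addresses are constructed sample data. Assumption: the inbound inner packet is
# checked against the mirror image of the local ACL (src/dst swapped).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR notation
    dst: str      # destination prefix in CIDR notation


def acl_permits(rules: List[AclRule], src: str, dst: str) -> bool:
    """First-match evaluation; a flow that no rule covers is implicitly denied."""
    for rule in rules:
        if ip_address(src) in ip_network(rule.src) and ip_address(dst) in ip_network(rule.dst):
            return rule.action == "permit"
    return False


@dataclass(frozen=True)
class PolicyEntry:
    seq: int                   # sequence number within the IPsec policy
    acl: Tuple[AclRule, ...]   # the ACL referenced by this entry
    outbound_spi: int          # SPI of the SA this entry encapsulates with
    inbound_spi: int           # SPI of the SA the peer uses when sending to us


@dataclass(frozen=True)
class Packet:
    src: str                   # inner (de-encapsulated) source address
    dst: str                   # inner (de-encapsulated) destination address
    spi: Optional[int] = None  # None = plaintext, otherwise the outer IPsec SPI


class IpsecInterface:
    def __init__(self, entries: List[PolicyEntry], decrypt_check: bool = True):
        # Entries are consulted in ascending order of sequence number.
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.decrypt_check = decrypt_check
        self.inbound_sas: Dict[int, PolicyEntry] = {e.inbound_spi: e for e in entries}

    def send(self, pkt: Packet) -> Packet:
        """Outbound: the first entry whose ACL permits the flow protects it."""
        for entry in self.entries:
            if acl_permits(list(entry.acl), pkt.src, pkt.dst):
                return Packet(pkt.src, pkt.dst, spi=entry.outbound_spi)
        return pkt  # no match: forwarded without IPsec protection

    def receive(self, pkt: Packet) -> str:
        """Inbound IPsec packet destined for this device."""
        if pkt.spi is None:
            return "plaintext"
        entry = self.inbound_sas.get(pkt.spi)
        if entry is None:
            return "drop: no inbound SA for SPI"
        # De-encapsulation succeeded; apply the ACL check to the inner packet,
        # matched against the mirror image of the local ACL (assumption).
        if self.decrypt_check and not acl_permits(list(entry.acl), pkt.dst, pkt.src):
            return "drop: inner packet not permitted by ACL"
        return "accept"


# Constructed sample policy: one entry protecting 10.1.1.0/24 <-> 10.2.2.0/24.
SAMPLE_ACL = (AclRule("permit", "10.1.1.0/24", "10.2.2.0/24"),)
SAMPLE_ENTRY = PolicyEntry(seq=10, acl=SAMPLE_ACL, outbound_spi=0x1001, inbound_spi=0x2002)


def demo(decrypt_check: bool = True) -> dict:
    """Run the sample flows through the interface and report what happens to each."""
    iface = IpsecInterface([SAMPLE_ENTRY], decrypt_check=decrypt_check)
    return {
        "protected": iface.send(Packet("10.1.1.5", "10.2.2.7")).spi,
        "unprotected": iface.send(Packet("10.1.1.5", "8.8.8.8")).spi,
        "legit": iface.receive(Packet("10.2.2.7", "10.1.1.5", spi=0x2002)),
        "forged_inner": iface.receive(Packet("192.168.9.9", "10.1.1.5", spi=0x2002)),
        "unknown_spi": iface.receive(Packet("10.2.2.7", "10.1.1.5", spi=0x3003)),
    }


if __name__ == "__main__":
    for check in (True, False):
        print(f"decrypt-check {'enabled' if check else 'disabled'}: {demo(check)}")
```

Running demo(True) and demo(False) side by side shows the point of the feature: a packet that de-encapsulates under a valid SPI but carries inner addresses the ACL never permitted is dropped only while the check is enabled; with the check disabled it is accepted as if it were legitimate tunnel traffic. The outbound side also shows the caveat from the first section, a flow that matches no entry (10.1.1.5 to 8.8.8.8) leaves with spi None, that is, in clear text.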
