Configuring An Acl - HP FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Configuration manual (512 pages) ,
- Specifications (42 pages) ,
- Datasheet (20 pages)
Table of Contents
Advertisement
2.
Configure IPsec transform sets to specify the security protocols, authentication and encryption
algorithms, and the encapsulation mode.
3.
Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the
required keys, and the SA lifetime.
An IPsec policy is a set of IPsec policy entries that have the same name but different sequence
numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has
a higher priority.
4.
Apply the IPsec policy to an interface.
Complete the following tasks to configure ACL-based IPsec:
Tasks at a glance
(Required.)
(Required.)
(Required.) Configure an IPsec policy (use either method):
•
Configuring a manual IPsec policy
•
Configuring an IKE-based IPsec policy
(Required.)
(Optional.)
Enabling ACL checking for de-encapsulated packets
(Optional.)
Configuring IPsec anti-replay
(Optional.)
Configuring IPsec anti-replay redundancy
(Optional.)
Binding a source interface to an IPsec policy
(Optional.)
Enabling QoS pre-classify
(Optional.)
Enabling logging of IPsec packets
(Optional.)
Configuring IPsec RRI
(Optional.)
Configuring the DF bit of IPsec packets
(Optional.)
Configuring SNMP notifications for IPsec
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
Keywords in ACL rules
An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement
identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not
protected by IPsec. IPsec compares a packet against the ACL rules and processes the packet
according to the first rule it matches.
•
Each ACL rule matches both the outbound traffic and the returned inbound traffic.
•
In the outbound direction, if a permit statement is matched, IPsec considers that the packet
requires protection and continues to process it. If a deny statement is matched or no match is
found, IPsec considers that the packet does not require protection and delivers it to the next
module.
•
In the inbound direction:
Non-IPsec packets that match a permit statement are dropped.
IPsec packets destined for the device itself are de-encapsulated. By default, the
de-encapsulated packets are compared against the ACL rules. Only those that match a
Configuring an ACL
Configuring an IPsec transform set
Applying an IPsec policy to an interface
283
Advertisement
Table of Contents
Troubleshooting
