Binding a Source Interface to an IPsec Policy; Enabling QoS Pre-Classify - HP FlexNetwork 10500 Series Security Configuration Manual
Binding a source interface to an IPsec policy

For high availability, a core device is usually connected to an ISP through two links, which operate in
backup or load sharing mode. Each of the two interfaces negotiates with its peer to establish its own
IPsec SAs. When one interface fails and a link failover occurs, the other interface needs some time
to renegotiate SAs, resulting in service interruption.
To solve this problem, bind a source interface to an IPsec policy and apply the policy to both
interfaces. This enables the two physical interfaces to use the same source interface to negotiate
IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs are not removed and
keep working, regardless of link failover.
Follow these guidelines when you perform this task:
Only the IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface.
A source interface can be bound to multiple IPsec policies.
If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a
common IPsec policy.
If no local address is specified for an IPsec policy that has been bound to a source interface, the
IPsec policy uses the IP address of the bound source interface to perform IKE negotiation. If a
local address is specified, the IPsec policy uses the local address to perform IKE negotiation.
To bind a source interface to an IPsec policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Bind a source interface to an IPsec policy.
  Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
  Remarks: By default, no source interface is bound to an IPsec policy.

Enabling QoS pre-classify

CAUTION:
If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules
match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of
one IPsec SA to different queues, causing packets to be sent out of order. When IPsec anti-replay is
enabled, IPsec drops the incoming packets that fall outside the anti-replay window, resulting in
packet loss.
If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using
the new headers added by IPsec. If you want QoS to classify packets by using the headers of the
original IP packets, enable the QoS pre-classify feature.
IPsec traffic classification rules are determined by the specified ACL rules. For more information
about QoS policy and classification, see the ACL and QoS Configuration Guide.
To enable the QoS pre-classify feature:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
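The source-interface binding procedure described earlier in this section, written out as an added configuration example that is not from the manual. It assumes an IKE-based IPsec policy named policy1 already exists, that the loopback address 10.1.1.1 is reachable by the IPsec peer over both links, and that the interface names and the interface-view command ipsec apply policy match your Comware release (check your own command reference).

```text
# Added example, not from the manual. Assumes the IKE-based policy policy1
# already exists and that 10.1.1.1 is reachable by the peer through both links.
system-view
# A loopback interface stays up as long as the device is up, so IPsec SAs
# negotiated from it survive a failover of either physical link.
interface loopback 0
 ip address 10.1.1.1 32
 quit
# Bind the loopback as the source interface of the IKE-based policy.
# No local-address is set in policy1, so IKE negotiates from 10.1.1.1.
ipsec policy policy1 local-address loopback 0
# Apply the same policy to both ISP-facing interfaces (names assumed).
interface gigabitethernet 1/0/1
 ipsec apply policy policy1
 quit
interface gigabitethernet 1/0/2
 ipsec apply policy policy1
 quit
# Check: after shutting down one of the two links, the SAs listed here should
# remain, because they are keyed to the loopback, not to the failed interface.
display ipsec sa
```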