Defining Acl - 3Com 3C13636 Configuration Manual


3Com Router 3000 Ethernet Family
Configuration Guide
Configure SA duration (optional)
Configure PFS feature for negotiation
A security policy can reference an IPSec proposal or card SA proposal as needed.
4) Configure security policy template (optional)
5) Apply security policy on the interface
6) Disable next-payload field checking (optional)
II. Configuring the encryption card (optional)
1) Enable encryption card
2) Enable the IPSec module to back up the encryption card
3) Configure the fast forwarding function of the encryption card
4) Configure the simple network management operations for the encryption card

7.2.1 Defining ACL

IPSec uses advanced ACLs to distinguish packets that need protection from packets that
do not. The role of an ACL in IPSec differs from its role in a firewall. Normally, an
ACL determines which data is permitted and which is denied on a given interface. In
IPSec, however, the ACL determines which packets need security protection and which do
not. For this reason, an ACL applied in IPSec is in effect an encryption ACL: packets
permitted by the ACL are protected, while packets denied by the ACL are not protected.
An encryption ACL can be applied on both input interfaces and output interfaces.
For more information, see section 1.4.3 II. "ACL."
Encryption ACLs defined at the local and peer routers must be consistent (i.e., they
can mirror each other), so that either side can decrypt the data encrypted by the
other side. For example,
Local end:
acl number 3101
rule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255
Peer end:
acl number 3101
rule 1 permit ip source 173.2.2.2 0.255.255.255 destination 173.1.1.1 0.255.255.255
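
The mirror requirement above can be checked offline before the ACLs are applied. The following is an added example, not part of the 3Com manual: the function names are hypothetical, it parses only the rule form shown on this page, and it assumes wildcard bits set to 1 are ignored when matching.

```python
import ipaddress
import re

# Rule form shown on this page:
#   rule <id> permit|deny ip source <addr> <wildcard> destination <addr> <wildcard>
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+ip\s+"
    r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def normalize(addr, wildcard):
    """Clear the don't-care bits (assumption: wildcard bit 1 = ignored)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF, w)

def parse_rules(config):
    """Return (action, source, destination) tuples with normalized addresses."""
    return [(act, normalize(sa, sw), normalize(da, dw))
            for act, sa, sw, da, dw in RULE_RE.findall(config)]

def mirror_mismatches(local_cfg, peer_cfg):
    """Return (local rules the peer lacks a mirror of, peer rules the local end lacks a mirror of)."""
    local, peer = parse_rules(local_cfg), parse_rules(peer_cfg)
    swap = lambda rules: [(act, dst, src) for act, src, dst in rules]
    return ([r for r in local if r not in swap(peer)],
            [r for r in peer if r not in swap(local)])

# The two ACLs from this page.
PAGE_LOCAL = """acl number 3101
rule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255"""
PAGE_PEER = """acl number 3101
rule 1 permit ip source 173.2.2.2 0.255.255.255 destination 173.1.1.1 0.255.255.255"""

# Constructed sample: the peer's destination wildcard is narrower than the
# local source wildcard, so the two ends disagree on what is protected.
BAD_LOCAL = """acl number 3101
rule 1 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255"""
BAD_PEER = """acl number 3101
rule 1 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.0.255"""

if __name__ == "__main__":
    print(mirror_mismatches(PAGE_LOCAL, PAGE_PEER))
    print(mirror_mismatches(BAD_LOCAL, BAD_PEER))
```

Under the assumed wildcard semantics, 173.1.1.1 and 173.2.2.2 with wildcard 0.255.255.255 both normalize to 173.0.0.0, so the two rules on this page cover the same range in each direction. The check compares rule sets only and does not consider rule order.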
3Com Corporation
7-9
Chapter 7 IPSec Configuration
