Troubleshooting port security, Cannot set the port security mode, Enabling qos pre-classify – H3C Technologies H3C S12500-X Series Switches User Manual

142

Step Command

Remarks

2.

Bind a source interface to an

IPsec policy.

ipsec { ipv6-policy | policy }
policy-name local-address
interface-type interface-number

By default, no source interface is
bound to an IPsec policy.

246B

Enabling QoS pre-classify

If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the
new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP

packets, enable the QoS pre-classify feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To enable the QoS pre-classify feature:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter IPsec policy view.

ipsec { policy | ipv6-policy }
policy-name seq-number [ isakmp
| manual ]

N/A

3.

Enable QoS pre-classify.

qos pre-classify

By default, QoS pre-classify is
disabled.

247B

Enabling logging of IPsec packets

Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as

IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information

includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded
IPsec packet, and the reason for the failure.
To enable the logging of IPsec packets:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable the logging of IPsec
packets.

ipsec logging packet enable

By default, the logging of IPsec
packets is disabled.

248B

Configuring the DF bit of IPsec packets

Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one of
the following ways:

•

clear—Clears the DF bit in the new header.

•

set—Sets the DF bit in the new header.

•

copy—Copies the DF bit in the original IP header to the new IP header.