beautypg.com

Configuring an acl, Keywords in acl rules, Mirror image acls – H3C Technologies H3C S6300 Series Switches User Manual

Page 238: Required.)

background image

223

Tasks at a glance

(Optional.)

Enabling logging of IPsec packets

(Optional.)

Configuring the DF bit of IPsec packets

(Optional.)

Configuring SNMP notifications for IPsec

Configuring an ACL

IPsec uses ACLs to identify the traffic to be protected.

Keywords in ACL rules

An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement
identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected

by IPsec. With IPsec, a packet is matched against the referenced ACL rules and processed according to

the first rule that it matches:

Each ACL rule matches both the outbound traffic and the returned inbound traffic.

In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
protection and continues to process it. If a deny statement is matched or no match is found, IPsec

considers that the packet does not require protection and delivers it to the next function module.

In the inbound direction:

{

Non-IPsec packets that match a permit statement are dropped.

{

IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated. By default, the device matches the de-encapsulated packets against the ACL
again and, if they match a permit statement, continues to process the packets. If ACL checking

for de-encapsulated packets is disabled, the device directly processes the de-encapsulated

packets without matching against the ACL.

When defining ACL rules for IPsec, follow these guidelines:

Permit only data flows that need to be protected and use the any keyword with caution. With the

any keyword specified in a permit statement, all outbound traffic matching the permit statement will
be protected by IPsec. All inbound IPsec packets matching the permit statement will be received and

processed, but all inbound non-IPsec packets will be dropped. This will cause all the inbound traffic

that does not need IPsec protection to be dropped.

Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement, be
careful with its matching scope and matching order relative to permit statements. The policy entries
in an IPsec policy have different match priorities. ACL rule conflicts between them are prone to

cause mistreatment of packets. For example, when configuring a permit statement for an IPsec

policy entry to protect an outbound traffic flow, you must avoid the situation that the traffic flow

matches a deny statement in a higher priority IPsec policy entry. Otherwise, the packets will be sent

out as normal packets. If they match a permit statement at the receiving end, they will be dropped
by IPsec.

Mirror image ACLs

To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between

two IPsec peers, create mirror image ACLs on the IPsec peers.