
Binding a source interface to an IPsec policy, Enabling QoS pre-classify – H3C Technologies H3C S6300 Series Switches User Manual


Binding a source interface to an IPsec policy

For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. Each of the two interfaces negotiates with its peer to establish its own IPsec SAs. When one interface fails and a link failover occurs, the other interface needs some time to re-negotiate SAs, resulting in service interruption.

To solve this problem, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
Follow these guidelines when you perform this task:

• Only IKE-based IPsec policies can be bound to a source interface.
• An IPsec policy can be bound to only one source interface.
• A source interface can be bound to multiple IPsec policies.
• If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a common IPsec policy.
• If no local address is specified for an IPsec policy that has been bound to a source interface, the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation. If a local address is specified, the IPsec policy uses the local address to perform IKE negotiation.

To bind a source interface to an IPsec policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Bind a source interface to an IPsec policy.
    Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
    Remarks: By default, no source interface is bound to an IPsec policy.
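A worked configuration for the two-link case described above, added here as an illustration and not taken from the manual. It assumes a loopback (LoopBack 0, with the constructed address 192.0.2.1) as the source interface, two uplinks GigabitEthernet 1/0/1 and 1/0/2, and an existing IKE-based policy named policy1; the interface-view command ipsec apply policy and the display ipsec sa check are assumed from Comware V7 syntax and are not shown on this page.

```text
# Added example (not from the manual). Addresses and interface names are constructed.
system-view

# 1. A loopback stays up no matter which physical uplink fails, so it is the
#    natural shared source interface. 192.0.2.1 is a constructed sample address.
interface LoopBack 0
 ip address 192.0.2.1 255.255.255.255
quit

# 2. Bind the source interface to the IKE-based policy (command from this page).
#    No local address is specified, so IKE negotiation uses 192.0.2.1.
ipsec policy policy1 local-address LoopBack 0

# 3. Apply the same policy to both uplinks (assumption: Comware V7 interface-view
#    syntax, not shown on this page). Both interfaces now negotiate IPsec SAs
#    from LoopBack 0, so a failover between them does not tear the SAs down.
interface GigabitEthernet 1/0/1
 ipsec apply policy policy1
quit
interface GigabitEthernet 1/0/2
 ipsec apply policy policy1
quit

# 4. Check (assumed display command): after a failover the SA's local address
#    should still read 192.0.2.1 rather than a physical-interface address.
display ipsec sa
```

The peer must be able to reach 192.0.2.1 over either uplink and must use it as the remote address in its own IPsec policy, or the SAs survive the failover but the returning traffic no longer matches them.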

Enabling QoS pre-classify

If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP packets, enable the QoS pre-classify feature.

For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To enable the QoS pre-classify feature:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A