H3C Technologies H3C SecPath F1000-E User Manual

Page 40

Item Description

Branch Network
Mask

Configure the mask of the private network addresses of the branch to be used in tunnel
entries.
After you configure a mask, the firewall at the headquarters will establish only one
tunnel entry for all private IP addresses that belong to the same network segment. This is

to reduce the number of tunnel entries on the firewall. On a branch network, you can

simulate a traffic flow destined for the headquarters to trigger the firewall at the
headquarters to create a tunnel entry for the entire branch network.

IMPORTANT:

•

By default, the mask of branch network addresses is 255.255.255.255.

•

Modifying the mask will delete all tunnel entries created on the firewall.

•

Before configuring a mask, make sure that all the branch networks of the enterprise

have the same mask length. For a branch device with a different mask length, you

can configure NAT to implement the mask length consistency.

Aging Time

Configure the aging time for P2MP GRE tunnel entries.
The creation of a tunnel entry for a branch network is triggered by the traffic from the
branch network. If the firewall at the headquarters does not receive traffic from the

branch network within the aging time, the firewall will age out the tunnel entry.

Enable Interface
Backup

Select whether to enable the interface backup function, and if yes, specify the backup
tunnel interface.

IMPORTANT:

•

The backup tunnel interface to be specified must be a GRE over IPv4 tunnel interface.

•

The backup tunnel interface to be specified must have existed.

Backup Interface

GRE Packet
Checksum

Enable or disable the GRE packet checksum function. With this function enabled, the
tunnel interface will verify the validity of packets and discard those invalid.
You can enable or disable the checksum function at both ends of the tunnel as needed.
If checksum is enabled at the local end but not at the remote end, the local end

calculates the checksum of a packet to be sent but does not check the checksum of a
received packet. In contrast, if the checksum function is enabled at the remote end but

not at the local end, the local end checks the checksum of a received packet but does not

calculate the checksum of a packet to be sent.

Displaying information about established P2MP GRE tunnels

Select VPN > GRE > P2MP from the navigation tree and then click the Tunnel List tab to view the P2MP

GRE tunnel list, as shown in

Figure 23

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS