Configuring acls, Use of the permit/deny actions in acls – H3C Technologies H3C SecPath F1000-E User Manual
Page 717
Task: Configuring an IPsec Policy Template
Remarks: Required if you are using an IPsec policy template group to create an IPsec policy.
An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Remarks: Required.
Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template. The device supports only IPsec policies that use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA negotiations but can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end. The parameters not defined in the template are determined by the initiator.

Task: Applying an IPsec Policy Group
Remarks: Required.
Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.

Remarks: Optional.
View brief information about established IPsec SAs to verify your configuration.

Remarks: Optional.
View packet statistics to verify your configuration.
Configuring ACLs
Use of the Permit/Deny Actions in ACLs
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules, and each ACL rule is a permit or deny statement. A permit statement identifies a data flow to be protected by IPsec; a deny statement identifies a data flow that is not protected by IPsec. IPsec matches packets against the referenced ACL rule by rule. Matching stops as soon as a rule matches, or ends when no rule matches. The packet is handled as follows:
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and the returned traffic from 2.2.2.0 to 1.1.1.0.
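The matching behaviour described above, modelled as an added Python example (this is illustrative code written for this page, not H3C firmware or any H3C tool). It assumes a simplified rule syntax covering only "rule N permit|deny ip source A W destination B W" with wildcard masks, evaluates rules in ascending sequence order with first match winning, and treats each rule as matching both the outbound flow and the mirrored inbound flow. Because this page does not say what happens to a packet that matches no rule, classify() returns None in that case and leaves the decision to the caller.

```python
"""Model of how IPsec classifies packets with a referenced ACL (added example)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Simplified rule grammar (assumption): rule <seq> permit|deny ip source <addr> <wild> destination <addr> <wild>
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


@dataclass(frozen=True)
class AclRule:
    seq: int
    action: str        # "permit" = protect with IPsec, "deny" = do not protect
    src: int
    src_wild: int      # wildcard mask: 0 bit must match, 1 bit is "don't care"
    dst: int
    dst_wild: int


def parse_rule(line: str) -> AclRule:
    """Parse one ACL rule line in the simplified syntax above."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    seq, action, src, src_wild, dst, dst_wild = m.groups()
    return AclRule(
        int(seq), action,
        int(IPv4Address(src)), int(IPv4Address(src_wild)),
        int(IPv4Address(dst)), int(IPv4Address(dst_wild)),
    )


def _wild_match(addr: int, ref: int, wild: int) -> bool:
    """Compare only the address bits where the wildcard mask has a 0 bit."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ref & care)


def _matches_direction(rule: AclRule, src: int, dst: int) -> bool:
    return _wild_match(src, rule.src, rule.src_wild) and _wild_match(dst, rule.dst, rule.dst_wild)


def classify(acl: List[AclRule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return "protect" (permit rule hit), "bypass" (deny rule hit) or None (no rule hit).

    Rules are evaluated from the smallest sequence number upward and matching stops
    at the first hit. Each rule matches the outbound flow (src->dst) and the returned
    inbound flow (dst->src), as the manual describes.
    """
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for rule in sorted(acl, key=lambda r: r.seq):
        if _matches_direction(rule, s, d) or _matches_direction(rule, d, s):
            return "protect" if rule.action == "permit" else "bypass"
    return None


# Constructed sample ACL: a host-specific deny placed before the subnet-wide permit,
# so the single host pair is excluded from protection by first-match ordering.
SAMPLE_ACL = [parse_rule(l) for l in [
    "rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255",
    "rule 0 deny ip source 1.1.1.10 0.0.0.0 destination 2.2.2.20 0.0.0.0",
]]


if __name__ == "__main__":
    for src, dst in [("1.1.1.5", "2.2.2.9"), ("2.2.2.9", "1.1.1.5"),
                     ("1.1.1.10", "2.2.2.20"), ("1.1.1.5", "3.3.3.3")]:
        print(f"{src} -> {dst}: {classify(SAMPLE_ACL, src, dst)}")
```

Note that rule 5 is listed before rule 0 in SAMPLE_ACL on purpose: the sort by sequence number is what gives the deny its higher priority, mirroring the "smaller sequence number, higher priority" ordering the manual describes for policy and template groups. The second probe shows the mirrored inbound flow (2.2.2.0 back to 1.1.1.0) being classified by the same permit rule.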