Configuring IPsec Configuring IPsec on the OmniSwitch
OmniSwitch AOS Release 6 Network Configuration Guide September 2009 page 27-13
Enabling and Disabling a Policy
You can administratively enable or disable the configured security policy by using the keywords no shutdown or shutdown after the command as shown below:
-> ipsec policy tcp_in shutdown
The above command disables the configured IPsec security policy.
Note. Policies cannot be enabled until at least one rule is configured. See “Configuring an IPsec Rule” on page 27-15.
Assigning a Priority to a Policy
You can use the optional priority parameter to assign a priority to the configured IPsec policy so that, if IPv6 traffic matches more than one configured policy, the policy with the highest priority is applied to the traffic. The policy with the higher numeric value has the higher priority. For example:
-> ipsec policy tcp_in priority 500
Note. If two security policies have the same priority, then the one configured first will be processed first.
Policy Priority Example
-> ipsec policy telnet_deny priority 1 source ::/0 destination ::/0 port 23 protocol tcp in discard
-> ipsec policy telnet_ipsec priority 100 source 3ffe:1200::/32 destination ::/0 port 23 protocol tcp in ipsec shutdown
-> ipsec policy telnet_ipsec rule 1 esp
-> ipsec policy telnet_ipsec no shutdown
-> ipsec policy telnet_clear priority 200 source 3ffe:1200::1 destination ::/0 port 23 protocol tcp in none
-> ipsec policy telnet_malicious priority 1000 source 3ffe:1200::35 destination ::/0 port 23 protocol tcp in discard
1 Policy telnet_deny is the lowest priority policy. It will discard any incoming telnet connection attempts.
2 Policy telnet_ipsec covers a subset of the source addresses of telnet_deny. With its greater priority, it overrides telnet_deny and allows incoming telnet connections from addresses within the prefix 3ffe:1200::/32 as long as they are protected by ESP. Because the policy was created with the shutdown keyword, it only takes effect once rule 1 (ESP) has been added and the policy is brought up with no shutdown.
3 The policy telnet_clear overrides telnet_ipsec for the single host 3ffe:1200::1, allowing telnet connection attempts from that host to be accepted without any IPsec protection.
4 Policy telnet_malicious can be configured to handle a known malicious system (3ffe:1200::35) that otherwise would fall under the telnet_ipsec policy. Its priority of 1000 ensures that it always takes precedence and discards any incoming telnet connection attempts from the known malicious system.
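The precedence rules in this example, worked through as an added Python model that is not part of the guide: the Policy fields, the prefix-containment matching, and the assumption that only ipsec-action policies need a rule before no shutdown are illustrative, not the switch's implementation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    priority: int
    source: str        # IPv6 prefix or host address, e.g. "3ffe:1200::/32"
    destination: str
    port: int
    protocol: str      # "tcp" or "udp"
    direction: str     # "in" or "out"
    action: str        # "discard", "ipsec" or "none" (clear text)
    rules: tuple = ()  # e.g. ("esp",) for an ipsec-action policy
    enabled: bool = True

    def matches(self, src, dst, port, proto, direction):
        # Hypothetical match logic: prefix containment for addresses, exact match otherwise.
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)
                and (port, proto, direction) == (self.port, self.protocol, self.direction))

def set_admin_state(policy, up):
    """Model 'no shutdown' / 'shutdown'; an ipsec-action policy needs a rule first (assumption)."""
    if up and policy.action == "ipsec" and not policy.rules:
        raise ValueError(f"{policy.name}: configure at least one rule before 'no shutdown'")
    policy.enabled = up
    return policy.enabled

def select_policy(policies, src, dst, port, proto="tcp", direction="in"):
    """Highest-priority enabled policy matching the traffic; ties go to the one configured first."""
    best = None
    for p in policies:  # list order == configuration order
        if p.enabled and p.matches(src, dst, port, proto, direction):
            if best is None or p.priority > best.priority:  # '>' keeps the earlier policy on ties
                best = p
    return best

# The four policies from the Policy Priority Example above, in configuration order.
POLICIES = [
    Policy("telnet_deny", 1, "::/0", "::/0", 23, "tcp", "in", "discard"),
    Policy("telnet_ipsec", 100, "3ffe:1200::/32", "::/0", 23, "tcp", "in", "ipsec", rules=("esp",)),
    Policy("telnet_clear", 200, "3ffe:1200::1", "::/0", 23, "tcp", "in", "none"),
    Policy("telnet_malicious", 1000, "3ffe:1200::35", "::/0", 23, "tcp", "in", "discard"),
]

def action_for(src, dst="2001:db8::1", policies=POLICIES):
    """(policy name, action) applied to inbound telnet from src, or None if nothing matches."""
    p = select_policy(policies, src, dst, 23)
    return (p.name, p.action) if p else None
```

Running action_for over a few constructed source addresses reproduces the four numbered outcomes above, and shutting telnet_ipsec down shows 3ffe:1200::7 falling back to the telnet_deny discard.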