H3C MSR Series Command Reference

H3C MSR Series
1187 pages
Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an
ACL. This mode is only used to communicate with old-version devices.
Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data
flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it.
This mode consumes more system resources when multiple data flows exist between two
subnets to be protected.
A manual IPsec policy supports only the aggregation mode.
A GDOI-based IPsec policy supports only the standard mode. On a GM, do not configure permit
rules in the local ACL used by a GDOI-based IPsec policy. Otherwise, packets matching the permit
rules are dropped.
Examples
# Specify IPv4 advanced ACL 3001 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Specify IPv4 advanced ACL 3002 for the IPsec policy policy2 and specify the data protection
mode as aggregation.
<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
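# The mode restrictions in the usage guidelines above (manual policies support only aggregation, GDOI-based policies support only standard mode and must not reference an ACL with permit rules) can be checked offline against a saved configuration. The following Python script is an added example, not part of the H3C manual: the sample configuration is constructed, the gdoi policy-type keyword and the finding names are assumptions, and only numbered IPv4 advanced ACLs are parsed.

```python
import re

# Constructed sample (not from the manual). Policy names, ACL 3005 and the
# "gdoi" policy keyword are assumptions made for this illustration.
SAMPLE = """\
acl advanced 3001
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl advanced 3005
 rule 0 deny ip source 10.9.0.0 0.0.255.255
 rule 5 permit ip source 10.1.5.0 0.0.0.255
ipsec policy branch 10 manual
 security acl 3001 per-host
ipsec policy hq 10 isakmp
 security acl 3001 per-host
ipsec policy group 10 gdoi
 security acl 3005
ipsec policy legacy 20 manual
 security acl 3001
"""

ACL = re.compile(r"acl advanced (\d+)\s*$")
PERMIT = re.compile(r"\s+rule (\d+ )?permit\b")
POLICY = re.compile(r"ipsec policy (\S+) (\d+) (manual|isakmp|gdoi)\s*$")
SEC_ACL = re.compile(r"\s+security acl (\d+)( (aggregation|per-host))?\s*$")

def lint(config):
    """Return (policy, seq, finding) tuples for the mode rules above.
    Assumes ACLs appear before the policies that reference them."""
    permits, findings, acl, policy = {}, [], None, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line opens a new view
            a, p = ACL.match(line), POLICY.match(line)
            acl = a.group(1) if a else None
            policy = p.groups() if p else None
        elif acl and PERMIT.match(line):      # count permit rules per ACL
            permits[acl] = permits.get(acl, 0) + 1
        elif policy and (m := SEC_ACL.match(line)):
            name, seq, kind = policy
            ref, mode = m.group(1), m.group(3)  # mode is None if no keyword
            if kind == "manual" and mode == "per-host":
                findings.append((name, seq, "manual-needs-aggregation"))
            if kind == "gdoi" and mode is not None:
                findings.append((name, seq, "gdoi-needs-standard"))
            if kind == "gdoi" and permits.get(ref, 0):
                findings.append((name, seq, "gdoi-acl-has-permit"))
    return findings

if __name__ == "__main__":
    for name, seq, finding in lint(SAMPLE):
        print(f"ipsec policy {name} {seq}: {finding}")
```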
Related commands
display ipsec sa
display ipsec tunnel
snmp-agent trap enable ipsec
Use the snmp-agent trap enable ipsec command to enable SNMP notifications for IPsec.
Use the undo snmp-agent trap enable ipsec command to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
Default
All SNMP notifications for IPsec are disabled.


H3C MSR Series Specifications

General
Category: Network Router
IPv6 Support: Yes
Dimensions: Varies by model
Weight: Varies by model
Product Type: Modular Router
Ports: Varies by model
WAN Interfaces: Varies by model
Firewall: Yes
QoS: Yes
Wireless Support: Varies by model
USB Ports: Varies by model
Console Port: Yes
Power Supply: Varies by model
Redundancy: Varies by model
Operating Temperature: 0°C to 45°C
Storage Temperature: -40°C to 70°C
Humidity: 5% to 95% non-condensing
Series: MSR
Certifications: CE, FCC, RoHS