HPE FlexNetwork 5510 HI Series Security Configuration Guide

HPE FlexNetwork 5510 HI Series
551 pages
264
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for
the device. They do not take effect on traffic forwarded through the device. For example, an
ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot
protect all the data flows and voice flows that are forwarded by the device. For more information
about configuring an ACL for IPsec, see "Configuring an ACL."
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec
configured.
ACL-based IPsec configuration task list
The generic configuration procedure for implementing ACL-based IPsec is as follows:
1. Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic,
you do not need to specify the VPN parameters in the ACL rules.
2. Configure IPsec transform sets to specify the security protocols, authentication and encryption
algorithms, and the encapsulation mode.
3. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the
required keys, and the SA lifetime.
An IPsec policy is a set of IPsec policy entries that have the same name but different sequence
numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has
a higher priority.
4. Apply the IPsec policy to an interface.
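A worked configuration that follows the four steps above, added here as an illustration and not taken from the guide. It protects only the syslog flow the switch itself sends to a log server, the case the feature restrictions describe; ACL number, object names, addresses and the pre-shared key are constructed, and the command syntax is assumed to be the Comware 7 form used by this platform.

```comware
# Constructed addresses: switch VLAN-interface 10 = 10.1.1.1,
# log server = 10.1.2.100, IPsec/IKE peer in front of it = 10.1.2.1.
#
# Step 1: advanced ACL matching only the device-generated syslog flow (UDP 514).
# Transit traffic would never match an IPsec ACL on this platform anyway.
acl advanced 3001
 rule 0 permit udp source 10.1.1.1 0 destination 10.1.2.100 0 destination-port eq 514
#
# Step 2: transform set, ESP with AES-128 and SHA-1, tunnel encapsulation.
ipsec transform-set LOG-TS
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 encapsulation-mode tunnel
#
# IKE keychain and profile for the peer; the key string is a placeholder.
ike keychain LOG-KC
 pre-shared-key address 10.1.2.1 255.255.255.255 key simple REPLACE-WITH-REAL-PSK
ike profile LOG-PROF
 keychain LOG-KC
 local-identity address 10.1.1.1
 match remote identity address 10.1.2.1 255.255.255.255
#
# Step 3: IKE-based IPsec policy entry. Sequence number 10; a second entry
# with a higher number in the same policy would be matched after this one.
ipsec policy LOG-POL 10 isakmp
 security acl 3001
 transform-set LOG-TS
 local-address 10.1.1.1
 remote-address 10.1.2.1
 ike-profile LOG-PROF
 sa duration time-based 3600
#
# Step 4: apply the policy on the interface the log traffic leaves from.
# Do not filter UDP 500 or IP protocols 50/51 on this interface.
interface Vlan-interface10
 ip address 10.1.1.1 255.255.255.0
 ipsec apply policy LOG-POL
#
# Source syslog from that interface so the flow matches the ACL in step 1.
info-center loghost 10.1.2.100
info-center loghost source Vlan-interface10
```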
Complete the following tasks to configure ACL-based IPsec:
Tasks at a glance
(Required.) Configuring an ACL
(Required.) Configuring an IPsec transform set
(Required.) Configuring an IPsec policy (use either method):
• Configuring a manual IPsec policy
• Configuring an IKE-based IPsec policy
(Required.) Applying an IPsec policy to an interface
(Optional.) Enabling ACL checking for de-encapsulated packets
(Optional.) Configuring IPsec anti-replay
(Optional.) Configuring IPsec anti-replay redundancy
(Optional.) Binding a source interface to an IPsec policy
(Optional.) Enabling QoS pre-classify
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring the DF bit of IPsec packets
(Optional.) Configuring SNMP notifications for IPsec
