276
interface-type interface-number
Enabling QoS pre-classify
If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using
the new headers added by IPsec. If you want QoS to classify packets by using the headers of the
original IP packets, enable the QoS pre-classify feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To enable the QoS pre-classify feature:
1. Enter system view.
system-view
N/A
2. Enter IPsec policy
IPsec policy template view.
• To enter IPsec policy view:
ipsec { policy | ipv6-policy }
policy-name seq-number
[ isakmp | manual ]
•
template view:
ipsec { policy-template |
ipv6-policy-template }
template-name seq-number
N/A
3. Enable QoS pre-classify.
qos pre-classify
By default, QoS pre-
disabled.
Enabling logging of IPsec packets
Perform this task to enable the logging of IPsec packets that are discarded because of reasons such
as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log
information includes the source and destination IP addresses, the SPI value, and the sequence
number of a discarded IPsec packet, and the reason for the failure.
To enable the logging of IPsec packets:
1. Enter system view.
system-view
N/A
2.
Enable the logging of IPsec
packets.
ipsec logging packet enable
By default, the logging of IPsec
packets is disabled.
Configuring the DF bit of IPsec packets
Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in
one of the following ways:
• clear—Clears the DF bit in the new header.
• set—Sets the DF bit in the new header.
• copy—Copies the DF bit in the original IP header to the new IP header.
To Next Page
Loading...
