NE40E V800R010C10SPC500 Feature Description - Security 01

IPsec Application in the L2VPN or L3VPN Scenario

L2VPN CE Serving as an IPsec Security Gateway

Figure 13-36 Process of packet encapsulation and forwarding

By default, IPsec packets are encrypted and then fragmented, so the peer end can decrypt a packet only after receiving all of its fragments. You can run the ipsec df-bit clear and ipsec fragmentation before-encryption commands to configure fragmentation before encryption. The peer end then decrypts each fragment as soon as it is received, which speeds up processing of encrypted packets. However, when this function is used, the actual payload of a packet may increase.

Figure 13-37 QoS scheme

During transmission of an IPsec packet, the DSCP value in the original IP header cannot be changed.

After the packet is encrypted, the DSCP value in the original IP header is mapped to the DSCP field in the IPsec header. The DSCP value can also be independently set in an outer IP header.

The DSCP value in the original IP header remains unchanged when the encrypted IPsec packet is decrypted after being transmitted over the MPLS network. During transmission over the MPLS network, the DSCP value in the outer IP header can also be mapped to the MPLS EXP value.

If the IPsec SA is negotiated based on the DSCP value, the out-of-order packets issue brought by QoS can be addressed.

L3VPN PE Serving as an IPsec Security Gateway

Figure 13-38 Process of packet encapsulation and forwarding
Figure 13-39 QoS scheme

During transmission of an IPsec packet, the DSCP value in the original IP header cannot be changed.

After the packet is encrypted, the DSCP value in the original IP header is mapped to the DSCP field in the IPsec header. The DSCP value can also be independently set in an outer IP header.

The DSCP value in the original IP header remains unchanged when the encrypted IPsec packet is decrypted after being transmitted over the MPLS network. During transmission over the MPLS network, the DSCP value in the outer IP header can also be mapped to the MPLS EXP value.

If the IPsec SA is negotiated based on the DSCP value, the out-of-order packets issue brought by QoS can be addressed.

L3VPN CE Serving as an IPsec Security Gateway

Figure 13-40 Process of packet encapsulation and forwarding
Figure 13-41 QoS scheme

After the packet is encrypted, the DSCP value in the original IP header is mapped to the DSCP field in the IPsec header. The DSCP value can also be independently set in an outer IP header.

The DSCP value in the original IP header is mapped to the DSCP value in the IPsec header. The DSCP value in the original IP header remains unchanged when the encrypted IPsec packet is decrypted after being transmitted over the MPLS network. During transmission over the MPLS network, the DSCP value in the outer IP header can also be mapped to the MPLS EXP value. After the IPsec packet is decrypted, you can specify the DSCP value in the original IP header.

If the IPsec SA is negotiated based on the DSCP value, the out-of-order packets issue brought by QoS can be addressed.
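
An added illustration, not part of the Huawei documentation: the out-of-order issue matters because the receiver's anti-replay window (RFC 4303) rejects packets whose sequence numbers have fallen behind the window, which happens when QoS delays low-priority traffic that shares an SA with high-priority traffic. The Python simulation below compares one shared SA with one SA per DSCP value; the flow, queue delays, and window size are constructed assumptions, not NE40E values.

```python
from collections import defaultdict

QUEUE_DELAY = {46: 0, 0: 100}  # constructed: EF (46) sent at once, DSCP 0 held 100 slots

class ReplayWindow:
    """Receiver-side sliding anti-replay window in the style of RFC 4303."""
    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, set()

    def accept(self, seq):
        if seq + self.size <= self.top or seq in self.seen:
            return False  # fell behind the window, or a replayed number
        self.seen.add(seq)
        if seq > self.top:  # slide the window and forget numbers that left it
            self.top = seq
            self.seen = {s for s in self.seen if s + self.size > self.top}
        return True

def traffic(n=400):
    """Constructed flow: every fourth packet is DSCP 0, the rest DSCP 46."""
    return [(t, 0 if t % 4 == 0 else 46) for t in range(n)]

def simulate(per_dscp_sa, window=64):
    """Return {dscp: packets rejected by anti-replay} after QoS queueing."""
    next_seq, in_flight = defaultdict(int), []
    for t, dscp in traffic():
        sa = dscp if per_dscp_sa else "shared"  # SA selected by DSCP, or one SA for all
        next_seq[sa] += 1  # each SA has its own sequence counter
        in_flight.append((t + QUEUE_DELAY[dscp], t, sa, next_seq[sa], dscp))
    windows, dropped = defaultdict(lambda: ReplayWindow(window)), defaultdict(int)
    for _, _, sa, seq, dscp in sorted(in_flight):  # order of arrival at the peer
        if not windows[sa].accept(seq):
            dropped[dscp] += 1
    return dict(dropped)

if __name__ == "__main__":
    print("one shared SA  :", simulate(per_dscp_sa=False))
    print("one SA per DSCP:", simulate(per_dscp_sa=True))
```

With a shared SA, only the delayed low-priority class loses packets; with per-DSCP SAs, each class keeps its own in-order sequence space and nothing is rejected.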

Devices on the core network implement QoS based on DSCP values. If devices on the Layer 2 bearer network support mapping from DSCP to 802.1p, they can implement QoS based on 802.1p.

Updated: 2019-01-03

Document ID: EDOC1100055047
