NE40E V800R010C10SPC500 Feature Description - Security 01

IPsec QoS

Table 13-3 describes the functions of IPsec QoS.
Table 13-3 Functions of IPsec QoS

Function

Description

Overload Processing

Packets received by a board enter different queues based on different DSCP values. Each queue has a different priority. When the board's CPU is overloaded, back pressure occurs on the multi-core CPU. The board preferentially forwards high-priority packets and discards low-priority packets.

Rate Limit on User Packets

To prevent a user from consuming a large number of VSUF resources, configure an IPsec policy to limit the user's packet rate. You can configure different rates for different IPsec policies, and you can configure the rate limit separately for the incoming and outgoing tunnel directions.

In GRE over IPsec scenarios, you can also control whether the GRE or IPsec tunnel header is counted when rate limit statistics are collected. If the GRE/IPsec tunnel header is not counted, the limit applies to the user's actual traffic, which makes the rate limit accurate.

Priority Re-marking

When a user packet enters an IPsec tunnel, a new IP header is generated. By default, the DSCP value in the original IP header is used as the value of the DSCP field in the new IP header. You can also configure the DSCP field in the new IP header to use a specified value.

When the packet leaves the tunnel, the packet is decapsulated and an IP header is generated. You can change the value of the DSCP field in the IP header.

In MPLS scenarios, after a user packet is encrypted or decrypted, it is encapsulated with an MPLS label. You can configure the EXP value in the MPLS label to flexibly control EXP re-marking.

Fragmentation and Re-organization

  • Encryption before fragmentation

    After being encrypted on the board, packets are fragmented based on the default MTU. If an MTU value is set on the specified outbound interface, packets are fragmented based on that value instead. At the decrypting end, the fragments are reassembled and then decrypted.

  • Fragmentation before encryption

    After receiving packets, the board first fragments them based on the MTU value, and then encrypts and sends each fragment. At the decrypting end, each fragment is first decrypted, the fragments are then reassembled, and the packet is finally sent.

Mutual Access of Terminals and Traffic Filtering

When X2 traffic is exchanged between LTE base stations, or when terminal users access each other, the traffic must first be sent to the gateway to be decrypted. The decrypted traffic must then be encrypted again based on the destination IP address of the packet. The board therefore decrypts the traffic first and then re-encrypts it.

In addition, users can apply related methods to filter and limit mutual access between terminals.

NOTE:

This function is supported only on the VSUF board.

Mirroring Function of Tunnel Interfaces

For packets that are decrypted first and then encrypted again, the plaintext can be viewed only on the board. To monitor this traffic, the decrypted packets must be mirrored. The packets are therefore replicated and sent to the related observing interface before they are encrypted.

NOTE:

This function is supported only on the VSUF board.
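
The header-accounting choice described under Rate Limit on User Packets can be seen with a small token-bucket model. This is an added example, not Huawei code or NE40E configuration; the `Policer` class, the overhead constants and the traffic profile are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed per-packet overheads in bytes (illustrative, not NE40E figures).
GRE_OVERHEAD = 24    # 20-byte outer IPv4 header + 4-byte base GRE header
IPSEC_OVERHEAD = 58  # ESP tunnel mode: 20 IPv4 + 8 ESP + 16 IV + 2 trailer + 12 ICV, padding ignored
TUNNEL_OVERHEAD = GRE_OVERHEAD + IPSEC_OVERHEAD


@dataclass
class Policer:
    """Single-rate token bucket for one IPsec policy and one direction (hypothetical model)."""
    rate_bps: int
    burst_bytes: int
    count_tunnel_header: bool
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def admit(self, now: float, user_len: int) -> bool:
        # Refill for the elapsed time, capped at the bucket depth.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        # The accounting choice: charge the user packet alone, or the packet plus tunnel headers.
        cost = user_len + (TUNNEL_OVERHEAD if self.count_tunnel_header else 0)
        if cost > self.tokens:
            return False  # over the limit: drop
        self.tokens -= cost
        return True


def user_goodput_bps(policer: Policer, user_len: int, pps: int, seconds: int) -> float:
    """Offer a constant packet stream and return the admitted user traffic in bit/s."""
    admitted = sum(user_len for i in range(pps * seconds) if policer.admit(i / pps, user_len))
    return admitted * 8 / seconds


if __name__ == "__main__":
    # Constructed profile: 1 Mbit/s limit, 64-byte user packets offered at 5000 pps for 10 s.
    for counted in (False, True):
        p = Policer(rate_bps=1_000_000, burst_bytes=3000, count_tunnel_header=counted)
        print(f"tunnel header counted={counted}: {user_goodput_bps(p, 64, 5000, 10):,.0f} bit/s of user traffic")
```

With these assumed figures, small packets get roughly the full 1 Mbit/s of user traffic when tunnel headers are excluded and roughly 0.44 Mbit/s when they are counted against the same limit.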

Updated: 2019-01-03

Document ID: EDOC1100055047
