NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring IPsec QoS

You can configure the IPsec packet format or forwarding behavior to implement QoS for IPsec packets.

Procedure

  • Global configuration
    1. Run system-view

      The system view is displayed.

    2. Configure fragmentation before encryption for IPsec packets globally.

      1. Run the ipsec global df-bit clear command to clear the DF flag so that IPsec packets can be fragmented.

      2. Run the ipsec global fragmentation before-encryption command to fragment IPsec packets before they are encrypted.

      Fragmentation before encryption can be configured in either of the following modes:

      • Global configuration

        The global configuration applies to all created IPsec policies, except policies in which fragmentation before encryption is configured separately. If a large number of IPsec policies need this function, you do not need to run the ipsec df-bit clear command for each IPsec policy one by one; use the global configuration to improve efficiency.

      • Partial configuration

        For a specific IPsec policy, you can run the ipsec df-bit clear command to configure this function separately. The partial configuration takes priority over the global configuration.

    3. Run commit

      The configuration is committed.

  • Partial configuration
    1. Run system-view

      The system view is displayed.

    2. Configure IPsec QoS in IPsec policy mode or IPsec policy template mode based on actual requirements.

      Table 12-4 Configuring IPsec QoS

      1. Enter the IPsec policy view or IPsec policy template view.

        • IPsec policy mode: ipsec policy policy-name sequence-number

        • IPsec policy template mode: ipsec policy-template template-name sequence-number

      2. Configure the rate limit.

        Run the speed-limit { inbound | outbound } speed-limit [ ike ] [ payload ] command to configure the rate limit.

        When multiple tunnels are established on the device, the tunnels contend with each other under heavy traffic. The speed-limit command limits the traffic on each IPsec tunnel, and traffic beyond the limit is discarded. In this way, every tunnel can still transmit traffic.

      3. Configure fragmentation before encryption for IPsec packets.

        1. Run the ipsec df-bit clear command to clear the DF flag so that IPsec packets can be fragmented.

        2. Run the ipsec fragmentation before-encryption command to fragment IPsec packets before they are encrypted.

        NOTE:
        For IPsec policies, the ipsec df-bit clear command takes priority over the ipsec global df-bit clear command configured in the system view.

      4. Configure the priority re-marking function.

        • Run the set dscp { dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } { inbound | outbound } command to configure the DSCP value of IPv4 packets.

        • Run the set service-class { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } { inbound | outbound } command to configure the internal service class corresponding to the EXP value in MPLS headers.

          After a packet enters an MPLS network, both the DSCP value of the IP header and the EXP value of the MPLS header are mapped to service classes by default. To allow only the EXP value of MPLS headers to be modified, run this command to configure the internal service class.

      6. Define a policy template.

        • IPsec policy mode: -

        • IPsec policy template mode: ipsec policy policy-name seq-number isakmp [ template template-name ]

          After the IPsec policy template is bound to the IPsec policy, you can apply the IPsec policy to the interface to enable the functions of the IPsec policy template.

          NOTE:

          In an IPsec policy group, only one IPsec policy can reference the IPsec policy template.

          The names of the IPsec policy template and the IPsec policy must be different.

    3. Run commit

      The configuration is committed.

  • Tunnel interface configuration
    • Configure the IPsec packet mirroring.

      1. Configure an observing port.
        1. Run the system-view command to enter the system view.

        2. Run the interface interface-type interface-number command to enter the interface view.

        3. Run the port-observing observe-index observe-index command to configure the observing port.

        4. Run the quit command to return to the system view.
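
The scope rules above (global settings apply to every policy, and a per-policy ipsec df-bit clear takes priority over ipsec global df-bit clear) can be checked offline against a saved configuration. The following Python script is an added example, not Huawei code; the configuration layout, the policy names and the speed-limit values are constructed assumptions, and it treats a setting as effective when it is present at either scope.

```python
import re

# Constructed sample; the dump layout is an assumption, command names are the page's.
SAMPLE_CONFIG = """\
ipsec global fragmentation before-encryption
#
ipsec policy branch-a 10 isakmp
 speed-limit outbound 2000
 ipsec df-bit clear
 ipsec fragmentation before-encryption
#
ipsec policy branch-b 10 isakmp
 set dscp ef outbound
#
ipsec policy-template tmpl-c 1
 ipsec fragmentation before-encryption
 speed-limit inbound 1000
#
"""

HEADER = re.compile(r"^ipsec (?:policy-template|policy) (\S+) (\d+)")

def audit(config):
    """Return {"name/seq": [findings]}; a setting counts if set at either scope."""
    global_cmds, policies, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # end of a policy block
        elif raw.startswith(" "):
            if current is not None:
                current.add(line)               # sub-command of current policy
        elif (m := HEADER.match(line)):
            current = policies.setdefault(f"{m.group(1)}/{m.group(2)}", set())
        elif line.startswith("ipsec global "):
            global_cmds.add("ipsec " + line[len("ipsec global "):])
    findings = {}
    for name, cmds in policies.items():
        effective = cmds | global_cmds          # per-policy plus inherited global
        issues = []
        if ("ipsec fragmentation before-encryption" in effective
                and "ipsec df-bit clear" not in effective):
            issues.append("fragmentation before encryption without df-bit clear")
        if not any(c.startswith("speed-limit ") for c in cmds):
            issues.append("no speed-limit")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

In the sample, branch-b inherits fragmentation before encryption from the global setting but has no DF-bit clearing at either scope, so packets with the DF flag set would still not be fragmented; adding ipsec global df-bit clear resolves that finding for every policy at once.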

Updated: 2019-01-02

Document ID: EDOC1100055397
