Feature Description - IP Services 01

NE05E and NE08E V300R003C10SPC500

ACLs Applied to an IPsec Policy

An IPsec policy can protect different data flows. In practice, you define the data flows to be protected in an ACL and reference that ACL in the IPsec policy; the data flows that match the ACL are then protected.

IPsec uses the ACL rules to decide which packets need security protection and which do not. Data flows that match a permit rule in the advanced ACL are processed by IPsec and then sent; data flows that do not match the advanced ACL are forwarded directly. Data flows that the policy requires to be encrypted but that arrive unencrypted are considered attack traffic and discarded.

Note the following restrictions:

  • A nonexistent ACL or an ACL without any rules cannot be applied to an IPsec policy.
  • An IPsec policy supports only advanced ACLs (both numbered and named ACLs).
  • Rules in the advanced ACL can match data flows only by source or destination IP address, source or destination port, and protocol number.
  • The ACL applied to an IPsec policy does not support deny rules.
  • The ACL applied to an IPsec policy cannot contain rules that reference address sets or port sets.
  • The source and destination port numbers in the ACL applied to an IPsec policy can be specified only with the eq parameter, not with the lt, gt, or range parameters.
  • Only one ACL can be applied to an IPsec policy. To apply a new ACL, delete the existing one first.
  • ACLs configured in the same IPsec policy group cannot contain identical rules.
Table 3-8 Matching Principles of ACLs Applied to an IPsec Policy

ACL Matching Result                                                        IPsec Processing Result
-------------------------------------------------------------------------  ----------------------------------------------------
The packet matches a permit rule                                           The packet is processed by IPsec and then forwarded.
The packet matches a deny rule                                             The packet is forwarded directly.
The referenced ACL exists and contains rules, but the packet matches none  The packet is forwarded directly.
The referenced ACL does not exist                                          IPsec does not support these kinds of ACLs.
The referenced ACL exists but contains no rules                            IPsec does not support these kinds of ACLs.
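The restriction list and Table 3-8 together define a small decision procedure: first, can this ACL be applied to an IPsec policy at all, and second, what happens to a given packet once it is. The following Python is an added example that implements both checks over a constructed ACL model; it is not NE05E/NE08E configuration syntax or vendor code. The AclRule/Acl/Packet classes, the "ip" protocol wildcard, CIDR prefixes instead of wildcard masks, and the port-operator tuples are assumptions made here for the simulation. The inbound "attack traffic" case is modelled with a boolean saying whether the packet arrived under IPsec protection.

```python
"""Validator for the IPsec-policy ACL restrictions plus a simulation of Table 3-8.
Constructed example; model and notation are assumptions, not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclRule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches any protocol; else "tcp", "udp", ...
    src: str                          # CIDR prefix, e.g. "10.1.1.0/24" (assumed notation)
    dst: str
    src_port: Optional[tuple] = None  # ("eq", n), ("lt", n), ("gt", n) or ("range", lo, hi)
    dst_port: Optional[tuple] = None
    uses_set: bool = False            # rule references an address set or a port set

@dataclass
class Acl:
    number: int
    rules: tuple = ()                 # empty tuple models "ACL exists but has no rules"

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0

def validate_for_ipsec(acl: Optional[Acl]) -> list:
    """Every reason the ACL cannot be applied to an IPsec policy (empty list = OK)."""
    if acl is None:
        return ["ACL does not exist"]
    if not acl.rules:
        return [f"ACL {acl.number} has no rules"]
    problems = []
    for i, r in enumerate(acl.rules):
        if r.action == "deny":
            problems.append(f"rule {i}: deny rules are not supported")
        if r.uses_set:
            problems.append(f"rule {i}: address/port sets are not supported")
        for side, spec in (("source", r.src_port), ("destination", r.dst_port)):
            if spec is not None and spec[0] != "eq":
                problems.append(f"rule {i}: {side} port must use eq, not {spec[0]}")
    return problems

def duplicate_rules(acls: list) -> set:
    """Rules that appear in more than one ACL of the same IPsec policy group."""
    first_seen, dupes = {}, set()
    for acl in acls:
        for r in acl.rules:
            if r in first_seen and first_seen[r] != acl.number:
                dupes.add(r)
            first_seen.setdefault(r, acl.number)
    return dupes

# Port operators; only "eq" survives validation, the rest exist so matching stays general.
_PORT_OPS = {"eq": lambda p, s: p == s[1], "lt": lambda p, s: p < s[1],
             "gt": lambda p, s: p > s[1], "range": lambda p, s: s[1] <= p <= s[2]}

def _port_ok(spec: Optional[tuple], port: int) -> bool:
    return spec is None or _PORT_OPS[spec[0]](port, spec)

def rule_matches(r: AclRule, p: Packet) -> bool:
    """Match on the only fields the page allows: protocol, addresses and ports."""
    return ((r.protocol == "ip" or r.protocol == p.protocol)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
            and _port_ok(r.src_port, p.src_port) and _port_ok(r.dst_port, p.dst_port))

def outbound_action(acl: Optional[Acl], p: Packet) -> str:
    """Table 3-8: 'ipsec' = protect then forward, 'forward' = send directly,
    'unsupported' = missing or empty ACL, which cannot be applied at all."""
    if acl is None or not acl.rules:
        return "unsupported"
    for r in acl.rules:                      # first matching rule wins
        if rule_matches(r, p):
            return "ipsec" if r.action == "permit" else "forward"
    return "forward"

def inbound_action(acl: Optional[Acl], p: Packet, arrived_protected: bool) -> str:
    """A cleartext packet the policy says must be protected is attack traffic: drop it."""
    if outbound_action(acl, p) == "ipsec" and not arrived_protected:
        return "drop"
    return "accept"

# Constructed sample ACLs (numbers, prefixes and rules invented for this example).
GOOD_ACL = Acl(3000, (
    AclRule("permit", "ip", "10.1.1.0/24", "10.1.2.0/24"),
    AclRule("permit", "tcp", "10.1.1.0/24", "10.1.2.0/24", dst_port=("eq", 443)),
))
BAD_ACL = Acl(3001, (
    AclRule("deny", "ip", "10.1.1.0/24", "10.1.3.0/24"),
    AclRule("permit", "udp", "10.1.1.0/24", "10.1.3.0/24",
            dst_port=("range", 1, 1024), uses_set=True),
))
```

Running `validate_for_ipsec(BAD_ACL)` reports three violations (a deny rule, a set reference and a range port), while `GOOD_ACL` passes; `outbound_action` and `inbound_action` then reproduce the table rows, including the missing/empty-ACL case that the restrictions rule out before any packet is seen. `duplicate_rules` covers the last restriction by reporting any rule shared between two ACLs of the same policy group.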
Updated: 2019-01-14

Document ID: EDOC1100058931
