security acl
Use security acl to specify an ACL for an IPsec policy or IPsec policy template.
Use undo security acl to restore the default.
Syntax
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
undo security acl
Default
An IPsec policy or IPsec policy template does not use any ACL.
Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.
per-host: Specifies the data protection mode as per-host.
Usage guidelines
An IKE-based IPsec policy supports the following data flow protection modes:
Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. The standard mode is used if you do not specify the aggregation or the per-host mode.
Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.
Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
A manual IPsec policy supports only the aggregation mode.
Examples
# Specify IPv4 advanced ACL 3001 for IPsec policy policy1.
<Sysname> system-view [Sysname] acl advanced 3001 [Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-ipv4-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Specify IPv4 advanced ACL 3002 for IPsec policy policy2 and specify the data protection mode as aggregation.
<Sysname> system-view [Sysname] acl advanced 3002 [Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255 [Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255 [Sysname-acl-ipv4-adv-3002] quit [Sysname] ipsec policy policy2 1 isakmp [Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
display ipsec sa
display ipsec tunnel