security acl

Use security acl to specify an ACL for an IPsec policy or IPsec policy template.

Use undo security acl to restore the default.

Syntax

security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]

undo security acl

Default

An IPsec policy or IPsec policy template does not use any ACL.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv6: Specifies an IPv6 ACL.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.

per-host: Specifies the data protection mode as per-host.

Usage guidelines

An IKE-based IPsec policy supports the following data flow protection modes:

A manual IPsec policy supports only the aggregation mode.

Examples

# Specify IPv4 advanced ACL 3001 for IPsec policy policy1.

<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001

# Specify IPv4 advanced ACL 3002 for IPsec policy policy2 and specify the data protection mode as aggregation.

<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

Related commands

display ipsec sa

display ipsec tunnel