security acl
Syntax
security acl acl-number
undo security acl
View
IPsec policy view
Default level
2: System level
Parameters
acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.
Description
Use the security acl command to specify the ACL for the IPsec policy to reference.
Use the undo security acl command to remove the configuration.
By default, an IPsec policy references no ACL.
With an IKE-dependent IPsec policy configured, data flows can be protected in standard mode. In standard mode, one tunnel protects one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
This command is supported only in FIPS mode.
When you specify an ACL for an IPsec policy, note these guidelines:
For each ACL rule created at the local end, you must create a mirror-image rule (source and destination swapped) in the ACL at the remote end. Otherwise, IPsec may protect traffic in only one direction.
The ACL cannot be deployed to an aggregate interface or a tunnel interface.
You can specify only one ACL for an IPsec policy, and one ACL can be referenced by only one IPsec policy. To deploy multiple ACL rules for an IPsec policy, configure all of them in one ACL and then reference that ACL in the policy.
ACLs referenced by IPsec cannot be used by other services.
Related commands: ipsec policy (system view).
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
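A small check for the mirror-image guideline above, added here as an example and not taken from the command reference: it parses the local and remote ACLs in the rule form shown on this page and reports the permit rules whose mirror image the other peer lacks. The sample ACLs are constructed.

```python
import re

# Added example, not part of the command reference: verify that every permit rule in the
# local IPsec ACL has a mirror-image rule in the peer's ACL. Only the form shown on this
# page is parsed; deny rules and rules with extra options are listed as "not checked".
#   rule [n] permit <proto> source (<addr> <wildcard>|any) destination (<addr> <wildcard>|any)
ADDR = r"(any|\S+\s+\S+)"
RULE_RE = re.compile(
    rf"^rule(?:\s+\d+)?\s+permit\s+(\S+)\s+source\s+{ADDR}\s+destination\s+{ADDR}$"
)

def parse_acl(text):
    """Return (set of (proto, source, destination) tuples, list of unchecked rule lines)."""
    rules, unchecked = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rule"):
            continue  # 'acl number ...', prompts, comments
        m = RULE_RE.match(line)
        if m:
            proto, src, dst = m.groups()
            rules.add((proto, " ".join(src.split()), " ".join(dst.split())))
        else:
            unchecked.append(line)
    return rules, unchecked

def mirror(rule):
    """The rule the peer must hold: same protocol, source and destination swapped."""
    proto, src, dst = rule
    return (proto, dst, src)

def check_mirror(local_text, remote_text):
    """Rules on each side whose mirror image is missing on the other, plus unchecked lines."""
    local, skipped_l = parse_acl(local_text)
    remote, skipped_r = parse_acl(remote_text)
    missing_on_remote = sorted(r for r in local if mirror(r) not in remote)
    missing_on_local = sorted(r for r in remote if mirror(r) not in local)
    return missing_on_remote, missing_on_local, skipped_l + skipped_r

# Constructed sample ACLs: the page's rule plus a UDP flow whose mirror the remote end lacks.
LOCAL_ACL = """acl number 3001
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 5 permit udp source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""
REMOTE_ACL = """acl number 3001
 rule 0 permit tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print(check_mirror(LOCAL_ACL, REMOTE_ACL))
```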