Applying an IPsec policy group to an interface

This feature is supported only in FIPS mode.

An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To cancel the IPsec protection, remove the IPsec policy group from the interface.

For each packet to be sent out of an IPsec-protected interface, the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet, the system uses that IPsec policy to protect the packet. If no match is found, the system sends the packet out without IPsec protection.
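The lookup described above, modelled as an added example (not vendor code): a policy group is a set of entries sharing one name, walked in ascending sequence order, and a packet that matches no entry leaves in the clear. The IPsecPolicy/IPsecPolicyGroup classes, the source/destination network selectors, the group name "branch" and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class IPsecPolicy:
    """One entry of a policy group: group name, sequence number and the flow it selects."""
    name: str
    seq: int
    src: str  # source network, e.g. "10.1.1.0/24" (constructed selector model)
    dst: str  # destination network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

class IPsecPolicyGroup:
    """Policies sharing one name, keyed by sequence number; lower seq = higher priority."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._by_seq: Dict[int, IPsecPolicy] = {}

    def add(self, policy: IPsecPolicy) -> None:
        if policy.name != self.name:
            raise ValueError("policy name must equal the group name")
        if policy.seq in self._by_seq:
            raise ValueError(f"sequence number {policy.seq} already used in group {self.name}")
        self._by_seq[policy.seq] = policy

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[IPsecPolicy]:
        # Walk entries in ascending sequence order; the first match wins.
        # No match means the packet leaves the interface without IPsec protection.
        for seq in sorted(self._by_seq):
            if self._by_seq[seq].matches(src_ip, dst_ip):
                return self._by_seq[seq]
        return None

def build_sample_group() -> IPsecPolicyGroup:
    """Constructed group 'branch': a specific subnet pair first, a broader site flow second."""
    g = IPsecPolicyGroup("branch")
    g.add(IPsecPolicy("branch", 10, "10.1.1.0/24", "10.2.2.0/24"))
    g.add(IPsecPolicy("branch", 20, "10.1.0.0/16", "10.2.0.0/16"))
    return g

def outbound_decision(group: IPsecPolicyGroup, src_ip: str, dst_ip: str) -> str:
    """Name the protecting policy entry for an outbound packet, or 'clear' when none matches."""
    p = group.lookup(src_ip, dst_ip)
    return f"{p.name} seq {p.seq}" if p else "clear"
```

Swapping the two sequence numbers would make the broad entry shadow the specific one, and a flow that matches neither entry is the case to audit, since it is forwarded unprotected.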

To apply an IPsec policy group to an interface:

Step                                               Command
1. Enter system view.                              system-view
2. Enter interface view.                           interface interface-type interface-number
3. Apply an IPsec policy group to the interface.   ipsec policy policy-name

NOTE:

  • IPsec policies can be applied only to VLAN interfaces on the switch.

  • An interface can reference only one IPsec policy group. An IPsec policy can be applied to only one interface.