
security acl

Function

The security acl command specifies an ACL to be referenced in an IPSec policy or IPSec policy template.

The undo security acl command cancels the configuration.

By default, an IPSec policy or IPSec policy template does not reference an ACL.

Format

security acl { ipv6 acl-number | acl-number }

undo security acl

Parameters

Parameter: ipv6 acl-number
Description: Specifies the number of an IPv6 ACL that is referenced in an IPSec policy. If this parameter is not specified, the IPSec policy references an IPv4 ACL.
NOTE: The device does not support this parameter in manual IPSec policy view.
Value: The value is an integer that ranges from 3000 to 3999.

Parameter: acl-number
Description: Specifies the number of an IPv4 ACL that is referenced in an IPSec policy.
Value: The value is an integer that ranges from 3000 to 3999.

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The security acl command references an ACL whose rules define the data flows to be protected by IPSec. In practice, you first configure rules in an advanced ACL (number 3000 to 3999) that match the data flows to be protected, and then apply the ACL to an IPSec policy so that traffic matching those rules is protected.

When an IPSec policy is created using an IPSec policy template, defining the data flows to be protected on the responder is optional:
  • If no security ACL is specified on the responder, the responder accepts the range of data flows to be protected as proposed by the initiator.
  • If a security ACL is specified on the responder, its rules must mirror those on the initiator (source and destination swapped), or the range of data flows protected on the responder must contain the range of data flows protected on the initiator.

Precautions

To reference an ACL in an IPSec policy, ensure that at least one rule is configured in the ACL and that the number of rules in the ACL does not exceed the specification limit for the device model listed below. Otherwise, the ACL cannot be referenced in the IPSec policy.

  • USG6510E/6510E-POE: The value is an integer that ranges from 1 to 1000.
  • USG6530E: The value is an integer that ranges from 1 to 3000.
  • USG6515E: The value is an integer that ranges from 1 to 15000.
  • USG6525E: The value is an integer that ranges from 1 to 15000.
  • USG6550E/6560E/6580E: The value is an integer that ranges from 1 to 15000.
  • USG6555E/6565E/6575E-B/6585E/6605E-B: The value is an integer that ranges from 1 to 15000.
  • USG6615E/6625E: The value is an integer that ranges from 1 to 15000.
  • USG6635E/6655E: The value is an integer that ranges from 1 to 15000.
  • USG6630E: The value is an integer that ranges from 1 to 15000.
  • USG6650E: The value is an integer that ranges from 1 to 15000.
  • USG6680E: The value is an integer that ranges from 1 to 15000.
  • USG6712E/6716E: The value is an integer that ranges from 1 to 15000.

If an address set is referenced in a security ACL, the IPSec policy must use IKEv2 (IKEv1 does not support this mode), and the address set can contain at most 15 IP addresses.
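The following is an added example, not part of this command reference and not Huawei code. It applies the two checks described above offline, before a security ACL is pushed to a device: the rule-count limits from the Precautions list, and the mirror-or-contain requirement between an initiator's security ACL and a responder's template policy from the Usage Scenario. The rule lines, the model names used as dictionary keys, and the simplifying assumptions (only permit rules with contiguous wildcard masks are modelled; protocol ip is treated as covering any protocol) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-model rule limits copied from the Precautions section; every model not
# listed here uses DEFAULT_MAX_RULES (15000). Model strings are this example's own keys.
MAX_RULES = {"USG6510E": 1000, "USG6510E-POE": 1000, "USG6530E": 3000}
DEFAULT_MAX_RULES = 15000


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Huawei address/wildcard pair (e.g. 10.1.1.0 0.0.0.255) to a prefix.
    Assumption: only contiguous wildcards are accepted, so a /n prefix exists."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    prefix = 32 - w.bit_length()            # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_rule(line: str) -> Optional[Flow]:
    """Parse an advanced-ACL rule in the form used by the Example section:
       rule [num] permit <proto> source <addr> <wildcard> destination <addr> <wildcard>
    Assumption of this helper: only permit rules define a protected flow; anything
    else yields None."""
    tok = line.split()
    if "permit" not in tok:
        return None
    p, s, d = tok.index("permit"), tok.index("source"), tok.index("destination")
    return Flow(tok[p + 1],
                wildcard_to_network(tok[s + 1], tok[s + 2]),
                wildcard_to_network(tok[d + 1], tok[d + 2]))


def check_rule_count(rules: List[str], model: str) -> Tuple[bool, str]:
    """Precaution check: the ACL must have rules, and no more than the model limit."""
    limit = MAX_RULES.get(model, DEFAULT_MAX_RULES)
    if not rules:
        return False, "ACL has no rules; it cannot be referenced by security acl"
    if len(rules) > limit:
        return False, f"{len(rules)} rules exceeds the {limit}-rule limit for {model}"
    return True, "ok"


def mirror(flow: Flow) -> Flow:
    """The same flow as seen from the peer: source and destination swapped."""
    return Flow(flow.proto, flow.dst, flow.src)


def covers(outer: Flow, inner: Flow) -> bool:
    """True when outer's selector contains inner's. Equal selectors count as covered,
    so an exact mirror passes this check too. Assumption: proto 'ip' matches any protocol."""
    proto_ok = outer.proto == inner.proto or outer.proto == "ip"
    return proto_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)


def responder_accepts(initiator_rules: List[str], responder_rules: List[str]) -> bool:
    """Template-policy rule from the Usage Scenario: a responder without a security ACL
    accepts the initiator's range; otherwise every initiator flow, mirrored, must be
    matched exactly or contained by some responder flow."""
    init = [f for f in map(parse_rule, initiator_rules) if f]
    resp = [f for f in map(parse_rule, responder_rules) if f]
    if not resp:
        return True
    return all(any(covers(r, mirror(i)) for r in resp) for i in init)


# Constructed sample rules for a site-to-site tunnel between 10.1.1.0/24 and 10.2.2.0/24.
INITIATOR = ["rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255"]
MIRRORED = ["rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"]
SUPERSET = ["rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255"]
NOT_MIRRORED = list(INITIATOR)   # initiator rule copied verbatim: wrong direction on the responder

if __name__ == "__main__":
    print("rule count USG6530E:", check_rule_count(INITIATOR, "USG6530E"))
    for name, rules in [("mirrored", MIRRORED), ("superset", SUPERSET),
                        ("not mirrored", NOT_MIRRORED), ("no responder ACL", [])]:
        print(f"{name:17s} accepted={responder_accepts(INITIATOR, rules)}")
```

Run it once per responder before committing a template policy; the copied-verbatim case is the common misconfiguration, because the same ACL text that is correct on the initiator is the wrong direction on the responder.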

Example

# Reference ACL 3100 in a manually created IPSec policy.
<sysname> system-view
[sysname] acl number 3100
[sysname-acl-adv-3100] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[sysname-acl-adv-3100] quit
[sysname] ipsec policy policy1 100 manual
[sysname-ipsec-policy-manual-policy1-100] security acl 3100
Copyright © Huawei Technologies Co., Ltd.