Send documentation comments to mdsfeedback-doc@cisco.com
44-22
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 44 Configuring IPsec Network Security
Crypto IPv4-ACLs
• Configuring Perfect Forward Secrecy, page 44-35
• About Crypto Map Set Application, page 44-36
• Applying a Crypto Map Set, page 44-36
About Crypto IPv4-ACLs
Crypto IPv4-ACLs are used to define which IP traffic requires crypto protection and which traffic does not.
Crypto IPv4-ACLs associated with IPsec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPsec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPsec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.
• Determine whether or not to accept requests for IPsec SAs on behalf of the requested data flows when processing IKE negotiation from the IPsec peer.
Tip If you want some traffic to receive one type of IPsec protection (for example, encryption only) and other traffic to receive a different type of IPsec protection (for example, both authentication and encryption), create two IPv4-ACLs. Use both IPv4-ACLs in different crypto maps to specify different IPsec policies.
Note IPsec does not support IPv6-ACLs.
Crypto IPv4-ACL Guidelines
Follow these guidelines when configuring IPv4-ACLs for the IPsec feature:
• The Cisco NX-OS software only allows name-based IPv4-ACLs.
• When an IPv4-ACL is applied to a crypto map, the following options apply:
– Permit—Applies the IPsec feature to the traffic.
– Deny—Allows clear text (default).
Note IKE traffic (UDP port 500) is implicitly transmitted in clear text.
• The IPsec feature only considers the source and destination IPv4 addresses and subnet masks, protocol, and a single port number. There is no support for IPv6 in IPsec.
Note The IPsec feature does not support port number ranges and ignores the higher port number field, if specified.
• The permit option causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.
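The following is an added model of the crypto IPv4-ACL semantics described above (it is not Cisco code and does not reproduce the NX-OS implementation): first matching entry wins, permit means protect, deny or no match means clear text, IKE on UDP 500 is implicitly clear, only addresses, masks, protocol and a single port are matched, and inbound clear-text traffic that a permit entry covers is discarded. The mirror rule (inbound traffic is checked with source and destination swapped) and the constructed sample policy are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" = protect with IPsec, "deny" = clear text
    proto: str    # "ip", "tcp" or "udp"
    src: str      # source network, e.g. "10.1.1.0/24"
    dst: str      # destination network
    port: int = 0 # single destination port, 0 = any; ranges are not supported

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def mirror(flow: Flow) -> Flow:
    return Flow(flow.proto, flow.dst, flow.src, flow.dport, flow.sport)  # assumption: inbound checked swapped

def matches(ace: Ace, flow: Flow) -> bool:
    # Only addresses/masks, protocol and one port are considered, as the guidelines state.
    if (ace.proto != "ip" and ace.proto != flow.proto) or (ace.port and ace.port != flow.dport):
        return False
    return (ip_address(flow.src) in ip_network(ace.src)
            and ip_address(flow.dst) in ip_network(ace.dst))

def outbound_policy(acl: list[Ace], flow: Flow) -> str:
    """First matching entry wins; deny and no match both mean clear text."""
    if flow.proto == "udp" and flow.dport == 500:  # IKE is implicitly sent in clear text
        return "clear"
    for ace in acl:
        if matches(ace, flow):
            return "protect" if ace.action == "permit" else "clear"
    return "clear"

def inbound_filter(acl: list[Ace], flow: Flow, ipsec_protected: bool) -> str:
    """Discard clear-text traffic that the ACL says should have arrived under IPsec."""
    if not ipsec_protected and outbound_policy(acl, mirror(flow)) == "protect":
        return "discard"
    return "accept"

def accept_sa_request(acl: list[Ace], peer_selector: Flow) -> bool:  # fourth function: SA requests
    return outbound_policy(acl, mirror(peer_selector)) == "protect"

# Constructed sample policy: local subnet talks in the clear, traffic to 10.2.2.0/24 is protected.
CRYPTO_ACL = [
    Ace("deny", "ip", "10.1.1.0/24", "10.1.1.0/24"),
    Ace("permit", "ip", "10.1.1.0/24", "10.2.2.0/24"),
]
```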