Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 44 Configuring IPsec Network Security
Crypto IPv4-ACLs
• For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interface shutdowns, VRRP switchovers, and port failures.
Mirror Image Crypto IPv4-ACLs

For every crypto IPv4-ACL specified for a crypto map entry defined at the local peer, define a mirror image crypto IPv4-ACL at the remote peer. This configuration ensures that IPsec traffic applied locally can be processed correctly at the remote peer.

Tip: The crypto map entries themselves must also support common transforms and must refer to the other system as a peer.
Figure 44-18 shows some sample scenarios with and without mirror image IPv4-ACLs.

As Figure 44-18 indicates, IPsec SAs can be established as expected whenever the two peers' crypto IPv4-ACLs are mirror images of each other. However, an IPsec SA can be established only some of the time when the IPv4-ACLs are not mirror images of each other. This can happen when an entry in one peer's IPv4-ACL is a subset of an entry in the other peer's IPv4-ACL, as shown in cases 3 and 4 of Figure 44-18. IPsec SA establishment is critical to IPsec. Without SAs, IPsec does not work, causing any packets matching the crypto IPv4-ACL criteria to be silently dropped instead of being forwarded with IPsec security.
Figure 44-18 IPsec Processing of Mirror Image Configuration (figure; only the text of the illustration is recoverable here)

Topology: Switch M, interface S0 -- Internet -- interface S1, Router N. The crypto IPv4-ACLs are applied at Switch M S0 and at Router N S1. Subnet X is on the Switch M side; Subnet Y, containing Host B and Host C, is on the Router N side.

Case 1: IPsec access list at S0 permits Switch M -> Host B; at S1 permits Host B -> Switch M (mirror image). 1st packet: M -> B or B -> M. Result: SAs established for traffic between M and B (good).
Case 2: IPsec access list at S0 permits Switch M -> Host B; at S1 permits Subnet Y -> Subnet X. 1st packet: M -> B. Result: SAs established for traffic between M and B (good).
Case 3: IPsec access list at S0 permits Switch M -> Host B; at S1 permits Subnet Y -> Subnet X. 1st packet: B -> M. Result: SAs cannot be established and packets from Host B to Switch M are dropped (bad).
Case 4: IPsec access list at S0 permits Subnet X -> Subnet Y; at S1 permits Subnet Y -> Subnet X (mirror image). 1st packet: M -> B, B -> M, or M -> C. Result: SAs established for traffic between X and Y (good).
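The following is an added example, not code from the Cisco guide, that models why cases 2 and 3 differ. It assumes a simplified negotiation rule: the peer that sees the first packet proposes the whole crypto ACL entry that the packet matched as the traffic selector, and the responder accepts only if the mirror of that selector lies within one of its own entries. Addresses for Switch M, Host B, Host C and Subnets X and Y are constructed, protocol and port are ignored, and the names (CryptoAclEntry, sa_outcome, missing_mirrors) are the example's own. The missing_mirrors check is the pre-deployment test a defender would run on the two peers' ACLs before relying on them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing for the figure's topology (hypothetical values).
SWITCH_M = "10.1.1.1"          # Switch M, in Subnet X
SUBNET_X = "10.1.1.0/24"
HOST_B = "10.2.2.2"            # Hosts B and C, in Subnet Y
HOST_C = "10.2.2.3"
SUBNET_Y = "10.2.2.0/24"


@dataclass(frozen=True)
class CryptoAclEntry:
    """One permit entry of a crypto IPv4-ACL: protect traffic from src to dst."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def reversed(self) -> "CryptoAclEntry":
        """The mirror image of this entry (what the remote peer should configure)."""
        return CryptoAclEntry(self.dst, self.src)

    def covers(self, other: "CryptoAclEntry") -> bool:
        """True when every flow matched by `other` is also matched by this entry."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


def permit(src: str, dst: str) -> CryptoAclEntry:
    # ip_network() turns a bare host address into a /32 network.
    return CryptoAclEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def first_match(acl: List[CryptoAclEntry], src_ip: str, dst_ip: str) -> Optional[CryptoAclEntry]:
    """First ACL entry matching a packet, or None when the packet is not protected."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry
    return None


def sa_outcome(initiator_acl: List[CryptoAclEntry], responder_acl: List[CryptoAclEntry],
               pkt_src: str, pkt_dst: str) -> str:
    """Outcome of the SA negotiation triggered by the first packet seen at the initiator.

    Assumed, simplified rule: the initiator proposes the whole ACL entry the packet
    matched; the responder accepts only if the mirror of that proposal lies within
    one of its own entries. This reproduces cases 1-4 of Figure 44-18.
    """
    proposed = first_match(initiator_acl, pkt_src, pkt_dst)
    if proposed is None:
        return "not protected"
    wanted = proposed.reversed()
    if any(entry.covers(wanted) for entry in responder_acl):
        return "SA established"
    return "SA not established, packets dropped"


def missing_mirrors(local_acl: List[CryptoAclEntry],
                    remote_acl: List[CryptoAclEntry]) -> List[CryptoAclEntry]:
    """Mirror-image entries that remote_acl lacks for entries of local_acl.
    An empty list means the remote ACL is a mirror image of the local one."""
    return [e.reversed() for e in local_acl if e.reversed() not in remote_acl]


# The four cases of Figure 44-18, using the constructed addresses above.
S0_CASE1 = [permit(SWITCH_M, HOST_B)]
S1_CASE1 = [permit(HOST_B, SWITCH_M)]
S0_CASE2 = [permit(SWITCH_M, HOST_B)]          # also the S0 ACL of case 3
S1_CASE2 = [permit(SUBNET_Y, SUBNET_X)]        # also the S1 ACL of case 3
S0_CASE4 = [permit(SUBNET_X, SUBNET_Y)]
S1_CASE4 = [permit(SUBNET_Y, SUBNET_X)]


def figure_44_18() -> dict:
    """Result of each case, keyed by case number."""
    return {
        1: sa_outcome(S0_CASE1, S1_CASE1, SWITCH_M, HOST_B),   # M -> B, first seen at S0
        2: sa_outcome(S0_CASE2, S1_CASE2, SWITCH_M, HOST_B),   # M -> B, first seen at S0
        3: sa_outcome(S1_CASE2, S0_CASE2, HOST_B, SWITCH_M),   # B -> M, first seen at S1
        4: sa_outcome(S0_CASE4, S1_CASE4, SWITCH_M, HOST_C),   # M -> C, first seen at S0
    }


if __name__ == "__main__":
    for case, result in figure_44_18().items():
        print(f"case {case}: {result}")
    print("entries S1 would need to mirror S0 in cases 2/3:", missing_mirrors(S0_CASE2, S1_CASE2))
```

Case 3 fails because Router N proposes its whole Subnet Y -> Subnet X entry, and Switch M's narrower Switch M -> Host B entry cannot cover it; the same pair of ACLs succeeds in case 2 only because Switch M happened to initiate. Running missing_mirrors on both peers' ACLs before deployment flags exactly that asymmetry, whichever side sends the first packet.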