
Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement General IPSec Configurations for IPSec Networks
SC-89
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Step 3

Command or Action

[sequence-number] permit {ipv4 | ipv4-protocol-number} {any | host source-ip | source-ip/prefix | source-ip source-wildcard} {any | host destination-ip | destination-ip/prefix | destination-ip destination-wildcard}

or

[sequence-number] permit {tcp | udp} {any | host source-ip | source-ip/prefix | source-ip source-wildcard} [eq port-number | gt port-number | lt port-number | neq port-number | range port-number port-number] {any | host destination-ip | destination-ip/prefix | destination-ip destination-wildcard} [eq port-number | gt port-number | lt port-number | neq port-number | range port-number port-number]

Example:

RP/0/RP0/CPU0:router(config-ipv4-acl)# 10 permit tcp 100.0.1.0 0.0.0.255 lt 15 30.0.0.0/16 range 2000 2050

Purpose

Specifies conditions to determine which IP packets are protected. Enables crypto for traffic that matches these conditions.

In the first version of this step, any IPv4 protocol together with source and destination IP addresses can be used to define crypto traffic.

In the second version, either the TCP or the UDP protocol can be used to define crypto traffic, together with source and destination IP addresses and an optional selection of port numbers.

Caution: Use the any keyword with caution. For details, see the “About Use of the any Keyword in Crypto Access Lists” section on page 97.

Note: Only those keywords that have a relationship to crypto access list creation are referenced here. For this reason, for example, the deny command has been omitted. This is because Cisco IOS XR software ignores an ACL if it is configured with the deny command and associated with an IPSec profile.

sequence-number: Specifies a sequence number to be associated with the protocol used to define crypto traffic. Range is from 1-2147483646.

ipv4-protocol-number: Specifies an IPv4 protocol number to be used to define crypto traffic. Range is from 0-255.

port-number: Specifies a port number used to define crypto traffic. You can define a range of port numbers using the gt, lt, neq, or range keyword. Range is from 0-65535.

range keyword: Specifies a range of port numbers. Range is from 0-65535.

In the example, an ACL is defined for TCP traffic with a source address in the range from 100.0.1.0 to 100.0.1.255, a source port number from 0 to 14, a destination address in the range from 30.0.0.0 to 30.0.255.255, and any destination port in the range from 2000 to 2050.
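The matching rules of the example entry, worked through as an added Python sketch that is not part of the Cisco guide: it parses a permit entry in the syntax shown in this step and tests whether a packet's protocol, addresses and ports fall inside the crypto traffic the entry defines. The function names are hypothetical, the packet values used with it are constructed, and noncontiguous wildcard masks are assumed not to occur.

```python
import ipaddress

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # keyword -> operand count

def _addr(tok):
    """Consume one address spec; return (network, or None for 'any', rest of tokens)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if "/" in tok[0]:
        return ipaddress.ip_network(tok[0], strict=False), tok[1:]
    # "ip wildcard" form: invert the wildcard bits to obtain the netmask
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _ports(tok):
    """Consume an optional port operator; return (predicate, rest of tokens)."""
    if not tok or tok[0] not in PORT_OPS:
        return (lambda p: True), tok          # no port condition given
    n = PORT_OPS[tok[0]]
    a = [int(x) for x in tok[1:1 + n]]
    test = {"eq": lambda p: p == a[0], "gt": lambda p: p > a[0],
            "lt": lambda p: p < a[0], "neq": lambda p: p != a[0],
            "range": lambda p: a[0] <= p <= a[-1]}[tok[0]]
    return test, tok[1 + n:]

def parse_permit(line):
    """Parse '[sequence-number] permit proto src [ports] dst [ports]'."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else None
    if tok.pop(0) != "permit":                # the guide omits deny for crypto ACLs
        raise ValueError("only permit entries define crypto traffic")
    proto = tok.pop(0)
    src, tok = _addr(tok)
    sport, tok = _ports(tok)
    dst, tok = _addr(tok)
    dport, tok = _ports(tok)
    return {"seq": seq, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "uses_any": src is None or dst is None}

def selects(e, proto, src, sport, dst, dport):
    """True if the packet is crypto traffic under entry e (proto spelled as in the ACL)."""
    ip = ipaddress.ip_address
    return (e["proto"] in ("ipv4", proto)
            and (e["src"] is None or ip(src) in e["src"]) and e["sport"](sport)
            and (e["dst"] is None or ip(dst) in e["dst"]) and e["dport"](dport))

# The entry from the example in this step
EXAMPLE = "10 permit tcp 100.0.1.0 0.0.0.255 lt 15 30.0.0.0/16 range 2000 2050"
```

The uses_any field marks entries that contain the any keyword, so they can be reviewed against the caution in this step before the ACL is attached to an IPSec profile.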