Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement IPSec Network Security for Locally Sourced and Destined Traffic
SC-129
Cisco IOS XR System Security Configuration Guide
DETAILED STEPS
How to Implement IPSec Network Security for Locally Sourced and Destined Traffic
Locally sourced and terminated traffic is evaluated against IPSec profiles that are attached to
tunnel-ipsec interfaces or crypto transport.
Note • Multiple profiles can be attached to a tunnel-ipsec interface or crypto transport.
• For locally sourced or terminated traffic, we discourage the use of the any keyword to specify
source or destination addresses in the crypto profiles that are attached to the tunnel-ipsec
interface or transport. This recommendation applies only to locally sourced traffic. For VPN transit
traffic, you can encrypt all the traffic going through the interface; therefore, ACLs in profiles that are
attached to service-ipsec interfaces can use the any keyword.
This section contains the following procedures:
• The any Keyword in Crypto Access Lists, page SC-129
• Applying Crypto Profiles to tunnel-ipsec Interfaces, page SC-130
• Applying Crypto Profiles to Crypto Transport, page SC-131
The any Keyword in Crypto Access Lists
When you create crypto access lists, using the any keyword could cause problems. We discourage the
use of the any keyword to specify source or destination addresses. The any keyword is relevant only to
locally sourced or terminated traffic.
No concept of default access lists exists for IPSec.
The permit any any statement is strongly discouraged, because it causes all outbound traffic to be
protected (and all protected traffic to be sent to the peer specified in the corresponding crypto profile
entry) and requires protection for all inbound traffic. Then, all inbound packets that lack IPSec protection
are silently dropped, including packets for routing protocols, NTP, echo, echo response, and so on.
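The following is an added example, not part of the Cisco guide: a small configuration lint that flags crypto ACLs using the any keyword where this section discourages it (profiles attached to tunnel-ipsec interfaces or crypto transport) while leaving service-ipsec attachments alone. The crypto profile syntax (crypto ipsec profile / match ACL transform-set), the profile attachment lines and the sample configuration are constructed assumptions for illustration.

```python
# Added example, not from the Cisco IOS XR guide. Lints an IOS XR style
# configuration for "permit ... any" ACEs in crypto ACLs whose profiles are
# attached to tunnel-ipsec interfaces or crypto transport (discouraged by the
# guide for locally sourced/terminated traffic); service-ipsec is exempt.
# The profile/attachment syntax and the config below are assumptions.
import re

SAMPLE_CONFIG = """\
ipv4 access-list ACL-MGMT
 10 permit ipv4 host 10.0.0.1 host 10.0.0.2
ipv4 access-list ACL-ALL
 10 permit ipv4 any any
crypto ipsec profile P-LOCAL
 match ACL-ALL transform-set TS1
crypto ipsec profile P-TRANSIT
 match ACL-ALL transform-set TS1
crypto ipsec profile P-SAFE
 match ACL-MGMT transform-set TS1
interface tunnel-ipsec 1
 profile P-LOCAL
interface service-ipsec 1
 profile P-TRANSIT
crypto ipsec transport
 profile P-SAFE
"""

def parse_config(text):
    """Return (acls, profiles, attachments): ACL name -> ACE lines,
    profile name -> ACL name, and (attach point, profile name) pairs."""
    acls, profiles, attachments, block = {}, {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # start of a top-level block
            block = line
            if line.startswith("ipv4 access-list "):
                acls[line.split()[2]] = []
            continue
        if block.startswith("ipv4 access-list "):
            acls[block.split()[2]].append(line)
        elif block.startswith("crypto ipsec profile "):
            m = re.match(r"match (\S+)", line)
            if m:
                profiles[block.split()[3]] = m.group(1)
        elif line.startswith("profile "):      # interface or transport attachment
            attachments.append((block, line.split()[1]))
    return acls, profiles, attachments

def any_in_permit(aces):
    """True if a permit ACE uses 'any' as its source or destination."""
    return any(re.search(r"\bpermit\b.*\bany\b", a) for a in aces)

def find_risky_any(config):
    """List profiles with 'any' ACEs attached to tunnel-ipsec or crypto transport."""
    acls, profiles, attachments = parse_config(config)
    findings = []
    for point, prof in attachments:
        if point.startswith("interface service-ipsec"):
            continue                           # transit traffic: any is acceptable
        acl = profiles.get(prof)
        if acl and any_in_permit(acls.get(acl, [])):
            findings.append(f"{point}: profile {prof} matches {acl} with 'any'")
    return findings

if __name__ == "__main__":
    for finding in find_risky_any(SAMPLE_CONFIG):
        print(finding)
```

On the sample, only the tunnel-ipsec attachment is reported; the same ACL on service-ipsec passes, and the transport profile uses host addresses.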
Command or Action                                          Purpose
Step 1  configure                                          Enters global configuration mode.
        Example:
        RP/0/0/CPU0:router# configure
Step 2  crypto mib ipsec flowmib history failure size      Sets the size of the failure history table.
        number
        Example:
        RP/0/0/CPU0:router(config)# crypto mib ipsec flowmib history failure size 140