Crypto-map Instance
10-7
10.1.5 match
Crypto Map Config Commands
Use this command to assign an IP access-list to a crypto map definition. The access-list
designates the IP packets to be encrypted by this crypto map.
A crypto map entry is a single policy that describes how certain traffic is secured. There
are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is
given an index (used to sort the ordered list).
When a non-secured packet arrives on an interface, the crypto map set associated with
that interface is processed (in order). If a crypto map entry matches the non-secured traffic,
the traffic is discarded.
When a packet is transmitted on an interface, the crypto map set associated with that
interface is processed. The first crypto map entry that matches the packet is used to secure
the packet. If a suitable SA exists, it is used for transmission. Otherwise, IKE is used to
establish an SA with the peer. If no SA exists (and the crypto map entry is “respond only”),
the packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up a SA. If a SA does
not exist (or if the packet fails any of the security checks), it is discarded. If all checks pass,
the packet is forwarded normally.
Supported in the following platforms:
• RFS7000
• RFS6000
• RFS4000
Syntax
Parameters
address Match the address of packets to encrypt
<acl-id> Enter the name of the access list or ACL ID to assign to this
crypto map
To Next Page
Loading...
Need help?
General
