Mirror image ACLs
To ensure that SAs can be set up and that traffic protected by IPsec is processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created at the local peer. A mirror image rule swaps the source and destination of the original rule. As shown in Figure 94, the ACL rules on Router B are mirror images of the rules on Router A. This ensures that SAs can be created successfully for the traffic between Host A and Host C and for the traffic between Network 1 and Network 2.

Figure 94 Mirror image ACLs
[Figure 94: Host A (1.1.1.1), Network 1 (1.1.1.0/24) and Host B on the Router A side; Router A Eth1/1 connected through an IP network to Router B Eth1/2; Host C (2.2.2.2), Network 2 (2.2.2.0/24) and Host D on the Router B side.
Router A: ACL1: rule permit 1.1.1.1 -> 2.2.2.2; ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24.
Router B: ACL1: rule permit 2.2.2.2 -> 1.1.1.1; ACL2: rule permit 2.2.2.0/24 -> 1.1.1.0/24.]
Mirror image ACLs on Eth1/1 of Router A and on Eth1/2 of Router B

If the ACL rules on the peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 95, the range specified by the ACL rule configured on Router A is covered by its counterpart on Router B.
• The peer with the narrower rule initiates SA negotiation. If the wider ACL rule belongs to the SA initiator, the negotiation request may be rejected because the traffic it matches is beyond the scope of the responder's rule. As shown in Figure 95, the SA negotiation initiated by Host A to Host C is accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.

Figure 95 Non-mirror image ACLs
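The two requirements above can be checked before a tunnel is brought up. The following is an added example, not code from the configuration guide or from the router vendor: it parses rules in the "rule permit SRC -> DST" notation used in the figure labels (the parser itself is an assumption), tests whether two peers' rules are mirror images, and, where they are not, models the negotiation described in the text: the initiator proposes the selector from its own rule and the responder accepts only if that selector, seen from the responder's side, fits inside the responder's own rule. The Router B rule used for the non-mirror case (2.2.2.0/24 -> 1.1.1.0/24) and the addresses of Host B (1.1.1.2) and Host D (2.2.2.3) are constructed to match the figure descriptions, not taken from the page. One caveat for practitioners: an IKEv2 responder is allowed to narrow the proposed traffic selectors (RFC 7296, section 2.9), so the "narrower rule must initiate" requirement applies to implementations that reject rather than narrow.

```python
"""Mirror-image and coverage checks for IPsec ACL rule pairs.

Added example; the rule syntax, the negotiation model and the sample
addresses below are assumptions, not the configuration guide's own code.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One 'permit SRC -> DST' rule, stored as two networks (hosts are /32)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Rule":
        """The rule the other peer must hold: source and destination swapped."""
        return Rule(self.dst, self.src)

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


# Assumed textual form, copied from the figure labels: "rule permit A -> B".
_RULE_RE = re.compile(r"rule\s+permit\s+(\S+)\s*->\s*(\S+)")


def parse_rule(text: str) -> Rule:
    """Parse 'rule permit 1.1.1.0/24 -> 2.2.2.0/24' (or bare host addresses)."""
    m = _RULE_RE.search(text)
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    src, dst = (ipaddress.ip_network(x, strict=False) for x in m.groups())
    return Rule(src, dst)


def negotiation_ok(initiator_rule: Rule, responder_rule: Rule) -> bool:
    """Model of the behaviour described in the text: the initiator proposes
    the selector of its own rule; the responder accepts only if that selector,
    mirrored to the responder's point of view, lies within the responder's rule."""
    return responder_rule.covers(initiator_rule.mirror())


def flow_ok(src: str, dst: str, initiator_rule: Rule, responder_rule: Rule) -> bool:
    """Can a packet src->dst from behind the initiator trigger an SA that the
    responder accepts?  The packet must first match the initiator's own rule."""
    flow = Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst))
    if not initiator_rule.covers(flow):
        return False
    return negotiation_ok(initiator_rule, responder_rule)


def analyze(local_rule: Rule, remote_rule: Rule) -> dict:
    """Summarize one rule pair: mirror image?  Which side may initiate?"""
    return {
        "mirror_image": local_rule == remote_rule.mirror(),
        "local_may_initiate": negotiation_ok(local_rule, remote_rule),
        "remote_may_initiate": negotiation_ok(remote_rule, local_rule),
    }


def missing_mirrors(local_rules, remote_rules) -> list:
    """Local rules that have no exact mirror image on the remote peer."""
    remote = set(remote_rules)
    return [r for r in local_rules if r.mirror() not in remote]


if __name__ == "__main__":
    # Figure 94: mirror-image pairs (taken from the figure labels).
    a1 = parse_rule("ACL1: rule permit 1.1.1.1 -> 2.2.2.2")
    a2 = parse_rule("ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24")
    b1 = parse_rule("ACL1: rule permit 2.2.2.2 -> 1.1.1.1")
    b2 = parse_rule("ACL2: rule permit 2.2.2.0/24 -> 1.1.1.0/24")
    print("Figure 94, ACL1:", analyze(a1, b1))
    print("Figure 94, missing mirrors:", missing_mirrors([a1, a2], [b1, b2]))

    # Non-mirror case (constructed): Router A keeps the host rule, Router B
    # holds the wider network rule, so only Router A may initiate.
    print("Non-mirror, A vs B:", analyze(a1, b2))
    print("Host A -> Host C:", flow_ok("1.1.1.1", "2.2.2.2", a1, b2))
    print("Host C -> Host B:", flow_ok("2.2.2.2", "1.1.1.2", b2, a1))  # assumed Host B
    print("Host D -> Host A:", flow_ok("2.2.2.3", "1.1.1.1", b2, a1))  # assumed Host D
```

Run `missing_mirrors` against both peers' full ACLs during change review; an empty list on both sides means the first requirement is met exactly and the initiator question never arises.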