Mirror Image Crypto IPv4-ACLs - HP Cisco MDS 9020 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)
Chapter 35
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com
Figure 35-5 IPsec Processing of Crypto IPv4-ACLs

[Figure 35-5: MDS_Switch A (S0) and MDS_Switch N (S1) are IPsec peers connected across the Internet.]
IPsec access list at S0:
    access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255
IPsec access list at S1:
    access-list S1 permit ip 20.0.0.2 0.0.0.255 10.0.0.1 0.0.0.255
Traffic exchanged between 10.0.0.1 and 20.0.0.2 is protected.

If you configure multiple statements for a given crypto IPv4-ACL that is used for IPsec, the first permit statement that is matched is used to determine the scope of the IPsec SA. Later, if traffic matches a different permit statement of the crypto IPv4-ACL, a new, separate IPsec SA is negotiated to protect the traffic matching the newly matched IPv4-ACL statement.

Unprotected inbound traffic that matches a permit entry in the crypto IPv4-ACL for a crypto map entry flagged as IPsec is dropped, because this traffic was expected to be protected by IPsec.

You can use the show ip access-lists command to view all IP-ACLs. The IP-ACLs used for traffic filtering purposes are also used for crypto.

For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interface shutdowns, VRRP switchovers, and port failures. The following example of an IPv4-ACL entry shows that the MDS switch IPv4 address is 10.10.10.50 and the remote Microsoft host running encrypted iSCSI sessions is 10.10.10.16:

    switch(config)# ip access-list aclmsiscsi2 permit tcp 10.10.10.50 0.0.0.0 range port 3260 3260 10.10.10.16 0.0.0.0

Mirror Image Crypto IPv4-ACLs

For every crypto IPv4-ACL specified for a crypto map entry defined at the local peer, define a mirror image crypto IPv4-ACL at the remote peer, that is, the same entry with its source and destination swapped (in Figure 35-5, S0 permits 10.0.0.1 0.0.0.255 to 20.0.0.2 0.0.0.255 and S1 permits 20.0.0.2 0.0.0.255 to 10.0.0.1 0.0.0.255). This configuration ensures that IPsec traffic applied locally can be processed correctly at the remote peer.

Tip: The crypto map entries themselves must also support common transforms and must refer to the other system as a peer.

Figure 35-6 shows some sample scenarios with and without mirror image IPv4-ACLs.

Cisco MDS 9000 Family CLI Configuration Guide, OL-16184-01, Cisco MDS SAN-OS Release 3.x    35-19
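The checks a practitioner would want to run against crypto IPv4-ACL entries like the ones on this page, as an added example that is not code from the Cisco guide: a small Python parser for the ACE form the page uses, a first-match lookup that returns the permit entry scoping a flow's IPsec SA (the "first permit statement that is matched" rule), and a mirror-image comparison of two peers' crypto ACLs. The S0, S1 and aclmsiscsi2 entries are copied from the page; the grammar subset, the function names, and the S1_BAD and MULTI lists are assumptions constructed for the example.

```python
"""Added example (not code from the Cisco MDS guide): parse crypto IPv4-ACL
entries in the form shown on this page, find the first permit entry a flow
matches (the entry that scopes its IPsec SA), and check that two peers'
crypto IPv4-ACLs are mirror images.  Assumed grammar (the subset the page
uses; anything else is rejected):  [access-list NAME | ip access-list NAME]
permit|deny PROTO (any | SRC WILD) [range port LO HI] (any | DST WILD) [range port LO HI]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


def wildcard_to_prefix(wildcard: str) -> int:
    """Cisco wildcard (0 bits must match): 0.0.0.0 -> /32, 0.0.0.255 -> /24.
    A non-contiguous wildcard has no prefix equivalent, so it is refused."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return prefix


def _port_ok(rng: PortRange, port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    src_ports: PortRange
    dst: ipaddress.IPv4Network
    dst_ports: PortRange

    def mirror(self) -> "Ace":
        """The entry the remote peer needs: source and destination swapped."""
        return Ace(self.action, self.proto, self.dst, self.dst_ports,
                   self.src, self.src_ports)

    def matches(self, proto: str, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and _port_ok(self.src_ports, sport) and _port_ok(self.dst_ports, dport))


def _take_endpoint(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, PortRange, int]:
    """Consume 'any' or 'ADDR WILDCARD', then an optional 'range port LO HI'."""
    if tok[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:
        net = ipaddress.IPv4Network((tok[i], wildcard_to_prefix(tok[i + 1])), strict=False)
        i += 2
    ports: PortRange = None
    if tok[i:i + 2] == ["range", "port"]:
        ports, i = (int(tok[i + 2]), int(tok[i + 3])), i + 4
    return net, ports, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    starts = [k for k, t in enumerate(tok) if t in ("permit", "deny")]
    if not starts:
        raise ValueError(f"no permit/deny in {line!r}")
    i = starts[0]
    action, proto = tok[i], tok[i + 1]
    src, sports, i = _take_endpoint(tok, i + 2)
    dst, dports, i = _take_endpoint(tok, i)
    if i != len(tok):
        raise ValueError(f"unparsed tail {tok[i:]} in {line!r}")
    return Ace(action, proto, src, sports, dst, dports)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(ln) for ln in lines if ln.strip()]


def sa_selector(acl: List[Ace], proto: str, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[Ace]:
    """First entry the flow matches.  A permit is the selector that scopes the
    IPsec SA for this flow; a deny, or no match at all, means the flow is not
    protected, so None is returned."""
    for ace in acl:
        if ace.matches(proto, src, dst, sport, dport):
            return ace if ace.action == "permit" else None
    return None


def missing_mirrors(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local permit entries whose exact mirror image is absent at the remote peer."""
    remote_permits = {a for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and a.mirror() not in remote_permits]


def is_mirror_image(local: List[Ace], remote: List[Ace]) -> bool:
    return not missing_mirrors(local, remote) and not missing_mirrors(remote, local)


# S0, S1 and ISCSI are the entries from the page; S1_BAD (host-only on the
# remote side) and MULTI (two permit statements) are constructed samples.
S0 = parse_acl(["access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255"])
S1 = parse_acl(["access-list S1 permit ip 20.0.0.2 0.0.0.255 10.0.0.1 0.0.0.255"])
S1_BAD = parse_acl(["access-list S1 permit ip 20.0.0.2 0.0.0.0 10.0.0.1 0.0.0.0"])
ISCSI = parse_acl(["ip access-list aclmsiscsi2 permit tcp 10.10.10.50 0.0.0.0 "
                   "range port 3260 3260 10.10.10.16 0.0.0.0"])
MULTI = parse_acl(["access-list M permit tcp 10.0.0.0 0.0.0.255 range port 3260 3260 any",
                   "access-list M permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"])

if __name__ == "__main__":
    print("S0 <-> S1 mirror:", is_mirror_image(S0, S1))
    print("S0 entries not mirrored by S1_BAD:", missing_mirrors(S0, S1_BAD))
```

Two caveats on the design. The mirror comparison is exact, not semantic: a remote entry that merely covers the local one (a wider prefix, or a port range that contains the local range) is still reported as missing, which is the strict reading of "mirror image" and the one that avoids surprises when the SA selectors are negotiated. Wildcards that are not contiguous (0.0.255.0, for instance) are refused rather than approximated, since they cannot be expressed as a single prefix. For the aclmsiscsi2 entry the lookup shows why the page asks for the TCP port: a flow from the switch's port 3260 to the Microsoft host matches, while the reverse direction and a UDP flow between the same hosts do not.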
