Configuring IPsec
Send documentation comments to mdsfeedback-doc@cisco.com.
Chapter 30 Configuring IPsec Network Security
Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x, page 30-12

In the context of crypto maps, ACLs are different from regular ACLs. Regular ACLs determine what traffic to forward or block at an interface. Crypto ACLs instead define which IP traffic requires crypto protection and which traffic does not. For example, a crypto ACL can be created to protect all IP traffic between Subnet A and Subnet Y, or Telnet traffic between Host A and Host B (on the MDS the Telnet case collapses to all IP traffic between the two hosts, because the IPsec feature ignores protocol and port fields; see the Note under "Crypto ACL Guidelines").

Crypto ACLs associated with IPsec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPsec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPsec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.
• Determine whether or not to accept requests for IPsec SAs on behalf of the requested data flows when processing IKE negotiation from the IPsec peer.

Tip If you want some traffic to receive one type of IPsec protection (for example, encryption only) and other traffic to receive a different type of IPsec protection (for example, both authentication and encryption), create two ACLs. Use the two ACLs in different crypto map entries to specify the different IPsec policies.

To create ACLs, follow these steps:

Step 1
Command: switch# config terminal
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# ip access-list List1 permit ip 10.1.1.100 0.0.0.255 11.1.1.100 0.0.0.255
Purpose: Permits all IP traffic from and to the specified networks. The second and fourth arguments are wildcard masks (a 1 bit means "do not care"), so this entry matches 10.1.1.0/24 to 11.1.1.0/24; the host part of 10.1.1.100 plays no role in the match.

Note The show ip access-list command does not display the crypto map entries. Use the show crypto map command to display the associated entries.

Add permit and deny statements as appropriate (see the "IP Access Control Lists" section on page 29-1). Each permit and deny specifies the conditions that determine which IP packets must be protected.

Crypto ACL Guidelines

Follow these guidelines when configuring ACLs for the IPsec feature:
• The Cisco SAN-OS software only allows name-based IP-ACLs.
• When an IP-ACL is applied to a crypto map, the following applies:
  – Permit—the IPsec feature is applied to the matching traffic.
  – Deny—the matching traffic is allowed in clear text (this is also the default for traffic that matches no entry).
• IKE traffic (UDP port 500) is implicitly transmitted in clear text.

Note The IPsec feature only considers the source and destination IP addresses and subnet masks. The IPsec feature ignores the port numbers and protocol fields. An entry that names a protocol or port therefore protects all IP traffic between the two address ranges, not only that protocol.
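The following is an added worked example, not code from the Cisco guide or from SAN-OS: a small Python model of how a crypto ACL such as List1 is evaluated for the four functions listed above and the guidelines that follow (wildcard-mask matching, permit = protect, deny or no match = clear text, IKE on UDP 500 always clear, protocol and port tokens ignored). The ACL text syntax, the packet dictionaries and the sample addresses are constructed for the example; that inbound packets and peer SA proposals are matched with source and destination swapped (mirrored) is an assumption about the implementation, not something the page states.

```python
"""Model of Cisco SAN-OS crypto ACL evaluation (added example, not Cisco code).

Assumptions not stated on the page: ACL lines are reduced to
'permit|deny <proto> <src> <src-wildcard> <dst> <dst-wildcard> [port tokens]',
packets are plain dicts, and inbound packets and peer SA proposals are
matched against the ACL with source and destination swapped (mirrored).
"""
import ipaddress

IKE_UDP_PORT = 500          # IKE is implicitly sent in clear text
ALL_ONES = 0xFFFFFFFF

# Constructed sample ACL in the guide's syntax; the tcp/eq 23 line shows that
# protocol and port fields are parsed but have no effect on matching.
SAMPLE_ACL = """
permit ip  10.1.1.100 0.0.0.255 11.1.1.100 0.0.0.255
deny   ip  10.1.1.0   0.0.0.255 10.1.2.0   0.0.0.255
permit tcp 10.1.3.0   0.0.0.255 10.1.4.0   0.0.0.255 eq 23
"""


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_crypto_acl(text):
    """Return a list of entries; protocol/port tokens are kept under 'ignored'."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, src, src_wc, dst, dst_wc, *extra = tokens
        entries.append({
            "action": action,
            "src": _ip(src), "src_wc": _ip(src_wc),
            "dst": _ip(dst), "dst_wc": _ip(dst_wc),
            "ignored": [proto] + extra,   # the IPsec feature never looks at these
        })
    return entries


def effective_network(base, wildcard):
    """The range an address/wildcard pair really covers: 10.1.1.100 0.0.0.255
    is all of 10.1.1.0/24. Returns None for a non-contiguous wildcard, which
    has no single CIDR equivalent."""
    b, wc = _ip(base), _ip(wildcard)
    if wc & (wc + 1):          # the 1 bits must form a trailing run
        return None
    prefix = 32 - bin(wc).count("1")
    return ipaddress.IPv4Network((b & (ALL_ONES ^ wc), prefix))


def _wildcard_match(addr, base, wildcard):
    # A 1 bit in the wildcard means "do not care"; compare only the 0 bits.
    return (addr ^ base) & (ALL_ONES ^ wildcard) == 0


def lookup(acl, src, dst):
    """First matching entry wins. No match means clear text (deny), the
    default the guide describes."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if _wildcard_match(s, e["src"], e["src_wc"]) and \
           _wildcard_match(d, e["dst"], e["dst_wc"]):
            return e["action"]
    return "deny"


def _is_ike(pkt):
    return pkt.get("proto") == "udp" and pkt.get("dport") == IKE_UDP_PORT


def outbound_action(acl, pkt):
    """Function 1: permit = protect, deny = send in clear text. Ports and
    protocol in pkt only matter for recognising IKE itself."""
    if _is_ike(pkt):
        return "clear"
    return "protect" if lookup(acl, pkt["src"], pkt["dst"]) == "permit" else "clear"


def inbound_action(acl, pkt):
    """Function 3: an unprotected packet whose (mirrored) flow the ACL says
    must be protected is discarded; everything else is accepted."""
    if _is_ike(pkt):
        return "accept"
    must_protect = lookup(acl, pkt["dst"], pkt["src"]) == "permit"
    if must_protect and not pkt.get("ipsec", False):
        return "discard"
    return "accept"


def accept_sa_proposal(acl, peer_src, peer_dst):
    """Function 4 (simplified): accept the peer's IKE proposal only if the
    proposed flow, seen from this side, hits a permit entry."""
    return lookup(acl, peer_dst, peer_src) == "permit"


if __name__ == "__main__":
    acl = parse_crypto_acl(SAMPLE_ACL)
    print(effective_network("10.1.1.100", "0.0.0.255"))            # 10.1.1.0/24
    print(outbound_action(acl, {"src": "10.1.3.9", "dst": "10.1.4.9",
                                "proto": "udp", "dport": 53}))     # protect (port ignored)
    print(inbound_action(acl, {"src": "11.1.1.200", "dst": "10.1.1.7",
                               "proto": "tcp", "dport": 22}))      # discard (arrived in clear)
```

The DNS packet between 10.1.3.0/24 and 10.1.4.0/24 is protected even though the ACL line says tcp eq 23, which is the practical consequence of the Note above; and a clear-text packet arriving for a flow that a permit entry covers is dropped rather than accepted, which is why a crypto ACL must mirror the peer's ACL exactly.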