Mirror Image Crypto Acls - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual


Chapter 30 Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com.

Mirror Image Crypto ACLs

For every crypto ACL specified for a crypto map entry defined at the local peer, define a mirror image
crypto ACL at the remote peer. This configuration ensures that IPsec traffic applied locally can be
processed correctly at the remote peer.
Tip: The crypto map entries themselves must also support common transforms and must refer to the other
system as a peer.
Figure 30-3 shows some sample scenarios with and without mirror image ACLs.

Figure 30-3 IPsec Processing of Mirror Image Configuration

[Figure 30-3: Switch M (interface S0, in Subnet X) connects across the Internet to Router N (interface S1, in
Subnet Y, which contains Host B and Host C). For Cases 1 through 4 the figure compares the IPsec access list
at S0, the IPsec access list at S1, the 1st packet, and the result. Cases 1 and 2 use mirror image access
lists at Switch M S0 and Router N S1: SAs are established for traffic between Switch M and Host B and for
traffic between Subnet X and Subnet Y (good). In Cases 3 and 4 the access lists are not mirror images: in
Case 3 SAs are established for traffic between Switch M and Host B (good); in Case 4 SAs cannot be
established and packets from Host B to Switch M are dropped (bad).]

As Figure 30-3 indicates, IPsec security associations (SAs) can be established as expected whenever the two
peers' crypto ACLs are mirror images of each other. However, an IPsec SA can be established only some of the
time when the ACLs are not mirror images of each other. This can happen in the case where an entry in one
peer's ACL is a subset of an entry in the other peer's ACL, such as shown in Cases 3 and 4 of Figure 30-3.
IPsec SA establishment is critical to IPsec—without SAs, IPsec does not work, causing any packets matching
the crypto ACL criteria to be silently dropped instead of being forwarded with IPsec security.

Use the show ip access-lists command to view all IP-ACLs. The IP-ACLs used for traffic filtering
purposes are also used for crypto.

Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x, page 30-14
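The subset behaviour behind Cases 3 and 4 can be checked before deploying a crypto map. The following is an added example, not code from the Cisco guide: it models the rule the figure illustrates (the initiating peer proposes the selector of its own crypto ACL entry that matched the first packet, and the responding peer accepts only if the mirrored proposal fits inside one of its own entries), and the addresses for Subnet X, Subnet Y, Switch M and Host B are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the guide): Switch M sits in Subnet X,
# Host B in Subnet Y. Each ACL entry is a (source_net, destination_net) pair.
SUBNET_X, SUBNET_Y = ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")
SWITCH_M, HOST_B = ip_network("10.1.0.1/32"), ip_network("10.2.0.7/32")

def mirror(entry):
    """Mirror image of a crypto ACL entry: swap source and destination."""
    src, dst = entry
    return (dst, src)

def is_mirror_image(acl_a, acl_b):
    """True when every entry on one peer has its exact mirror on the other peer."""
    return {mirror(e) for e in acl_a} == set(acl_b)

def matching_entry(acl, src_ip, dst_ip):
    """First entry that permits the packet (this is what the initiator proposes)."""
    for src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return (src_net, dst_net)
    return None

def responder_accepts(acl, proposed):
    """Assumed rule: accept only if the mirrored proposal fits inside one entry."""
    p_src, p_dst = mirror(proposed)
    return any(p_src.subnet_of(s) and p_dst.subnet_of(d) for s, d in acl)

def negotiate(initiator_acl, responder_acl, src_ip, dst_ip):
    """Outcome for a first packet src_ip -> dst_ip seen by the initiating peer."""
    proposed = matching_entry(initiator_acl, ip_address(src_ip), ip_address(dst_ip))
    if proposed is None:
        return "not crypto traffic"          # no ACL match: no IPsec for this flow
    if responder_accepts(responder_acl, proposed):
        return "SA established for %s <-> %s" % proposed
    return "SA cannot be established; packets dropped"

# Constructed scenarios in the spirit of Cases 1-4 of Figure 30-3.
S0_HOSTS, S1_HOSTS = [(SWITCH_M, HOST_B)], [(HOST_B, SWITCH_M)]    # mirror images
S0_NETS, S1_NETS = [(SUBNET_X, SUBNET_Y)], [(SUBNET_Y, SUBNET_X)]  # mirror images
S0_NARROW, S1_WIDE = [(SWITCH_M, HOST_B)], [(SUBNET_Y, SUBNET_X)]  # subset, not mirror

CASE1 = negotiate(S0_HOSTS, S1_HOSTS, "10.1.0.1", "10.2.0.7")  # M -> B first: good
CASE2 = negotiate(S1_NETS, S0_NETS, "10.2.0.7", "10.1.0.1")    # Y -> X first: good
CASE3 = negotiate(S0_NARROW, S1_WIDE, "10.1.0.1", "10.2.0.7")  # M -> B first: good
CASE4 = negotiate(S1_WIDE, S0_NARROW, "10.2.0.7", "10.1.0.1")  # B -> M first: dropped
```

Only Case 4 fails: Router N proposes the whole Subnet Y to Subnet X selector, which Switch M's narrower entry cannot cover, so the SA is never built and Host B's packets are dropped until Switch M initiates.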
