The Any Keyword In Crypto Ipv4-Acls; Creating Crypto Ipv4-Acls; About Transform Sets In Ipsec - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Chapter 44 Configuring IPsec Network Security
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
In case 4, an SA cannot be established because SAs are always requested according to the crypto
IPv4-ACLs at the initiating packet's end. In case 4, router N requests that all traffic between subnet X
and subnet Y be protected, but this is a superset of the specific flows permitted by the crypto IPv4-ACL
at switch M so the request is not permitted. Case 3 works because switch M's request is a subset of the
specific flows permitted by the crypto IPv4-ACL at router N.
Because of the complexities introduced when crypto IPv4-ACLs are not configured as mirror images at
peer IPsec devices, we strongly encourage you to use mirror image crypto IPv4-ACLs.

The any Keyword in Crypto IPv4-ACLs

We recommend that you configure mirror image crypto IPv4-ACLs for use by IPsec and that you avoid
Tip
using the any option.
The any keyword in a permit statement is discouraged when you have multicast traffic flowing through
the IPsec interface. This configuration can cause multicast traffic to fail.
The permit any statement causes all outbound traffic to be protected (and all protected traffic sent to the
peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic.
Then, all inbound packets that lack IPsec protection are silently dropped, including packets for routing
protocols, NTP, echo, echo response, and so forth.
You need to be sure you define which packets to protect. If you must use any in a permit statement, you
must preface that statement with a series of deny statements to filter out any traffic (that would otherwise
fall within that permit statement) that you do not want to be protected.

Creating Crypto IPv4-ACLs

To create crypto IPv4-ACLs refer to the Cisco MDS 9000 Family CLI Configuration Guide.

About Transform Sets in IPsec

A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers' IPsec security associations.
Tip If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations, but used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database.
OL-17256-03, Cisco MDS NX-OS Release 4.x
Cisco MDS 9000 Family Fabric Manager Configuration Guide
Crypto IPv4-ACLs
44-25