About Crypto IPv4-ACLs; Crypto IPv4-ACL Guidelines

Cisco MDS 9000 Family CLI Configuration Guide, Release 4.x (OL-18084-01, February 2009)
Chapter 37
Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
In the context of crypto maps, IPv4-ACLs are different from regular IPv4-ACLs. Regular IPv4-ACLs determine what traffic to forward or block at an interface. For example, IPv4-ACLs can be created to protect all IP traffic between subnet A and subnet Y or Telnet traffic between host A and host B.

This section contains the following topics:

• About Crypto IPv4-ACLs, page 37-17
• Creating Crypto IPv4-ACLs, page 37-21
• About Transform Sets in IPsec, page 37-21
• Configuring Transform Sets, page 37-22
• About Crypto Map Entries, page 37-23
• Creating Crypto Map Entries, page 37-24
• About SA Lifetime Negotiation, page 37-25
• Setting the SA Lifetime, page 37-25
• About the AutoPeer Option, page 37-26
• Configuring the AutoPeer Option, page 37-26
• About Perfect Forward Secrecy, page 37-27
• Configuring Perfect Forward Secrecy, page 37-27
• About Crypto Map Set Interface Application, page 37-27
• Applying a Crypto Map Set, page 37-28

About Crypto IPv4-ACLs

Crypto IPv4-ACLs are used to define which IP traffic requires crypto protection and which traffic does not.

Crypto IPv4-ACLs associated with IPsec crypto map entries have four primary functions:

• Select outbound traffic to be protected by IPsec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPsec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.
• Determine whether or not to accept requests for IPsec SAs on behalf of the requested data flows when processing IKE negotiation from the IPsec peer.

Tip: If you want some traffic to receive one type of IPsec protection (for example, encryption only) and other traffic to receive a different type of IPsec protection (for example, both authentication and encryption), create two IPv4-ACLs. Use both IPv4-ACLs in different crypto maps to specify different IPsec policies.

Note: IPsec does not support IPv6-ACLs.

Crypto IPv4-ACL Guidelines

Follow these guidelines when configuring IPv4-ACLs for the IPsec feature:
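The following Python model is an added illustration of the four functions listed under About Crypto IPv4-ACLs above; it is not code from the Cisco guide and does not reproduce the switch's implementation. The ACL entries, subnets, ports and packets are constructed for the example, the wildcard-mask helper assumes contiguous masks, and "permit = protect / deny = send in the clear", mirrored evaluation of inbound traffic, and the peer-request check are deliberate simplifications of the real behaviour.

```python
"""Added example (not from the Cisco guide): a small model of how a crypto
IPv4-ACL is consulted for outbound selection, SA negotiation, inbound
filtering and evaluation of a peer's IKE request. All data is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" = protect, "deny" = do not protect
    proto: str                      # "ip" matches any protocol; otherwise e.g. "tcp"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protected: bool = False         # True if it arrived inside an IPsec SA


def wildcard(addr: str, wc: str) -> IPv4Network:
    """Turn a Cisco-style 'address wildcard' pair (e.g. 10.10.10.0 0.0.0.255)
    into a network. Assumption: only contiguous wildcard masks are used."""
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wc)))
    return IPv4Network(f"{addr}/{mask}", strict=False)


def _matches(e: AclEntry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and p.src in e.src and p.dst in e.dst
            and (e.dst_port is None or e.dst_port == p.dst_port))


def _first_match(acl, p: Packet) -> Optional[AclEntry]:
    """ACL entries are evaluated top-down; the first match decides."""
    return next((e for e in acl if _matches(e, p)), None)


def outbound_action(acl, p: Packet) -> str:
    """Function 1: permit = protect. A deny entry or no match sends the packet
    in the clear; a crypto ACL never drops outbound traffic."""
    e = _first_match(acl, p)
    return "protect" if e is not None and e.action == "permit" else "clear"


def sa_selector(acl, p: Packet):
    """Function 2: when outbound traffic triggers IKE, the SA being negotiated
    covers the whole flow of the single permit entry that matched, not just
    the triggering packet."""
    e = _first_match(acl, p)
    if e is None or e.action != "permit":
        return None
    return (e.proto, e.src, e.dst, e.dst_port)


def inbound_action(acl, p: Packet) -> str:
    """Function 3: inbound traffic is checked against the mirrored ACL
    (packet destination against entry source). Cleartext traffic that the
    ACL says must be protected is discarded."""
    mirrored = Packet(p.proto, src=p.dst, dst=p.src, src_port=p.dst_port,
                      dst_port=p.src_port, protected=p.protected)
    e = _first_match(acl, mirrored)
    if e is not None and e.action == "permit" and not p.protected:
        return "discard"
    return "accept"


def accept_peer_request(acl, src: IPv4Network, dst: IPv4Network, proto: str = "ip") -> bool:
    """Function 4: the peer proposes a selector from its own point of view
    (its source is our destination). Accept only if it lies within one of our
    permit entries, which is why the two peers' crypto ACLs must mirror each
    other. Ports are ignored in this simplified check."""
    return any(e.action == "permit" and e.proto in ("ip", proto)
               and dst.subnet_of(e.src) and src.subnet_of(e.dst) for e in acl)


# Constructed crypto ACL: protect all IP between 10.10.10.0/24 and
# 10.20.20.0/24, but leave Telnet (TCP/23) to the remote subnet in the clear.
# "deny" here means "do not protect", not "drop".
LOCAL_NET = wildcard("10.10.10.0", "0.0.0.255")
REMOTE_NET = wildcard("10.20.20.0", "0.0.0.255")
CRYPTO_ACL = [
    AclEntry("deny", "tcp", LOCAL_NET, REMOTE_NET, dst_port=23),
    AclEntry("permit", "ip", LOCAL_NET, REMOTE_NET),
]


def classify_samples() -> dict:
    """Run constructed packets through the model and return the decisions."""
    https_out = Packet("tcp", IPv4Address("10.10.10.5"), IPv4Address("10.20.20.7"), 40001, 443)
    telnet_out = Packet("tcp", IPv4Address("10.10.10.5"), IPv4Address("10.20.20.7"), 40002, 23)
    other_out = Packet("udp", IPv4Address("10.10.10.5"), IPv4Address("192.0.2.9"), 5000, 53)
    clear_reply = Packet("tcp", IPv4Address("10.20.20.7"), IPv4Address("10.10.10.5"), 443, 40001)
    ipsec_reply = Packet("tcp", IPv4Address("10.20.20.7"), IPv4Address("10.10.10.5"), 443, 40001, True)
    telnet_reply = Packet("tcp", IPv4Address("10.20.20.7"), IPv4Address("10.10.10.5"), 23, 40002)
    return {
        "https_out": outbound_action(CRYPTO_ACL, https_out),
        "telnet_out": outbound_action(CRYPTO_ACL, telnet_out),
        "other_out": outbound_action(CRYPTO_ACL, other_out),
        "https_selector": sa_selector(CRYPTO_ACL, https_out),
        "clear_reply": inbound_action(CRYPTO_ACL, clear_reply),
        "ipsec_reply": inbound_action(CRYPTO_ACL, ipsec_reply),
        "telnet_reply": inbound_action(CRYPTO_ACL, telnet_reply),
    }


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:15} -> {decision}")
```

The inbound check is the part worth noticing: the same ACL that selects traffic for protection also drops any cleartext packet arriving for a flow that should have come through an SA, so a mismatch between the two peers' ACLs shows up as silently discarded traffic rather than as an error.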