Cisco MDS 9000 Family CLI Configuration Guide, Release 4.x (OL-18084-01, February 2009)
Chapter 37
Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
The permit any statement causes all outbound traffic to be protected (and all protected traffic to be sent to the
peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic.
As a result, all inbound packets that lack IPsec protection are silently dropped, including packets for routing
protocols, NTP, echo, echo response, and so forth.
Be sure to define exactly which packets you want to protect. If you must use any in a permit statement,
preface that statement with a series of deny statements that filter out any traffic (which would otherwise
fall within that permit statement) that you do not want protected. A deny statement in a crypto ACL does
not drop the traffic; it only excludes that traffic from IPsec, so it is sent and accepted in the clear.
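The first-match behaviour described above, as an added example that is not code from the Cisco guide: a small model of a crypto IPv4-ACL evaluator. The packet model, the parser and the constructed sample packets are assumptions made for illustration; only the permit/deny lines follow the switch's ip access-list syntax. It shows why a bare permit ip any any drops unprotected inbound NTP, and why a deny placed in front of it lets that traffic through in the clear.

```python
"""Model of how a Cisco crypto IPv4-ACL classifies traffic (added example,
not code from the Cisco guide; packet model and parser are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Protocol keywords the parser understands; "ip" matches any protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    ipsec_protected: bool = False   # True if it arrived inside an IPsec SA


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" (protect) or "deny" (do not protect)
    proto: Optional[int]    # None means "ip", i.e. any protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]    # optional "eq <port>" after the destination


def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return net, wild, tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny <proto> <src> <dst> [eq <port>]' statement."""
    tokens = line.split()
    action, proto = tokens[0], PROTO_NUMBERS[tokens[1]]
    src_net, src_wild, rest = _parse_addr(tokens[2:])
    dst_net, dst_wild, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _wild_match(addr: str, net: int, wild: int) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', compare only 0 bits."""
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (_wild_match(pkt.src, ace.src_net, ace.src_wild)
            and _wild_match(pkt.dst, ace.dst_net, ace.dst_wild))


def classify(acl: List[Ace], pkt: Packet) -> str:
    """First match wins. 'protect' means the flow must be inside IPsec;
    'clear' means it is sent and accepted without IPsec. A deny entry, and
    traffic matching no entry at all, both give 'clear'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return "protect" if ace.action == "permit" else "clear"
    return "clear"


def inbound_verdict(acl: List[Ace], pkt: Packet) -> str:
    """Inbound traffic the ACL says must be protected is silently dropped
    when it arrives without IPsec protection."""
    if classify(acl, pkt) == "protect" and not pkt.ipsec_protected:
        return "drop"
    return "accept"


# Constructed sample ACLs: the bare 'permit any' the text warns about, and the
# same ACL with a deny in front of it to leave NTP (UDP/123) unprotected.
BARE_PERMIT_ANY = [parse_ace("permit ip any any")]
PERMIT_ANY_WITH_EXEMPTIONS = [
    parse_ace("deny udp any any eq 123"),
    parse_ace("permit ip any any"),
]
# The List1 entry from the procedure on this page.
LIST1 = [parse_ace("permit ip 10.1.1.100 0.0.0.255 11.1.1.100 0.0.0.255")]
```

Run it with a constructed unprotected NTP packet: inbound_verdict(BARE_PERMIT_ANY, pkt) returns "drop", while the ACL with the deny in front returns "accept", because the deny takes the NTP flow out of IPsec rather than discarding it.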

Creating Crypto IPv4-ACLs

To create IPv4-ACLs, follow these steps:

Step 1
Command: switch# config terminal
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# ip access-list List1 permit ip 10.1.1.100 0.0.0.255 11.1.1.100 0.0.0.255
Purpose: Permits all IP traffic from and to the specified networks. Add permit and deny statements as
appropriate (see Chapter 35, "Configuring IPv4 and IPv6 Access Control Lists"). Each permit and deny
specifies conditions to determine which IP packets must be protected.

Note
The show ip access-list command does not display the crypto map entries. Use the show crypto map
command to display the associated entries.

About Transform Sets in IPsec

A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers' IPsec security associations.

Tip
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations, but is used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database.

Note
When you enable IPsec, the Cisco NX-OS software automatically creates a default transform set
(ipsec_default_transform_set) using AES-128 encryption and SHA-1 authentication algorithms.

Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 37-21
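The transform set negotiation and the Tip about changed definitions, as an added example that is not code from the Cisco guide: a model of two peers each holding named transform sets, a crypto map entry that references some of them, and a security association database. The Peer and TransformSet structures, the flow and map-entry names, and the algorithm labels (written in the style of esp-aes 128 / esp-sha1-hmac) are assumptions for illustration. It shows that only the algorithm combination is compared between peers (local names do not matter), that the first proposal both sides share is chosen, and that redefining a transform set leaves an existing SA on the old algorithms until that SA is cleared and renegotiated.

```python
"""Transform set selection and its effect on existing SAs (added example,
not code from the Cisco guide; peer and SA structures are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Proposal = Tuple[str, str]  # (encryption algorithm, integrity algorithm)


@dataclass(frozen=True)
class TransformSet:
    name: str           # local name only; never compared between peers
    encryption: str     # e.g. "esp-aes 128" (label used for illustration)
    integrity: str      # e.g. "esp-sha1-hmac" (label used for illustration)

    def proposal(self) -> Proposal:
        return (self.encryption, self.integrity)


# The default set the text says NX-OS creates when IPsec is enabled:
# AES-128 encryption with SHA-1 authentication.
DEFAULT_TRANSFORM_SET = TransformSet(
    "ipsec_default_transform_set", "esp-aes 128", "esp-sha1-hmac")


def negotiate(initiator_sets: List[TransformSet],
              responder_sets: List[TransformSet]) -> Optional[Proposal]:
    """Return the first initiator proposal whose algorithm combination the
    responder also has configured, or None if the peers share nothing."""
    responder_ok = {ts.proposal() for ts in responder_sets}
    for ts in initiator_sets:
        if ts.proposal() in responder_ok:
            return ts.proposal()
    return None


@dataclass
class Peer:
    # configured transform sets, by name
    transform_sets: Dict[str, TransformSet]
    # crypto map entry -> ordered transform set names it references
    crypto_map_refs: Dict[str, List[str]] = field(default_factory=dict)
    # security association database: flow id -> algorithms in use
    sadb: Dict[str, Proposal] = field(default_factory=dict)


def establish_sa(local: Peer, remote: Peer, map_entry: str, flow: str) -> Proposal:
    """Negotiate an SA for one flow using the transform sets referenced by
    the local crypto map entry; both peers record the agreed algorithms."""
    proposals = [local.transform_sets[n] for n in local.crypto_map_refs[map_entry]]
    chosen = negotiate(proposals, list(remote.transform_sets.values()))
    if chosen is None:
        raise ValueError("no transform set is the same at both peers")
    local.sadb[flow] = chosen
    remote.sadb[flow] = chosen
    return chosen


def redefine_transform_set(peer: Peer, name: str, encryption: str, integrity: str) -> None:
    """Change a transform set definition. Crypto map entries that reference the
    name pick up the change on the next negotiation; existing SAs are untouched."""
    peer.transform_sets[name] = TransformSet(name, encryption, integrity)


def clear_sa(peer: Peer, flow: str) -> None:
    """Clear part of the SA database so the next negotiation uses current definitions."""
    peer.sadb.pop(flow, None)


def demo() -> Tuple[Proposal, Proposal, Proposal]:
    """Constructed scenario: establish, redefine on both sides, observe the
    old SA, clear it, renegotiate. Returns (first SA, SA after redefine, SA after clear)."""
    ts_a = TransformSet("ts-a", "esp-aes 128", "esp-sha1-hmac")
    a = Peer({"ts-a": ts_a}, {"map1 10": ["ts-a"]})
    b = Peer({"ts-a": ts_a})
    first = establish_sa(a, b, "map1 10", "flow1")
    redefine_transform_set(a, "ts-a", "esp-aes 256", "esp-sha1-hmac")
    redefine_transform_set(b, "ts-a", "esp-aes 256", "esp-sha1-hmac")
    still_old = a.sadb["flow1"]
    clear_sa(a, "flow1")
    clear_sa(b, "flow1")
    renegotiated = establish_sa(a, b, "map1 10", "flow1")
    return first, still_old, renegotiated


if __name__ == "__main__":
    print(demo())
```

The scenario in demo() returns the AES-128 proposal for the first SA, the same AES-128 proposal after both peers redefine ts-a (the change is not applied to the existing SA), and the AES-256 proposal only after the SA is cleared and renegotiated. Note also that a peer whose only sets use algorithms the other side lacks gets None from negotiate(), which is the "no matching transform set" failure an operator sees when the two sides were configured independently.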
