Configuring IPsec Network Security
OL-16184-01, Cisco MDS SAN-OS Release 3.x

In the context of crypto maps, IPv4-ACLs are different from regular IPv4-ACLs. Regular IPv4-ACLs determine what traffic to forward or block at an interface. Crypto IPv4-ACLs instead select which traffic IPsec protects. For example, a crypto IPv4-ACL can be created to protect all IP traffic between subnet A and subnet Y, or only Telnet traffic between host A and host B.

This section contains the following topics:
• About Crypto IPv4-ACLs, page 35-17
• Creating Crypto IPv4-ACLs, page 35-21
• About Transform Sets in IPsec, page 35-21
• Configuring Transform Sets, page 35-22
• About Crypto Map Entries, page 35-23
• Creating Crypto Map Entries, page 35-24
• About SA Lifetime Negotiation, page 35-25
• Setting the SA Lifetime, page 35-25
• About the AutoPeer Option, page 35-26
• Configuring the AutoPeer Option, page 35-27
• About Perfect Forward Secrecy, page 35-27
• Configuring Perfect Forward Secrecy, page 35-28
• About Crypto Map Set Interface Application, page 35-28
• Applying a Crypto Map Set, page 35-28

About Crypto IPv4-ACLs

Crypto IPv4-ACLs are used to define which IP traffic requires crypto protection and which traffic does not.

Crypto IPv4-ACLs associated with IPsec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPsec (permit = protect). Outbound traffic that no crypto IPv4-ACL permits is forwarded without IPsec protection, in the clear.
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPsec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPsec, that is, inbound traffic that matches a permit entry but arrives without IPsec protection.
• Determine whether or not to accept requests for IPsec SAs on behalf of the requested data flows when processing IKE negotiation from the IPsec peer.

If you want some traffic to receive one type of IPsec protection (for example, encryption only) and other traffic to receive a different type of IPsec protection (for example, both authentication and encryption), create two IPv4-ACLs. Use the two IPv4-ACLs in different crypto map entries to specify the different IPsec policies.

IPsec does not support IPv6-ACLs.

Crypto IPv4-ACL Guidelines

Follow these guidelines when configuring IPv4-ACLs for the IPsec feature:
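The following is a worked example, added by the editor and not taken from the Cisco guide, of the configuration described under About Crypto IPv4-ACLs: two crypto IPv4-ACLs, two transform sets, and one crypto map set with two entries that give each flow its own IPsec policy. All switch names, interface numbers, IP addresses, key strings and object names (acl-bulk, acl-mgmt, tfs-enc, tfs-auth, SampleMap) are hypothetical. The command syntax follows Cisco MDS SAN-OS 3.x as the editor recalls it; verify each command against the CLI reference for your release before use.

```cisco
! Added example, not from the Cisco guide. Names, addresses and keys are
! hypothetical; syntax is SAN-OS 3.x as recalled, so verify per release.
switch# config terminal

! IKE and IPsec must be enabled before a crypto map set takes effect.
switch(config)# crypto ike enable
switch(config)# crypto ipsec enable

! IKE pre-shared key for the IPsec peer (hypothetical key and address).
switch(config)# crypto ike domain ipsec
switch(config-ike-ipsec)# key ctct address 10.1.2.1
switch(config-ike-ipsec)# exit

! Two crypto IPv4-ACLs. Only "permit" selects traffic for protection;
! traffic these lists do not permit leaves the interface in the clear.
!   acl-bulk: all IP traffic between subnet 10.1.1.0/24 and 10.1.2.0/24
!   acl-mgmt: all IP traffic between host 10.1.1.100 and host 10.1.2.100
switch(config)# ip access-list acl-bulk permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
switch(config)# ip access-list acl-mgmt permit ip 10.1.1.100 0.0.0.0 10.1.2.100 0.0.0.0

! Two transform sets, one per protection type.
!   tfs-enc : encryption only, as in the text above. ESP without an
!             integrity algorithm lets an on-path attacker alter ciphertext
!             undetected; use it only to illustrate the two-policy case.
!   tfs-auth: encryption plus integrity (AES-256 with HMAC-SHA-1).
switch(config)# crypto transform-set domain ipsec tfs-enc esp-3des
switch(config)# crypto transform-set domain ipsec tfs-auth esp-aes 256 esp-sha1-hmac

! One crypto map set (SampleMap) with two entries. Each entry binds one
! crypto ACL to one transform set, so the two flows get different policies.
switch(config)# crypto map domain ipsec SampleMap 10
switch(config-crypto-map-ip)# match address acl-bulk
switch(config-crypto-map-ip)# set peer 10.1.2.1
switch(config-crypto-map-ip)# set transform-set tfs-enc
switch(config-crypto-map-ip)# set pfs group5
switch(config-crypto-map-ip)# set security-association lifetime seconds 3600
switch(config-crypto-map-ip)# exit

switch(config)# crypto map domain ipsec SampleMap 20
switch(config-crypto-map-ip)# match address acl-mgmt
switch(config-crypto-map-ip)# set peer 10.1.2.1
switch(config-crypto-map-ip)# set transform-set tfs-auth
switch(config-crypto-map-ip)# set pfs group5
switch(config-crypto-map-ip)# exit

! Apply the single crypto map set to the Gigabit Ethernet interface that
! carries the traffic (hypothetical slot/port and address).
switch(config)# interface gigabitethernet 4/1
switch(config-if)# ip address 10.1.1.1 255.255.255.0
switch(config-if)# crypto map domain ipsec SampleMap
switch(config-if)# no shutdown
switch(config-if)# end

! Verify the map set, and the negotiated SAs once traffic flows.
switch# show crypto map domain ipsec
switch# show crypto sad domain ipsec
```

On the peer switch, configure the same two ACLs as mirror images (source and destination swapped) and bind them to the same transform sets, so both sides agree on which flows are protected and how. If the peer's ACL permits a flow that this side's ACL does not, this side sends that flow in the clear and the peer's inbound filter discards it, which is the third function listed above showing up as silent packet loss rather than an error.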
Cisco MDS 9000 Family CLI Configuration Guide