HP Cisco MDS 9020 - Fabric Switch Configuration Manual page 866

Cisco mds 9000 family cli configuration guide, release 3.x (ol-16184-01, april 2008)
Crypto IPv4-ACLs

The Cisco SAN-OS software only allows name-based IPv4-ACLs.

When an IPv4-ACL is applied to a crypto map, the following options apply:
• Permit—Applies the IPsec feature to the traffic.
• Deny—Allows clear text (default).

Note: IKE traffic (UDP port 500) is implicitly transmitted in clear text.

The IPsec feature only considers the source and destination IPv4 addresses and subnet masks, protocol, and a single port number. There is no support for IPv6 in IPsec.

Note: The IPsec feature does not support port number ranges and ignores the higher port number field, if specified.

The permit option causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.

The deny option prevents traffic from being protected by crypto. The first deny statement causes the traffic to be in clear text.

The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface.

Different IPv4-ACLs must be used in different entries of the same crypto map set.

Inbound and outbound traffic is evaluated against the same outbound IPv4-ACL. Therefore, the IPv4-ACL's criteria are applied in the forward direction to traffic exiting your switch, and in the reverse direction to traffic entering your switch.

Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS 9216i Switch.

In Figure 35-5, IPsec protection is applied to traffic between switch interface S0 (IPv4 address 10.0.0.1) and switch interface S1 (IPv4 address 20.0.0.2) as the data exits switch A's S0 interface en route to switch interface S1. For traffic from 10.0.0.1 to 20.0.0.2, the IPv4-ACL entry on switch A is evaluated as follows:

    source = IPv4 address 10.0.0.1
    dest = IPv4 address 20.0.0.2

For traffic from 20.0.0.2 to 10.0.0.1, that same IPv4-ACL entry on switch A is evaluated as follows:

    source = IPv4 address 20.0.0.2
    dest = IPv4 address 10.0.0.1

Chapter 35 Configuring IPsec Network Security
Cisco MDS 9000 Family CLI Configuration Guide, OL-16184-01, Cisco MDS SAN-OS Release 3.x, page 35-18
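The evaluation rules above (permit protects, deny or no match leaves clear text, IKE is always clear, port ranges are truncated to the low port, and inbound traffic is checked against the mirrored outbound entry) modelled as a small classifier. This is an added example written for this page, not SAN-OS code; it assumes that an entry's single port is the destination port in the forward direction and therefore matches the source port when mirrored, and that the IPv4 networks, packets and ACL entries shown are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed model of how a crypto IPv4-ACL decides "protect vs. clear text".
# Added illustration, not SAN-OS code. Assumptions: the single port in an entry
# is the destination port in the forward (outbound) direction, and a packet
# matching no entry is sent in clear text (the page's default).

@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" -> IPsec, "deny" -> clear text
    src: str                          # IPv4 network, e.g. "10.0.0.0/24"
    dst: str
    proto: str = "ip"                 # "ip" matches any protocol
    port: int | tuple | None = None   # a (low, high) range keeps only low

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int | None = None
    dport: int | None = None

def _entry_matches(e: AclEntry, src: str, dst: str, proto: str, port: int | None) -> bool:
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(e.src)
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(e.dst)
    if not (in_src and in_dst) or (e.proto != "ip" and e.proto != proto):
        return False
    # Port ranges are not supported: the higher port number is ignored.
    want = e.port[0] if isinstance(e.port, tuple) else e.port
    return want is None or want == port

def classify(acl: list[AclEntry], pkt: Packet, direction: str) -> str:
    """Return "ipsec" or "clear" for pkt crossing the crypto-mapped interface."""
    # IKE itself (UDP port 500) is implicitly sent in clear text.
    if pkt.proto == "udp" and 500 in (pkt.sport, pkt.dport):
        return "clear"
    if direction == "outbound":
        src, dst, port = pkt.src, pkt.dst, pkt.dport
    else:
        # Inbound traffic is checked against the same outbound ACL, mirrored.
        src, dst, port = pkt.dst, pkt.src, pkt.sport
    for e in acl:                     # first matching entry decides
        if _entry_matches(e, src, dst, pkt.proto, port):
            return "ipsec" if e.action == "permit" else "clear"
    return "clear"
```

With the Figure 35-5 pair (permit 10.0.0.1 to 20.0.0.2), both the outbound flow and the mirrored inbound flow classify as "ipsec", while a leading deny for one TCP port leaves just that port in clear text.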