Cisco MDS 9000 Family CLI Configuration Guide
Configuring IPsec Network Security
OL-16184-01, Cisco MDS SAN-OS Release 3.x

The Cisco SAN-OS software only allows name-based IPv4-ACLs.

When an IPv4-ACL is applied to a crypto map, the following options apply:

• Permit—Applies the IPsec feature to the traffic.
• Deny—Allows clear text (default).

Note: IKE traffic (UDP port 500) is implicitly transmitted in clear text.

The IPsec feature only considers the source and destination IPv4 addresses and subnet masks, protocol, and a single port number. There is no support for IPv6 in IPsec.

Note: The IPsec feature does not support port number ranges and ignores the higher port number field.

• The permit option causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.
• The deny option prevents traffic from being protected by crypto. The first deny statement causes the traffic to be in clear text.
• The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface.
• Different IPv4-ACLs must be used in different entries of the same crypto map set.
• Inbound and outbound traffic is evaluated against the same outbound IPv4-ACL. Therefore, the IPv4-ACL's criteria are applied in the forward direction to traffic exiting your switch, and in the reverse direction to traffic entering your switch.
• Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS
• In Figure 35-5, IPsec protection is applied to traffic between switch interface S0 (IPv4 address 10.0.0.1) and switch interface S1 (IPv4 address 220.127.116.11) as the data exits switch A's S0 interface en route to switch interface S1. For traffic from 10.0.0.1 to 18.104.22.168, the IPv4-ACL entry on switch A is evaluated as follows:

    source = IPv4 address 10.0.0.1
    dest = IPv4 address 126.96.36.199

  For traffic from 22.214.171.124 to 10.0.0.1, that same IPv4-ACL entry on switch A is evaluated as follows:

    source = IPv4 address 188.8.131.52
    dest = IPv4 address 10.0.0.1
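As an added illustration that is not part of the configuration guide, the following Python model shows how a crypto IPv4-ACL decides between IPsec protection and clear text: first-match permit/deny, inbound traffic evaluated in reverse against the same outbound ACL, IKE on UDP 500 always clear, and a single port per entry. The S0/S1 addresses are reused from the text; the class and function names are assumptions of this example, not SAN-OS identifiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTECT, CLEAR = "ipsec", "clear-text"

@dataclass
class CryptoAclEntry:
    """One entry of a name-based crypto IPv4-ACL (hypothetical model; one
    entry corresponds to one security policy entry)."""
    action: str                      # "permit" -> protect, "deny" -> clear text
    src: str                         # IPv4 prefix, e.g. "10.0.0.1/32"
    dst: str
    protocol: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None       # single port only; ranges are not supported

def _matches(e: CryptoAclEntry, src: str, dst: str, proto: str,
             port: Optional[int]) -> bool:
    """Match on addresses/masks, protocol and the single port, nothing else."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(e.src, strict=False):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(e.dst, strict=False):
        return False
    if e.protocol is not None and e.protocol != proto:
        return False
    return e.port is None or e.port == port

def classify(acl: List[CryptoAclEntry], src: str, dst: str, proto: str = "ip",
             port: Optional[int] = None, direction: str = "outbound") -> str:
    """Return PROTECT or CLEAR for one flow, as the crypto map entry decides."""
    # IKE (UDP 500) is implicitly clear text regardless of the ACL contents.
    if proto == "udp" and port == 500:
        return CLEAR
    # Inbound traffic is evaluated against the same outbound ACL in reverse,
    # so swap source and destination before matching.
    if direction == "inbound":
        src, dst = dst, src
    for e in acl:                    # first matching entry decides
        if _matches(e, src, dst, proto, port):
            return PROTECT if e.action == "permit" else CLEAR
    return CLEAR                     # no match: sent in clear text (default)

if __name__ == "__main__":
    # Constructed ACL for switch A, using the S0 and S1 addresses from the text.
    acl = [CryptoAclEntry("permit", "10.0.0.1/32", "220.127.116.11/32")]
    print(classify(acl, "10.0.0.1", "220.127.116.11"))                       # ipsec
    print(classify(acl, "220.127.116.11", "10.0.0.1", direction="inbound"))  # ipsec
```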