Crypto Map Configuration Guidelines; Creating Crypto Map Entries - HP Cisco MDS 9020 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)
Crypto IPv4-ACLs

When a packet matches a permit entry in a particular IPv4-ACL, the corresponding crypto map entry is tagged, and the connections are established.

Crypto Map Configuration Guidelines

When configuring crypto map entries, follow these guidelines:

• The crypto map entries must contain compatible crypto IPv4-ACLs (for example, mirror image IPv4-ACLs). If the responding peer entry is in the local crypto, the IPv4-ACL must be permitted by the peer's crypto IPv4-ACL.
• The crypto map entries must each identify the other peer or must have auto peer configured.
• If you create more than one crypto map entry for a given interface, use the seq-num of each map entry to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher priority map entries first.
• The crypto map entries must have at least one transform set in common, where IKE negotiations are carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
• The sequence number for each crypto map decides the order in which the policies are applied. A lower sequence number is assigned a higher priority.
• Only one IPv4-ACL is allowed for each crypto map entry (the IPv4-ACL itself can have multiple permit or deny entries).
• When the tunnel endpoint is the same as the destination address, you can use the auto-peer option to dynamically configure the peer.
• For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interface shutdowns, VRRP switchovers, and port failures.

Creating Crypto Map Entries

Note: If the peer IP address specified in the crypto map entry is a VRRP IP address on a remote Cisco MDS switch, ensure that the IP address is created using the secondary option (see the "Adding Virtual Router IP Addresses" section on page 43-20).

To create mandatory crypto map entries, follow these steps:

Step 1
Command:  switch# config terminal
          switch(config)#
Purpose:  Enters configuration mode.

Step 2
Command:  switch(config)# crypto map domain ipsec SampleMap 31
          ips-hac1(config-crypto-map-ip)#
Purpose:  Places you in the crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

Command:  switch(config)# no crypto map domain ipsec SampleMap 3
Purpose:  Deletes the specified crypto map entry.

Command:  switch(config)# no crypto map domain ipsec SampleMap
Purpose:  Deletes the entire crypto map set called SampleMap.

Cisco MDS 9000 Family CLI Configuration Guide, OL-16184-01, Cisco MDS SAN-OS Release 3.x
Chapter 35 Configuring IPsec Network Security, page 35-24
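The ranking and peer-compatibility guidelines above are the part of a crypto map configuration that is most often wrong in practice, and they can be checked mechanically before the map set is applied to an interface. The Python model below is an added example, not code from the Cisco guide: it orders a crypto map set by seq-num, evaluates a flow against the set in that order (lowest seq-num first, first permit wins), and checks a local/remote entry pair for mirror-image IPv4-ACLs, a shared transform set, mutual peer identification (or auto-peer) and the TCP 3260 line recommended for Microsoft iSCSI initiators. The class names, the 10.x addresses, the transform-set names and the rule format are constructed for the example; treating a matching deny line as "not protected by this entry, continue with the next entry" and placing the local iSCSI port as the source port of the switch's outbound rule are assumptions, not statements from the guide.

```python
"""Model of the crypto map guidelines (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ISCSI_PORT = 3260  # default iSCSI TCP port named in the guidelines


@dataclass(frozen=True)
class AclRule:
    """One permit/deny line of a crypto IPv4-ACL (constructed model)."""
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches any protocol; else "tcp"/"udp"
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, protocol, src_ip, dst_ip, src_port, dst_port) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def mirror(self) -> "AclRule":
        """The same line as the remote peer must write it: source and destination swapped."""
        return AclRule(self.action, self.protocol, self.dst, self.src,
                       self.dst_port, self.src_port)


@dataclass(frozen=True)
class CryptoMapEntry:
    seq_num: int
    local_addr: str
    peer: Optional[str]           # None models the auto-peer option
    acl: Tuple[AclRule, ...]      # exactly one IPv4-ACL per entry (guideline)
    transform_sets: FrozenSet[str]


def by_priority(entries: List[CryptoMapEntry]) -> List[CryptoMapEntry]:
    """Lower seq-num means higher priority; traffic is evaluated in this order."""
    return sorted(entries, key=lambda e: e.seq_num)


def select_entry(entries, protocol, src_ip, dst_ip, src_port=None, dst_port=None):
    """Seq-num of the entry whose IPv4-ACL permits the flow, or None if no entry protects it.
    Assumption: a matching deny line means the flow is not protected by this entry,
    and evaluation continues with the next entry in priority order."""
    for entry in by_priority(entries):
        for rule in entry.acl:
            if rule.matches(protocol, src_ip, dst_ip, src_port, dst_port):
                if rule.action == "permit":
                    return entry.seq_num
                break  # deny: fall through to the next entry
    return None


def is_mirror_image(local_acl, peer_acl) -> bool:
    """The peer's permit lines must be exactly the swapped form of the local permit lines."""
    expected = {r.mirror() for r in local_acl if r.action == "permit"}
    actual = {r for r in peer_acl if r.action == "permit"}
    return expected == actual


def check_peer_pair(local: CryptoMapEntry, remote: CryptoMapEntry) -> List[str]:
    """Apply the guidelines to a local/remote entry pair; return the problems found."""
    problems = []
    if not is_mirror_image(local.acl, remote.acl):
        problems.append("crypto IPv4-ACLs are not mirror images")
    if not (local.transform_sets & remote.transform_sets):
        problems.append("no transform set in common, IKE cannot agree on one")
    if local.peer is not None and local.peer != remote.local_addr:
        problems.append(f"local entry names peer {local.peer}, not {remote.local_addr}")
    if remote.peer is not None and remote.peer != local.local_addr:
        problems.append(f"remote entry names peer {remote.peer}, not {local.local_addr}")
    if not any(r.protocol == "tcp" and ISCSI_PORT in (r.src_port, r.dst_port) for r in local.acl):
        problems.append("no TCP 3260 line: Microsoft iSCSI sessions may recover slowly")
    return problems


# Constructed sample: switch 10.1.1.1 serves iSCSI on 3260, so its outbound
# rule carries 3260 as the source port (assumption on rule direction).
SWITCH_ENTRY = CryptoMapEntry(
    seq_num=31, local_addr="10.1.1.1", peer="10.2.2.2",
    acl=(AclRule("permit", "tcp", "10.1.1.1/32", "10.2.2.0/24", src_port=ISCSI_PORT),),
    transform_sets=frozenset({"tfs-3des-sha", "tfs-aes-sha"}))
OTHER_ENTRY = CryptoMapEntry(     # lower seq-num, so evaluated before SWITCH_ENTRY
    seq_num=5, local_addr="10.1.1.1", peer="10.5.5.5",
    acl=(AclRule("permit", "ip", "10.1.1.1/32", "10.5.5.0/24"),),
    transform_sets=frozenset({"tfs-aes-sha"}))
SWITCH_MAP_SET = [SWITCH_ENTRY, OTHER_ENTRY]
PEER_ENTRY = CryptoMapEntry(      # compatible: mirror-image ACL, shared transform set
    seq_num=10, local_addr="10.2.2.2", peer="10.1.1.1",
    acl=(AclRule("permit", "tcp", "10.2.2.0/24", "10.1.1.1/32", dst_port=ISCSI_PORT),),
    transform_sets=frozenset({"tfs-aes-sha"}))
BAD_PEER_ENTRY = CryptoMapEntry(  # wrong peer address and no shared transform set
    seq_num=10, local_addr="10.2.2.2", peer="10.1.1.9",
    acl=PEER_ENTRY.acl, transform_sets=frozenset({"tfs-3des-md5"}))

if __name__ == "__main__":
    print("iSCSI flow ->", select_entry(SWITCH_MAP_SET, "tcp", "10.1.1.1", "10.2.2.5", 3260, 51000))
    print("good peer  ->", check_peer_pair(SWITCH_ENTRY, PEER_ENTRY) or "OK")
    print("bad peer   ->", check_peer_pair(SWITCH_ENTRY, BAD_PEER_ENTRY))
```

The iSCSI flow lands on entry 31 even though entry 5 is evaluated first, because entry 5's ACL does not match the 10.2.2.0/24 destination; a flow from the switch that does not originate from port 3260 matches no entry and would leave the interface unprotected, which is exactly the case the TCP 3260 guideline exists to catch.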