Crypto Map Configuration Guidelines; Creating Crypto Map Entries - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.x (OL-8222-10, April 2008)

Chapter 44
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com

Crypto Map Configuration Guidelines

When configuring crypto map entries, follow these guidelines:

- The sequence number for each crypto map decides the order in which the policies are applied. A lower sequence number is assigned a higher priority.
- Only one IPv4-ACL is allowed for each crypto map entry (the IPv4-ACL itself can have multiple permit or deny entries).
- When the tunnel endpoint is the same as the destination address, you can use the auto-peer option to dynamically configure the peer.
- For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interface shutdowns, VRRP switchovers, and port failures.

Creating Crypto Map Entries

To create mandatory crypto map entries using Fabric Manager, follow these steps:

Step 1
Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPSec configuration in the Information pane (see Figure 44-21).

Step 2
Choose the CryptoMap Set Entry tab.
You see the existing crypto maps configured (see Figure 44-22).

Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
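The crypto map guidelines above can be checked against a planned crypto map set before it is entered in Fabric Manager. The following Python is an added example, not Cisco code or part of the original manual; the data model, field names, ACL names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ISCSI_PORT = 3260  # default local iSCSI TCP port named in the guidelines

@dataclass
class AclRule:                        # hypothetical model of one IPv4-ACL line
    action: str                       # "permit" or "deny"
    protocol: str                     # "tcp", "ip", ...
    local_port: Optional[int] = None  # None means any port

@dataclass
class CryptoMapEntry:                 # hypothetical model, not Fabric Manager's
    seq: int                          # lower number = higher priority
    acls: dict                        # ACL name -> list of AclRule
    peer: str                         # peer address, or "auto-peer"
    iscsi: bool = False               # protects Microsoft iSCSI initiator traffic
    endpoint_is_dest: bool = False    # tunnel endpoint equals destination address

def priority_order(entries):
    """Sequence numbers in the order the policies are applied."""
    return [e.seq for e in sorted(entries, key=lambda e: e.seq)]

def lint(entries):
    """Return (seq, message) findings for entries that break a guideline."""
    findings = []
    for e in sorted(entries, key=lambda e: e.seq):
        if len(e.acls) != 1:
            findings.append((e.seq, f"{len(e.acls)} IPv4-ACLs, exactly one allowed"))
        # Assumption: the auto-peer guideline is treated as a precondition.
        if e.peer == "auto-peer" and not e.endpoint_is_dest:
            findings.append((e.seq, "auto-peer needs tunnel endpoint == destination"))
        rules = [r for acl in e.acls.values() for r in acl]
        if e.iscsi and not any(r.action == "permit" and r.protocol == "tcp"
                               and r.local_port == ISCSI_PORT for r in rules):
            findings.append((e.seq, f"iSCSI ACL lacks permit tcp port {ISCSI_PORT}"))
    return findings

# Constructed sample plan; ACL names and addresses are made up.
PLAN = [
    CryptoMapEntry(20, {"acl_a": [AclRule("permit", "ip")],
                        "acl_b": [AclRule("deny", "ip")]}, "192.0.2.20"),
    CryptoMapEntry(10, {"acl_iscsi": [AclRule("permit", "tcp", ISCSI_PORT)]},
                   "auto-peer", iscsi=True, endpoint_is_dest=True),
    CryptoMapEntry(30, {"acl_ms": [AclRule("permit", "ip")]}, "auto-peer", iscsi=True),
]

if __name__ == "__main__":
    print(priority_order(PLAN), *lint(PLAN), sep="\n")
```

In the sample plan, entry 10 passes every check, entry 20 is flagged for carrying two IPv4-ACLs, and entry 30 is flagged both for auto-peer use and for an iSCSI ACL that does not name TCP port 3260.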
