Chapter 37  Configuring IPsec Network Security
Crypto IPv4-ACLs
Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 37-24
Send documentation comments to mdsfeedback-doc@cisco.com

Crypto Map Configuration Guidelines

When configuring crypto map entries, follow these guidelines:

• The sequence number for each crypto map decides the order in which the policies are applied. A lower sequence number is assigned a higher priority.
• Only one IPv4-ACL is allowed for each crypto map entry (the IPv4-ACL itself can have multiple permit or deny entries).
• When the tunnel endpoint is the same as the destination address, you can use the auto-peer option to dynamically configure the peer.
• For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interface shutdowns, VRRP switchovers, and port failures.

Creating Crypto Map Entries

Note: If the peer IP address specified in the crypto map entry is a VRRP IP address on a remote Cisco MDS switch, ensure that the IP address is created using the secondary option (see the "Adding Virtual Router IP Addresses" section on page 44-20).

To create mandatory crypto map entries, follow these steps:

Step 1
  Command: switch# config terminal
           switch(config)#
  Purpose: Enters configuration mode.

Step 2
  Command: switch(config)# crypto map domain ipsec SampleMap 31
           ips-hac1(config-crypto-map-ip)#
  Purpose: Places you in the crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

  Command: switch(config)# no crypto map domain ipsec SampleMap 3
  Purpose: Deletes the specified crypto map entry.

  Command: switch(config)# no crypto map domain ipsec SampleMap
  Purpose: Deletes the entire crypto map set called SampleMap.

Step 3
  Command: switch(config-crypto-map-ip)# match address SampleAcl
  Purpose: Names an ACL to determine which traffic should be protected and not protected by IPsec in the context of this crypto map entry.

  Command: switch(config-crypto-map-ip)# no match address SampleAcl
  Purpose: Deletes the matched address.

Step 4
  Command: switch(config-crypto-map-ip)# set peer 10.1.1.1
  Purpose: Configures a specific peer IPv4 address.
  Note: IKE only supports IPv4 addresses, not IPv6 addresses.

Step 5
  Command: switch(config-crypto-map-ip)# no set peer 10.1.1.1
  Purpose: Deletes the configured peer.
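The following is an added example, not part of the Cisco guide and not Cisco code: a small Python checker that reads crypto map entries in the command form shown in the procedure above and applies the configuration guidelines to them (evaluation order by sequence number, exactly one IPv4-ACL per entry, IPv4-only peers, and whether the referenced ACL names TCP and the iSCSI port 3260). The sample configuration is constructed; the "ip access-list ..." lines use an assumed, simplified IPv4-ACL syntax, and "set peer auto-peer" is assumed to be the keyword form of the auto-peer option, neither of which the page spells out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample configuration (not taken from the guide). The crypto map
# lines follow the command forms in the procedure above; the "ip access-list"
# lines are an assumed, simplified IPv4-ACL syntax, and "auto-peer" is the
# assumed keyword form of the auto-peer option.
SAMPLE_CONFIG = """\
ip access-list SampleAcl permit tcp 10.1.1.0 0.0.0.255 range port 3260 3260 10.2.2.0 0.0.0.255
ip access-list OtherAcl permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
crypto map domain ipsec SampleMap 31
  match address SampleAcl
  set peer 10.1.1.1
crypto map domain ipsec SampleMap 10
  match address OtherAcl
  set peer auto-peer
crypto map domain ipsec SampleMap 40
  match address OtherAcl
  match address SampleAcl
  set peer 2001:db8::1
"""

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    acls: List[str] = field(default_factory=list)
    peer: str = ""


def parse_config(text: str) -> Tuple[Dict[str, List[str]], List[CryptoMapEntry]]:
    """Collect IPv4-ACL entries and crypto map entries from config-style text."""
    acls: Dict[str, List[str]] = {}
    entries: List[CryptoMapEntry] = []
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ip", "access-list"]:
            # ACL name followed by one access control entry (ACE)
            acls.setdefault(words[2], []).append(" ".join(words[3:]))
            current = None
        elif words[:4] == ["crypto", "map", "domain", "ipsec"]:
            current = CryptoMapEntry(name=words[4], seq=int(words[5]))
            entries.append(current)
        elif current is not None and words[:2] == ["match", "address"]:
            current.acls.append(words[2])
        elif current is not None and words[:2] == ["set", "peer"]:
            current.peer = words[2]
    return acls, entries


def is_ipv4(addr: str) -> bool:
    m = IPV4_RE.match(addr)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def ordered_entries(entries: List[CryptoMapEntry]) -> List[CryptoMapEntry]:
    """Policy evaluation order: within a map, lower sequence number wins."""
    return sorted(entries, key=lambda e: (e.name, e.seq))


def acl_covers_iscsi(aces: List[str], port: int = 3260) -> bool:
    """True if some ACE names TCP and the iSCSI port, as the guideline asks."""
    return any("tcp" in ace.split() and str(port) in ace.split() for ace in aces)


def validate(acls: Dict[str, List[str]], entries: List[CryptoMapEntry]) -> List[str]:
    """Return one finding per guideline violation; an empty list means clean."""
    findings = []
    for e in entries:
        tag = f"{e.name} seq {e.seq}"
        if len(e.acls) != 1:
            findings.append(f"{tag}: exactly one match address expected, found {len(e.acls)}")
        for acl in e.acls:
            if acl not in acls:
                findings.append(f"{tag}: references undefined IPv4-ACL {acl}")
        if e.peer != "auto-peer" and not is_ipv4(e.peer):
            findings.append(f"{tag}: peer {e.peer!r} is not an IPv4 address (IKE is IPv4-only)")
    return findings


if __name__ == "__main__":
    acls, entries = parse_config(SAMPLE_CONFIG)
    for e in ordered_entries(entries):
        ready = any(acl_covers_iscsi(acls.get(a, [])) for a in e.acls)
        print(f"{e.name} {e.seq}: acls={e.acls} peer={e.peer} iscsi_ready={ready}")
    for f in validate(acls, entries):
        print("FINDING:", f)
```

Running the script lists the entries in the order the switch evaluates them (10, 31, 40) and reports two findings, both against sequence 40: a second "match address" line, which the guideline forbids, and an IPv6 peer, which IKE cannot use. The same checks can be pointed at a saved running-config before a change window.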