Crypto IPv4-ACLs
Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family CLI Configuration Guide
The Cisco NX-OS software only allows name-based IPv4-ACLs.
When an IPv4-ACL is applied to a crypto map, the following options apply:
– Permit—Applies the IPsec feature to the traffic.
– Deny—Allows clear text (default).
IKE traffic (UDP port 500) is implicitly transmitted in clear text.
Note: The IPsec feature only considers the source and destination IPv4 addresses and subnet masks, the protocol, and a single port number. There is no support for IPv6 in IPsec.
Note: The IPsec feature does not support port number ranges and ignores the higher port number field if one is specified.
The permit option causes all IP traffic that matches the specified conditions to be protected by
crypto, using the policy described by the corresponding crypto map entry.
The deny option prevents traffic from being protected by crypto. Entries are evaluated in order, so the first deny statement that matches the traffic leaves it in clear text even if a later permit would also match.
The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto
map entry and apply the crypto map set to the interface.
Different IPv4-ACLs must be used in different entries of the same crypto map set.
Inbound and outbound traffic is evaluated against the same outbound IPv4-ACL. Therefore, the IPv4-ACL's criteria are applied in the forward direction to traffic exiting your switch, and in the reverse direction to traffic entering your switch.
Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The
IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS
9216i Switch.
In Figure 37-5, IPsec protection is applied to traffic between switch interface S0 (IPv4 address 10.0.0.1) and switch interface S1 (IPv4 address 20.0.0.2) as the data exits switch A's S0 interface en route to switch interface S1. For traffic from 10.0.0.1 to 20.0.0.2, the IPv4-ACL entry on switch A is evaluated as follows:
– source = IPv4 address 10.0.0.1
– dest = IPv4 address 20.0.0.2
For traffic from 20.0.0.2 to 10.0.0.1, that same IPv4-ACL entry on switch A is evaluated as follows:
– source = IPv4 address 20.0.0.2
– dest = IPv4 address 10.0.0.1
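The permit/deny semantics, the first-match rule, the implicit clear-text handling of IKE, the single-port limitation and the reverse evaluation for inbound traffic described above are easy to get wrong when reading a crypto map. The following model, added here as an illustration and not Cisco code, replays those rules over the Figure 37-5 addresses. The entry syntax it parses (wildcard masks with an optional `eq <port>` or `range <lo> <hi>` suffix), the `classify`/`parse_entry` names, the constructed sample entries and packets, and the choice to read the entry's port against the inbound packet's source port when evaluating in reverse are this example's own assumptions.

```python
"""Model of how a crypto IPv4-ACL selects traffic for IPsec on an MDS switch.

Added illustration, not Cisco code. It encodes the rules from the text:
permit = protect with IPsec, deny = clear text, first match wins, no match
= clear text, IKE (UDP 500) is always clear, only one port per entry is
honoured (the upper end of a range is ignored), and the single outbound ACL
is read in reverse for inbound traffic. Entry syntax and names are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

IKE_UDP_PORT = 500
MAX_SECURITY_POLICY_ENTRIES = 120   # per MPS-14/2 module or MDS 9216i (from the text)


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" -> IPsec, "deny" -> clear text
    src: int                     # base address as an int
    src_wild: int                # wildcard mask: set bits are "don't care"
    dst: int
    dst_wild: int
    proto: str = "ip"            # "ip" matches any IP protocol
    port: Optional[int] = None   # a single port; None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_entry(line: str) -> AclEntry:
    """Parse e.g. 'permit tcp 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255 eq 22'.
    The 'eq'/'range' suffix handling is this example's convention; as on the
    switch, a range keeps only its first port and the higher field is ignored."""
    tok = line.split()
    if len(tok) < 6 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"malformed entry: {line!r}")
    port = None
    if len(tok) > 6:
        if tok[6] in ("eq", "range"):
            port = int(tok[7])           # for 'range', tok[8] (the high port) is dropped
        else:
            raise ValueError(f"unsupported qualifier: {tok[6]!r}")
    return AclEntry(tok[0], int(IPv4Address(tok[2])), int(IPv4Address(tok[3])),
                    int(IPv4Address(tok[4])), int(IPv4Address(tok[5])), tok[1], port)


def _addr_match(addr: str, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored on both sides of the comparison.
    return (int(IPv4Address(addr)) | wild) == (base | wild)


def entry_matches(e: AclEntry, pkt: Packet, outbound: bool) -> bool:
    """Forward evaluation for outbound traffic; for inbound traffic the entry's
    source/destination (and, by the same logic, its port) are read in reverse."""
    if outbound:
        src, dst, port = pkt.src, pkt.dst, pkt.dport
    else:
        src, dst, port = pkt.dst, pkt.src, pkt.sport
    return (_addr_match(src, e.src, e.src_wild)
            and _addr_match(dst, e.dst, e.dst_wild)
            and (e.proto == "ip" or e.proto == pkt.proto)
            and (e.port is None or e.port == port))


def classify(acl: List[AclEntry], pkt: Packet, outbound: bool = True) -> str:
    """Return 'ipsec' if the crypto map would protect the packet, else 'clear'."""
    if pkt.proto == "udp" and IKE_UDP_PORT in (pkt.sport, pkt.dport):
        return "clear"                   # IKE is implicitly sent in clear text
    for e in acl:                        # first matching entry decides
        if entry_matches(e, pkt, outbound):
            return "ipsec" if e.action == "permit" else "clear"
    return "clear"                       # no match: clear text is the default


def check_policy_budget(acl: List[AclEntry]) -> int:
    """Each ACL entry consumes one security policy entry; fail if over the limit."""
    if len(acl) > MAX_SECURITY_POLICY_ENTRIES:
        raise ValueError(f"{len(acl)} entries exceed the {MAX_SECURITY_POLICY_ENTRIES}-entry limit")
    return len(acl)


# Constructed sample for switch A: S0 = 10.0.0.1 talking to S1 = 20.0.0.2 as in
# Figure 37-5, with SSH between them deliberately left in clear text by a deny
# placed ahead of the permit.
SAMPLE_ACL = [parse_entry(line) for line in (
    "deny tcp 10.0.0.1 0.0.0.0 20.0.0.2 0.0.0.0 eq 22",
    "permit ip 10.0.0.1 0.0.0.0 20.0.0.2 0.0.0.0",
)]

if __name__ == "__main__":
    check_policy_budget(SAMPLE_ACL)
    for desc, pkt, outb in (
        ("S0 -> S1 data, outbound", Packet("10.0.0.1", "20.0.0.2", "tcp", 40000, 3225), True),
        ("S1 -> S0 reply, inbound (reverse)", Packet("20.0.0.2", "10.0.0.1", "tcp", 3225, 40000), False),
        ("SSH S0 -> S1 hits the deny first", Packet("10.0.0.1", "20.0.0.2", "tcp", 40001, 22), True),
        ("IKE S0 -> S1 is always clear", Packet("10.0.0.1", "20.0.0.2", "udp", 500, 500), True),
        ("unrelated host, no match", Packet("10.0.0.9", "20.0.0.2", "tcp", 1, 80), True),
    ):
        print(f"{desc:36s} {classify(SAMPLE_ACL, pkt, outb)}")
```

Swapping the order of the two sample entries makes the SSH packet hit the permit first and go out under IPsec, which is the point of the text's remark about the first deny statement: entry order, not the mere presence of a deny, decides what stays in clear text.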
Chapter 37
Configuring IPsec Network Security
OL-18084-01, Cisco MDS NX-OS Release 4.x