Chapter 44
Configuring IPsec Network Security
Crypto IPv4-ACLs

• The deny option prevents traffic from being protected by crypto. The first deny statement causes the traffic to be in clear text.
• The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface.
• Different IPv4-ACLs must be used in different entries of the same crypto map set.
• Inbound and outbound traffic is evaluated against the same outbound IPv4-ACL. Therefore, the IPv4-ACL's criteria are applied in the forward direction to traffic exiting your switch, and in the reverse direction to traffic entering your switch.
• Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS 9216i Switch.
• In Figure 44-17, IPsec protection is applied to traffic between switch interface S0 (IPv4 address 10.0.0.1) and switch interface S1 (IPv4 address 20.0.0.2) as the data exits switch A's S0 interface en route to switch interface S1. For traffic from 10.0.0.1 to 20.0.0.2, the IPv4-ACL entry on switch A is evaluated as follows:
  – source = IPv4 address 10.0.0.1
  – dest = IPv4 address 20.0.0.2
  For traffic from 20.0.0.2 to 10.0.0.1, that same IPv4-ACL entry on switch A is evaluated as follows:
  – source = IPv4 address 20.0.0.2
  – dest = IPv4 address 10.0.0.1
• If you configure multiple statements for a given crypto IPv4-ACL that is used for IPsec, the first permit statement that is matched is used to determine the scope of the IPsec SA. Later, if traffic matches a different permit statement of the crypto IPv4-ACL, a new, separate IPsec SA is negotiated to protect traffic matching the newly matched IPv4-ACL statement.
• Unprotected inbound traffic that matches a permit entry in the crypto IPv4-ACL for a crypto map entry flagged as IPsec is dropped, because this traffic was expected to be protected by IPsec.

Figure 44-17 IPsec Processing of Crypto IPv4-ACLs

[Figure: MDS_Switch A (interface S0) and MDS_Switch N (interface S1) are IPsec peers connected across the Internet. Traffic exchanged between 10.0.0.1 and 20.0.0.2 is protected.]

IPsec access list at S0:
access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255

IPsec access list at S1:
access-list S1 permit ip 20.0.0.2 0.0.0.255 10.0.0.1 0.0.0.255
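The rules above (forward evaluation for outbound traffic, mirrored evaluation for inbound, first match wins, deny means clear text, unprotected inbound matches dropped) as an added Python model of crypto IPv4-ACL processing; this is illustrative code, not Cisco's, and it assumes the standard implicit deny at the end of the list and parses only `ip` entries with source and destination wildcard masks.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    src: str       # source address
    src_wc: str    # source wildcard mask (set bits are "don't care")
    dst: str       # destination address
    dst_wc: str    # destination wildcard mask

def _wildcard_match(addr, base, wildcard):
    a, b, wc = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~wc) == (b & ~wc)

def parse_acl(lines):
    """Parse lines of the form: access-list <name> permit|deny ip <src> <wc> <dst> <wc>"""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[2] not in ("permit", "deny") or p[3] != "ip":
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        entries.append(AclEntry(p[2], p[4], p[5], p[6], p[7]))
    return entries

def evaluate(acl, src, dst, direction, protected=False):
    """
    Outbound traffic is matched as written; inbound traffic is matched against the
    same outbound ACL with source and destination reversed. First match wins.
      "protect" - outbound match on permit: an IPsec SA covers this flow
      "clear"   - a deny matched first, or nothing matched (implicit deny, assumed)
      "accept"  - inbound permit match that arrived IPsec-protected
      "drop"    - inbound permit match that arrived unprotected
    """
    if direction == "inbound":
        src, dst = dst, src          # mirror the outbound entry for incoming packets
    for e in acl:
        if _wildcard_match(src, e.src, e.src_wc) and _wildcard_match(dst, e.dst, e.dst_wc):
            if e.action == "deny":
                return "clear"
            if direction == "outbound":
                return "protect"
            return "accept" if protected else "drop"
    return "clear"

# The S0 access list from Figure 44-17; note that wildcard 0.0.0.255 selects the whole /24.
ACL_S0 = parse_acl(["access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255"])
```

Evaluating the same flow in both directions shows why a clear-text packet from 20.0.0.2 arriving at S0 is dropped rather than accepted.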
Cisco MDS 9000 Family Fabric Manager Configuration Guide, OL-17256-03, Cisco MDS NX-OS Release 4.x, page 44-23