Chapter 30
Configuring IPsec Network Security
• The permit option causes all IP traffic that matches the specified conditions to be protected by
  crypto, using the policy described by the corresponding crypto map entry.
• The deny option prevents traffic from being protected by crypto. The first deny statement causes the
  traffic to be in clear text.
• The crypto ACL you define is applied to an interface after you define the corresponding crypto map
  entry and apply the crypto map set to the interface.
• Different ACLs must be used in different entries of the same crypto map set.
• Inbound and outbound traffic is evaluated against the same outbound IPsec ACL. Therefore, the
  ACL's criteria are applied in the forward direction to traffic exiting your switch, and in the reverse
  direction to traffic entering your switch.
• Each ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The IPsec
  feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS 9216i
  Switch.
• In Figure 30-2, IPsec protection is applied to traffic between switch interface S0 (IP address
  10.0.0.1) and switch interface S1 (IP address 20.0.0.2) as the data exits switch A's S0 interface
  en route to switch interface S1. For traffic from 10.0.0.1 to 20.0.0.2, the ACL entry on switch A is
  evaluated as follows:
  – source = IP address 10.0.0.1
  – dest = IP address 20.0.0.2
  For traffic from 20.0.0.2 to 10.0.0.1, that same ACL entry on switch A is evaluated as follows:
  – source = IP address 20.0.0.2
  – dest = IP address 10.0.0.1
• If you configure multiple statements for a given crypto ACL which is used for IPsec, the first permit
  statement that is matched is used to determine the scope of the IPsec SA. Later, if traffic matches a
  different permit statement of the crypto ACL, a new, separate IPsec SA is negotiated to protect
  traffic matching the newly matched ACL statement.
• Unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto map entry
  flagged as IPsec is dropped, because this traffic was expected to be protected by IPsec.

Figure 30-2 IPsec Processing of Crypto ACLs

MDS_Switch A, interface S0 ---- Internet ---- MDS_Switch N, interface S1 (IPsec peers)

IPsec access list at S0:
access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255

IPsec access list at S1:
access-list S1 permit ip 20.0.0.2 0.0.0.255 10.0.0.1 0.0.0.255

Traffic exchanged between 10.0.0.1 and 20.0.0.2 is protected.
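The evaluation rules above (permit protects, deny leaves traffic in clear text, the single outbound ACL is applied forward to exiting traffic and reversed for entering traffic, each matched permit statement gets its own SA, and unprotected inbound traffic that matches a permit entry is dropped) can be modelled in a few lines so that a policy can be checked before it is put on a switch. The following Python is an added illustration, not Cisco code and not the SAN-OS implementation; it uses the S0 access list from Figure 30-2 and adds a constructed deny entry and a second permit entry (the addresses 10.0.0.5 and 10.0.1.0/24 are assumptions made for this example).

```python
"""Model of how a crypto ACL decides which traffic IPsec protects.

Added illustration, not Cisco code. It mimics the rules described in the
text: permit = protect, deny = clear text, one ACL evaluated forward for
outbound and reversed for inbound traffic, one SA per matched permit entry,
and unprotected inbound traffic that matches a permit entry is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source address, e.g. "10.0.0.1"
    src_wild: str    # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard mask is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse lines of the form 'access-list NAME permit|deny ip SRC SWILD DST DWILD'."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip" or f[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(AclEntry(f[2], f[4], f[5], f[6], f[7]))
    return entries


def first_match(acl: List[AclEntry], src: str, dst: str, direction: str) -> Optional[Tuple[int, str]]:
    """Return (index, action) of the first entry that matches the packet.

    'out' compares the packet as written; 'in' applies the same ACL in reverse,
    so the packet source is checked against the entry destination and vice versa.
    """
    for i, e in enumerate(acl):
        if direction == "out":
            hit = _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild)
        elif direction == "in":
            hit = _matches(src, e.dst, e.dst_wild) and _matches(dst, e.src, e.src_wild)
        else:
            raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
        if hit:
            return i, e.action
    return None  # nothing matched: traffic is simply not protected


def classify(acl: List[AclEntry], src: str, dst: str, direction: str, protected: bool = False) -> str:
    """Decide what happens to one packet at the interface.

    'protect:<n>'  outbound packet goes into the SA negotiated for permit entry n
    'accept'       inbound IPsec-protected packet matching a permit entry
    'drop'         inbound clear-text packet that a permit entry says should be protected
    'clear'        deny entry or no match: passes in clear text
    """
    m = first_match(acl, src, dst, direction)
    if m is None or m[1] == "deny":
        return "clear"
    idx, _ = m
    if direction == "out":
        return f"protect:{idx}"
    return "accept" if protected else "drop"


# Constructed sample: the S0 ACL from Figure 30-2, with a deny entry and a
# second permit entry added here to show deny and per-entry SA behaviour.
S0_ACL = parse_acl([
    "access-list S0 deny ip 10.0.0.5 0.0.0.0 20.0.0.2 0.0.0.255",
    "access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255",
    "access-list S0 permit ip 10.0.1.1 0.0.0.255 20.0.0.2 0.0.0.255",
])


def demo() -> dict:
    """Run the page's scenarios (and the constructed ones) through the S0 ACL."""
    return {
        "a_to_b": classify(S0_ACL, "10.0.0.1", "20.0.0.2", "out"),                        # protect:1
        "b_to_a_ipsec": classify(S0_ACL, "20.0.0.2", "10.0.0.1", "in", protected=True),   # accept
        "b_to_a_clear": classify(S0_ACL, "20.0.0.2", "10.0.0.1", "in"),                   # drop
        "denied_host": classify(S0_ACL, "10.0.0.5", "20.0.0.2", "out"),                   # clear
        "second_sa": classify(S0_ACL, "10.0.1.7", "20.0.0.9", "out"),                     # protect:2
        "no_match": classify(S0_ACL, "10.0.0.1", "30.0.0.1", "out"),                      # clear
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The reversal in `first_match` is the point worth remembering when auditing a policy: the ACL on S0 is written for traffic leaving S0, and the return traffic is matched by swapping source and destination against the same entries, which is why the S1 access list in the figure is simply the mirror of the S0 one. The "drop" outcome shows why a peer whose IPsec is misconfigured or down cannot silently fall back to clear text for protected flows.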
Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x, page 30-13