Match – Brocade Mobility RFS7000-GR Controller CLI Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


53-1001945-01

10 Crypto Map Config Commands

match

Use this command to assign an IP access-list to a crypto map definition. The access-list designates
the IP packets to be encrypted by this crypto map.

A crypto map entry is a single policy that describes how certain traffic is to be secured. There are
two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is
used to sort the ordered list.

When a non-secured packet arrives on an interface, the crypto map set associated with that
interface is processed in order. If a crypto map entry matches the non-secured traffic, the traffic is
discarded.

When a packet is to be transmitted on an interface, the crypto map set associated with that
interface is processed in order. The first crypto map entry that matches the packet will be used to
secure the packet. If a suitable SA exists, that is used for transmission. Otherwise, IKE is used to
establish an SA with the peer. If no SA exists, and the crypto map entry is “respond only”, the
packet is discarded.

When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not
exist, or if the packet fails any of the security checks (bad authentication, traffic does not match SA
selectors, etc.), it is discarded. If all checks pass, the packet is forwarded normally.
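The three processing paths described above (outbound selection of the first matching entry, discarding of non-secured inbound traffic that an entry claims, and SPI lookup plus checks for secured inbound traffic), as an added Python model that is not Brocade code or anything from this guide; it also honours the usage guideline that an entry with no ACL bound is incomplete and has no effect. Rule, CryptoMapEntry, the pkt dict, the sa_exists callback and the sa_table layout are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One extended-ACL rule: source/destination network (CIDR or 'any') and protocol."""
    src: str
    dst: str
    proto: str = "any"

    def matches(self, pkt: dict) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and self.proto in ("any", pkt["proto"]))

@dataclass
class CryptoMapEntry:
    index: int                    # sorts the ordered list
    acl: Optional[list] = None    # Rule list bound with 'match address'; None = not yet assigned
    respond_only: bool = False

def first_match(cmap, pkt):
    """Walk the set in index order; entries without an ACL are incomplete and are skipped."""
    for e in sorted((e for e in cmap if e.acl is not None), key=lambda e: e.index):
        if any(r.matches(pkt) for r in e.acl):
            return e
    return None

def outbound(cmap, pkt, sa_exists):
    """Packet to be sent: 'secure' (SA exists), 'ike' (negotiate), 'drop' (respond only) or 'clear'."""
    e = first_match(cmap, pkt)
    if e is None:
        return "clear"            # no entry claims the traffic: it leaves unprotected
    if sa_exists(e.index):        # constructed callback: does an SA exist for this entry?
        return "secure"
    return "drop" if e.respond_only else "ike"

def inbound_clear(cmap, pkt):
    """Non-secured packet arriving: discarded if any crypto map entry matches it."""
    return "drop" if first_match(cmap, pkt) else "forward"

def inbound_secured(sa_table, spi, pkt, auth_ok):
    """Secured packet: look the SA up by SPI, then require valid auth and matching SA selectors."""
    sa = sa_table.get(spi)        # constructed layout: {spi: {"selectors": [Rule, ...]}}
    if sa is None or not auth_ok or not any(r.matches(pkt) for r in sa["selectors"]):
        return "drop"
    return "forward"
```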

Syntax

match (address) <WORD>

Parameters

(address) <list name>

Enter the name of the access list or ACL id you wish to assign to this crypto map.

Usage Guidelines

Crypto map entries do not directly contain the selectors used to determine which data to secure.
Instead, the crypto map entry refers to an access control list. An access control list (ACL) is
assigned to the crypto map using the match address command. If no ACL is configured for a crypto
map, then the entry is incomplete and will have no effect on the system.

The entries of the ACL used in a crypto map should be created with respect to traffic sent by the OS
product. The source information must be the local OS product and the destination must be the
peer.

Only extended access-lists can be used in crypto maps.

Example

The following example shows setting up an ACL (called TestList) and then assigning the new list to a
crypto map (called TestMap):

RFS7000(config)#ip access-list extended TestList
Configuring New Extended ACL "TestList"
RFS7000(config-ext-nacl)#exit
RFS7000(config)#crypto map TestMap 220 isakmp dynamic
RFS7000(config-crypto-map)#match address TestList
RFS7000(config-crypto-map)#
