Match – Brocade Communications Systems RFS6000 User Manual


376

Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide

53-1001931-01

10  Crypto Map config commands

match

Use this command to assign an IP access-list to a crypto map definition. The access-list designates
the IP packets to be encrypted by this crypto map.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two
types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used
to sort the ordered list).

When a non-secured packet arrives on an interface, the crypto map set associated with that
interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is
discarded.

When a packet is transmitted on an interface, the crypto map set associated with that interface is
processed. The first crypto map entry that matches the packet is used to secure the packet. If a
suitable SA exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the
peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.

When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not
exist (or if the packet fails any of the security checks), the packet is discarded. If all checks pass,
the packet is forwarded normally.
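The processing order described above, together with the Usage Guidelines rule that an entry with no ACL is incomplete and has no effect, as an added Python model that is not from the Brocade guide; the ACL entries, map indices and SA state are constructed, and keying SAs by crypto map index is a simplification of this model:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    """One extended-ACL entry, written from the local OS's view: src=local, dst=peer."""
    src: str           # CIDR of the local side
    dst: str           # CIDR of the peer side
    proto: str = "ip"  # "ip" matches any protocol

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("ip", pkt["proto"]))

@dataclass(order=True)
class CryptoMapEntry:
    index: int                                  # sort key of the ordered map
    acl: Optional[list] = field(default=None, compare=False)
    respond_only: bool = field(default=False, compare=False)

def first_match(crypto_map: list, pkt: dict) -> Optional[CryptoMapEntry]:
    """Walk the map in index order; an entry without an ACL is incomplete and skipped."""
    for entry in sorted(crypto_map):
        if entry.acl and any(ace.matches(pkt) for ace in entry.acl):
            return entry
    return None

def outbound(crypto_map: list, pkt: dict, sa_for_entry: set) -> str:
    """Transmit path: first match secures the packet; no SA -> IKE, unless respond-only."""
    entry = first_match(crypto_map, pkt)
    if entry is None:
        return "forward-clear"            # no policy covers this traffic
    if entry.index in sa_for_entry:       # simplification: SAs keyed by entry index
        return "encrypt"
    return "discard" if entry.respond_only else "initiate-ike"

def inbound_clear(crypto_map: list, pkt: dict) -> str:
    """Receive path for an unprotected packet: if a policy covers it, drop it."""
    # Selectors describe traffic the OS sends, so the arriving packet is
    # compared with source and destination swapped (assumption of this model).
    mirrored = {"src": pkt["dst"], "dst": pkt["src"], "proto": pkt["proto"]}
    return "discard" if first_match(crypto_map, mirrored) else "forward"

# Constructed sample: entry 10 has no ACL yet (incomplete); entry 20 covers 10.0.0.1 -> 192.0.2.0/24
TEST_LIST = [Ace("10.0.0.1/32", "192.0.2.0/24")]
TEST_MAP = [CryptoMapEntry(20, acl=TEST_LIST, respond_only=True), CryptoMapEntry(10)]
```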

Supported in the following platforms:

Mobility RFS4000 Controller

Mobility RFS6000 Controller

Mobility RFS7000 Controller

Syntax

match address <acl-id>

Parameters

address      Match the address of packets to encrypt
<acl-id>     Enter the name of the access list or ACL ID to assign to this crypto map

Usage Guidelines

Crypto map entries do not directly contain the selectors used to determine which data to secure.
Instead, the crypto map entry refers to an access control list. An access control list (ACL) is
assigned to the crypto map using the match address command. If no ACL is configured for a crypto
map, the entry is incomplete and will have no effect on the system.

The entries of the ACL used in a crypto map should be created with respect to traffic sent by the
OS. The source information must be the local OS, and the destination must be the peer.

Only extended access-lists can be used in crypto maps.

Example

The following example sets up an ACL (called TestList) and assigns the new list to a crypto map
(called TestMap):

RFController(config)#ip access-list extended TestList
Configuring New Extended ACL "TestList"
