Cisco IOS Software Release 12.4(22)XR Technical References
9
Command Reference for Cisco PDSN Release 5.1 in IOS Release 12.4(22)XR1
OL-20781-01
access list
Usage Guidelines
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which
are transmitted as plain text (not encrypted).
When a packet is examined for an encryption access list match, encryption access list statements are
checked in the order that the statements were created. When a packet matches the conditions in a
statement, no more statements are checked. This means that you need to carefully consider the order in
which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply
the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET
interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP
access list. Extended access lists used to control virtual terminal line access or restrict contents of routing
updates must not match the TCP source port, the type of service value, or the packet's precedence.
Note
After an access list is created initially, any subsequent additions (possibly entered from the terminal) are
placed at the end of the list. You cannot selectively add or remove access list command lines from a
specific access list.
Caution
When creating encryption access lists, we do not recommend using the any keyword to specify source
or destination addresses. Using the any keyword with a permit statement could cause extreme problems
if a packet enters your router and is destined for a router that is not configured for encryption. This would
cause your router to attempt to set up an encryption session with a non-encrypting router. If you
incorrectly use the any keyword with a deny statement, you might inadvertently prevent all packets from
being encrypted, which could present a security risk.
Note
If you view your router’s access lists by using a command such as show ip access-list, all extended IP
access lists are displayed in the command output. This includes extended IP access lists that are used for
traffic filtering purposes as well as those that are used for encryption. The show command output does
not differentiate between the two uses of the extended access lists.
Examples
The following example shows how to create a numbered encryption access list that specifies a class C
subnet for the source and a class C subnet for the destination of IP packets. When the router uses this
encryption access list, all TCP traffic exchanged between the source and destination subnets is
encrypted.
access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255
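The first-match evaluation and the ordering caution described above, worked through in an added Python model that is not part of the Cisco documentation or of IOS itself. It parses extended access-list lines in the form shown in the example (address/wildcard pairs, any, host; no port operators, which is an assumption of this model), applies Cisco wildcard-mask matching, stops at the first matching statement, and treats no match as the implicit deny; the second ACL line is a constructed illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed encryption access list: the page's own entry plus one illustrative line.
ACL_LINES = [
    "access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255",
    "access-list 101 deny ip any any",
]

# action "permit" = packet is encrypted, "deny" = packet is sent as plain text
AclEntry = namedtuple("AclEntry", "action proto src src_wc dst dst_wc")

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(lines):
    """Parse numbered extended ACL lines in the form used on this page (assumed: no port operators)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = tokens[2], tokens[3]
        src, src_wc, rest = _take_addr(tokens[4:])
        dst, dst_wc, _ = _take_addr(rest)
        entries.append(AclEntry(action, proto, src, src_wc, dst, dst_wc))
    return entries

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care'; only the 0 bits are compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(entries, proto, src, dst):
    """Statements are checked in entry order; the first match decides. No match: implicit deny."""
    for e in entries:
        if e.proto in ("ip", proto) and wildcard_match(src, e.src, e.src_wc) \
                and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"
```

Feeding the same two statements in the opposite order makes the deny-any line shadow the permit, so no traffic between the subnets is encrypted, which is the failure the caution warns about.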