brocade-communications-sy rfs6000 사용자 설명서
376
Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide
53-1001931-01
Crypto Map config commands
10
match
Use this command to assign an IP access-list to a crypto map definition. The access-list designates
the IP packets to be encrypted by this crypto map.
the IP packets to be encrypted by this crypto map.
A crypto map entry is a single policy that describes how certain traffic is secured. There are two
types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used
to sort the ordered list).
types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used
to sort the ordered list).
When a non-secured packet arrives on an interface, the crypto map set associated with that
interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is
discarded.
interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is
discarded.
When a packet is transmitted on an interface, the crypto map set associated with that interface is
processed. The first crypto map entry that matches the packet is used to secure the packet. If a
suitable SA exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the
peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.
processed. The first crypto map entry that matches the packet is used to secure the packet. If a
suitable SA exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the
peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up a SA. If a SA does not exist
(or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is
forwarded normally.
(or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is
forwarded normally.
Supported in the following platforms:
•
Mobility RFS4000 Controller
•
Mobility RFS6000 Controller
•
Mobility RFS7000 Controller
Syntax
match address <acl-id>
Parameters
Usage Guidelines
Crypto map entries do not directly contain the selectors used to determine which data to secure.
Instead, the crypto map entry refers to an access control list. An access control list (ACL) is
assigned to the crypto map using the match address command. If no ACL is configured for a crypto
map, the entry is incomplete and will have no effect on the system.
Instead, the crypto map entry refers to an access control list. An access control list (ACL) is
assigned to the crypto map using the match address command. If no ACL is configured for a crypto
map, the entry is incomplete and will have no effect on the system.
The entries of the ACL used in a crypto map should be created with respect to traffic sent by the
OS. The source information must be the local OS, and the destination must be the peer.
OS. The source information must be the local OS, and the destination must be the peer.
Only extended access-lists can be used in crypto maps.
Example
The following entails setting up an ACL (called TestList) and assigning the new list to a crypto map
(called TestMap):
(called TestMap):
RFController(config)#ip access-list extended TestList
Configuring New Extended ACL "TestList"
address
Match the address of packets to encrypt
<acl-id>
Enter the name of the access list or ACL ID to assign to this crypto
map
map