Crypto Access Lists


Crypto access lists are simply extended IP access lists put to a particular use. With a crypto access list, you determine exactly what traffic gets IPSec protection by specifying source and destination IP addresses, port numbers, and the protocol. The protocol you configure in the crypto access list can be IP, TCP, or UDP. Remember, IPSec only works with IP.


Crypto ACLs use extended IP ACLs only, and you can use both named and numbered IP ACLs.


Crypto ACLs are not applied to any interfaces. However, the router still uses them to evaluate traffic flows both inbound to the router and outbound from the router.

Outbound Traffic

If you are familiar with dial-on-demand routing (DDR) and dialer lists, or quality of service (QoS) and classifying traffic, then you know that ACLs identify interesting traffic. Crypto ACLs serve a similar purpose. A router needs to know what traffic must be encrypted and what traffic gets sent in the clear. When a router evaluates outbound traffic, it uses the crypto ACL to make that decision. Using the crypto ACL, the router decides which traffic is encrypted and which is bypassed (sent in cleartext).

A permit entry in the crypto ACL indicates that traffic should be encrypted. A deny entry in the crypto ACL indicates that traffic should be sent in the clear.


Crypto ACLs determine whether outbound traffic should be encrypted and what traffic is forwarded in cleartext (bypassed).


Inbound Traffic

A router that is an IPSec peer must also determine which of the traffic it receives should have been encrypted. Crypto ACLs help with this decision as well. When a router receives traffic, it uses the crypto ACLs to determine whether the traffic should have been encrypted by the remote IPSec peer.

If received traffic should be encrypted (as determined by the crypto ACL) and is in fact encrypted, the traffic is permitted to enter the router. If the received traffic should be encrypted but is not, the router drops it. If received traffic is in cleartext and should not be encrypted, it bypasses the router's IPSec engine.


Crypto ACLs determine whether the router admits, drops, or lets inbound traffic bypass the router's IPSec engine.
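As an added illustration (not code from the book), the following Python model applies the outbound and inbound decisions described above to a constructed crypto ACL. It covers addresses and protocol only, and it models the inbound check the way IOS performs it: the same ACL is evaluated with source and destination swapped, which is why the crypto ACLs on two peers should be mirror images of each other.

```python
import ipaddress
from dataclasses import dataclass

def wildcard(addr: str, wc: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard 0.0.0.0 = one host)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" = protect with IPSec, "deny" = send in the clear
    proto: str                   # "ip", "tcp" or "udp" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str

def match(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny (cleartext)."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in ace.src
                and ipaddress.IPv4Address(pkt.dst) in ace.dst):
            return ace.action
    return "deny"

def outbound(acl, pkt: Packet) -> str:
    """Outbound: permit -> encrypt; deny (explicit or implicit) -> forward in cleartext."""
    return "encrypt" if match(acl, pkt) == "permit" else "cleartext"

def inbound(acl, pkt: Packet, arrived_encrypted: bool) -> str:
    """Inbound: ACL checked with src/dst swapped (the entry protecting A->B governs B->A)."""
    must_be_protected = match(acl, Packet(pkt.proto, pkt.dst, pkt.src)) == "permit"
    if not must_be_protected:
        return "bypass"           # cleartext traffic that was never meant for the tunnel
    return "admit" if arrived_encrypted else "drop"

# Constructed sample crypto ACL (addresses are illustrative, not from the original text):
#   deny   ip host 10.1.1.50 10.2.2.0 0.0.0.255      <- one host kept out of the tunnel
#   permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255  <- site-to-site traffic to protect
CRYPTO_ACL = [
    Ace("deny", "ip", wildcard("10.1.1.50", "0.0.0.0"), wildcard("10.2.2.0", "0.0.0.255")),
    Ace("permit", "ip", wildcard("10.1.1.0", "0.0.0.255"), wildcard("10.2.2.0", "0.0.0.255")),
]
```

Note that traffic matching no entry at all (for example, Internet-bound traffic) hits the implicit deny and is sent in the clear, so a crypto ACL that is too narrow silently leaks traffic outside the tunnel rather than blocking it.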




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
