Crypto Group Configuration Mode Commands

The Crypto Group Configuration Mode is used to configure crypto (tunnel) groups for providing fail-over redundancy for IPSec tunnels to packet data networks (PDNs).
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Return to the Exec mode.
 
exit
Exits the current configuration mode and returns to the context configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the context configuration mode.
 
match address
Associates an access control list (ACL) to the crypto group.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
match address acl_name [ preference ]
no match address acl_name
no
Deletes a previously configured ACL association.
acl_name
The name of the ACL being matched to the crypto group.
preference
The priority of the ACL.
The ACL preference is factored when a single packet matches the criteria of more than one ACL. preference can be configured to any integer value from 0 to 4294967295. "0" is the highest priority.
If multiple ACLs are assigned the same priority, the last one entered will be used first.
Important: The priorities are only compared for ACLs matched to other groups or to policy ACLs (those applied to the entire context).
Usage
IP ACLs are associated with crypto groups using this command. Both the crypto group and the ACLs must be configured in the same context.
ISAKMP crypto maps can then be associated with the crypto group. This allows user traffic matching the rules of the ACL to be handled according to the policies configured as part of the crypto map.
Example
The following command associates an ACL called corporate_acl to the crypto group:
match address corporate_acl
 
match ip pool
Matches the specified IP pool to the current crypto group. This command can be used multiple times to match more than one IP pool.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
match ip pool pool-name pool_name
no match ip pool pool-name pool_name
no
Deletes the matching statement for the specified IP pool from the crypto group.
pool_name
The name of an existing IP pool that should be matched.
Usage
Use this command to set the names of IP pools that should be matched in the current crypto group.
Example
The following command sets a rule for the current crypto group that will match an IP pool named ippool1:
match ip pool pool-name ippool1
 
switchover
Configures the fail-over properties for the crypto group as part of the Redundant IPSec Fail-Over feature.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
switchover auto [ do-not-revert ]
no switchover auto
no
Disables the automatic switchover of tunnels. This applies to both primary-to-secondary and secondary-to-primary switches.
auto
Default: Enabled
Allows the automatic switchover of tunnels.
do-not-revert
Default: Disabled
Disables the automatic switchover of secondary tunnels to primary tunnels.
Usage
This command configures the fail-over options for the Redundant IPSec Fail-over feature.
If the automatic fail-over options are disabled, tunneled traffic must be manually switched to the alternate tunnel (or manually activated if no alternate tunnel is configured and available) using the following command in the Exec Mode:
crypto-group group_name activate { primary | secondary }
For a definition of this command, see the crypto-group section of the Exec Mode Commands chapter of this guide.
Example
The following command disables the automatic secondary-to-primary switchover:
switchover auto do-not-revert
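The following is an added configuration example, not taken from the original guide, that puts the three crypto group mode commands together in one group. The outer commands used to reach the mode (configure, context, crypto group) are assumed from the usual StarOS configuration hierarchy and are not defined on this page; the context name corporate, the group name corp_cg, the ACL branch_acl and the pool ippool2 are constructed names (corporate_acl and ippool1 come from the examples above).

```text
configure
  context corporate
    crypto group corp_cg
      match address corporate_acl 0
      match address branch_acl 10
      match ip pool pool-name ippool1
      match ip pool pool-name ippool2
      switchover auto do-not-revert
      exit
    exit
  end
```

Both ACLs and both pools must already exist in the context corporate, because the crypto group and the ACLs it references are required to be in the same context. corporate_acl is given preference 0, so if a packet matches the criteria of both ACLs and the priorities are compared (for example against a policy ACL applied to the entire context), corporate_acl is used first. With do-not-revert set, a group that has failed over to its secondary tunnel stays on it even after the primary recovers; an operator moves traffic back with crypto-group corp_cg activate primary in the Exec mode.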
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883