Cisco Support Community

New Member

Exclude addresses from encryption

Hello


I've configured encryption between site A and site B as follows:

On site A, this is my configuration. As you can see, all traffic going through the interface Gi0/2/1 is encrypted.

crypto ipsec transform-set MyProfile-Trans esp-aes 256 esp-sha-hmac
!
crypto ipsec profile MyProfile
 set transform-set MyProfile-Trans
!
interface Tunnel110
 description *** Tunnel to SITE B ***
 bandwidth 1000000
 ip address 171.0.103.1 255.255.255.252
 tunnel source GigabitEthernet0/2/1
 tunnel mode ipsec ipv4
 tunnel destination 171.0.98.146
 tunnel protection ipsec profile MyProfile
!
interface GigabitEthernet0/2/1
 description *** Interface to SITE B ***
 ip address 171.0.98.41 255.255.255.252
 ip ospf hello-interval 5

I would like now to exclude some addresses from this tunnel. What is the best way to do so?

Thank you

Elise

3 REPLIES
VIP Purple

Exclude addresses from encryption

You can use policy-based-routing (PBR) to route some traffic a different way:

http://www.cisco.com/en/US/partner/products/ps6599/products_white_paper09186a00800a4409.shtml#wp14033

http://www.cisco.com/en/US/partner/docs/ios/12_2/ip/configuration/guide/1cfindep.html#wp1001398

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Exclude addresses from encryption

Hello

Thank you for your answer.


Is there no other possibility than a PBR?

I've seen something like:

crypto ipsec profile name
 match acl-name transform-set transform-set-name


But this "match" command is not accepted by my router: do you know why?

Thank you

VIP Purple

Exclude addresses from encryption

Where have you seen that statement? I'm not aware of that command in that place.

But anyhow it would be the wrong place to achieve your goal.

What addresses do you want to exclude? Specific sources or specific destination-addresses?

For sources, there is only PBR. For destination-addresses you can tweak your routing-protocol to announce more specific host-routes on the preferred way.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

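As an added example that is not part of this thread, here is how the two approaches from the replies could look on site A's router: PBR to keep selected sources off Tunnel110, and a more specific route to send one destination over the underlay instead of the tunnel. The LAN-facing interface GigabitEthernet0/0/0, the underlay next hop 171.0.98.42 on the Gi0/2/1 /30, and the addresses 10.1.50.0/24 and 10.2.7.7 are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumed values: GigabitEthernet0/0/0 is the
! LAN-facing interface, 171.0.98.42 is the far end of the Gi0/2/1 /30 (the underlay
! next hop), 10.1.50.0/24 is a local subnet and 10.2.7.7 is a host at site B.
!
! 1) Source-based exclusion with PBR (the only option for sources, per the reply).
!    Packets from 10.1.50.0/24 are forwarded straight out Gi0/2/1 in the clear;
!    everything else keeps following the routing table, i.e. Tunnel110.
ip access-list extended CLEARTEXT-SOURCES
 permit ip 10.1.50.0 0.0.0.255 any
!
route-map BYPASS-TUNNEL permit 10
 match ip address CLEARTEXT-SOURCES
 set ip next-hop 171.0.98.42
!
route-map BYPASS-TUNNEL permit 20
 ! no match and no set: remaining traffic is routed normally
!
interface GigabitEthernet0/0/0
 description *** LAN-facing interface (assumed) ***
 ip policy route-map BYPASS-TUNNEL
!
! 2) Destination-based exclusion with a more specific route. A /32 for the host
!    beats the less specific prefix learned over the tunnel, so only that host
!    leaves via the underlay while the rest of its subnet stays encrypted.
ip route 10.2.7.7 255.255.255.255 171.0.98.42
!
! Verification: 'show route-map BYPASS-TUNNEL' shows policy-routed packet counts,
! 'show ip route 10.2.7.7' must point at 171.0.98.42 rather than Tunnel110, and
! the 'pkts encaps' counter in 'show crypto ipsec sa' should not increase for
! the excluded flows.
```

The excluded traffic crosses the WAN unencrypted, so only apply this to flows where that is acceptable, and site B needs the mirror-image routing so that return traffic takes the same path instead of arriving over the tunnel.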