Specifying a Virtual Router for an IKE Policy Rule
The ip address virtual-router command limits the scope of an IKE policy rule to a specific
local IP address on a specific virtual router. When this limitation is
configured, the router evaluates the policy rule for IKE security
associations only for the specified IP address and virtual
router.
When initiating or responding to an IKE SA exchange,
the router evaluates the possible policy rules as follows:
- If an IP-address-specific IKE policy rule refers to the
local IP address and virtual router for this exchange, the router
evaluates this policy rule before any non-IP-address-specific IKE
policy rules. If more than one IP-address-specific IKE policy rule
exists, the router evaluates the policy rule with the lowest priority
number first and then evaluates the policy rule with the next highest
priority number and so on.
- If no IP-address-specific IKE policy rule refers to the
local IP address and virtual router for this exchange, the router
evaluates all non-IP-address-specific IKE policy rules in the normal
IKE policy rule evaluation order.
You can define an IKE policy rule without specifying
an IP address or virtual router (the default). When not specifically
configured, the IKE policy rule remains valid for any local IP address
on any virtual router residing on the router.
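The evaluation order described above can be modeled to audit which rules are candidates for a given local address and virtual router. This is an added example, not JunosE code or configuration; the class and function names, the sample rules, and ascending priority number as the "normal" order for non-IP-address-specific rules are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicyRule:
    priority: int                          # IKE policy rule priority number
    local_ip: Optional[str] = None         # None = not IP-address-specific (default)
    virtual_router: Optional[str] = None

    def scoped(self) -> bool:
        return self.local_ip is not None


def evaluation_order(rules: List[IkePolicyRule], local_ip: str,
                     virtual_router: str) -> List[IkePolicyRule]:
    """Candidate rules for one IKE SA exchange, in evaluation order."""
    here = (local_ip, virtual_router)
    matching = [r for r in rules
                if r.scoped() and (r.local_ip, r.virtual_router) == here]
    unscoped = [r for r in rules if not r.scoped()]
    # Scoped rules for this address and virtual router go first, lowest
    # priority number first. Assumption: the "normal" order for unscoped
    # rules is also ascending priority number.
    by_priority = lambda r: r.priority
    # Rules scoped to another address or virtual router are never candidates.
    return sorted(matching, key=by_priority) + sorted(unscoped, key=by_priority)


def unscoped_only(rules: List[IkePolicyRule],
                  endpoints: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Endpoints with no scoped rule; only the unscoped rules apply to them."""
    covered = {(r.local_ip, r.virtual_router) for r in rules if r.scoped()}
    return [ep for ep in endpoints if ep not in covered]


# Constructed sample policy set (addresses are documentation ranges).
RULES = [
    IkePolicyRule(10),
    IkePolicyRule(30, "192.0.2.1", "VR1"),
    IkePolicyRule(20, "192.0.2.1", "VR1"),
    IkePolicyRule(5, "198.51.100.7", "VR2"),
]

if __name__ == "__main__":
    for ip, vr in [("192.0.2.1", "VR1"), ("192.0.2.1", "VR2")]:
        order = [r.priority for r in evaluation_order(RULES, ip, vr)]
        print(f"{ip} on {vr}: {order}")
```

Running `unscoped_only` over the list of tunnel endpoints shows which ones are governed solely by the default, unscoped rules, which is where an unintended proposal is most likely to be accepted.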
ip address virtual-router
- Use to limit the scope of the IKE policy rule to the specified
local IP address on the specified virtual router. This limitation
ensures that this policy rule is evaluated for IKE security association
evaluations for only the specified IP address and virtual router.
- Example
- host1(config-ike-policy)#ip address virtual-router VR1
- Use the no version to remove
the IP address and virtual router limitation.
- See ip address virtual-router.