IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
Note Switching to the software-based cryptographic mode by entering the no crypto connect vlan command does not automatically change the configuration and enable software-based cryptographic operation. To enable software-based cryptographic mode and have it function correctly, you must remove the VPN module configuration and then reconfigure the switch for software-based cryptographic operation.
Effects of Exiting the Hardware-Based Cryptographic Mode on Existing IPSec SAs
These sections describe what happens to existing IPSec security associations (SAs) when you exit the hardware-based cryptographic mode. The behavior depends on the Cisco IOS release.
Cisco IOS Release 12.2(9)YO4 or Later Releases
The configuration guidelines for Cisco IOS Release 12.2(9)YO4 or later releases are as follows:
• When you enter the no crypto connect vlan command to break the connection between a port VLAN and the interface VLAN, the IPSec SAs are not automatically removed.
Note The IPSec SAs may still be removed by other features, such as dead peer detection (DPD) or IKE keepalives.
• If the no crypto connect vlan command is the last hardware-based cryptographic configuration command that you enter, the IPSec SAs are removed automatically as part of the switchover from hardware-based cryptographic mode to software-based cryptographic mode.
Cisco IOS Release 12.2(14)SY and Later Releases
The configuration guidelines for Cisco IOS Release 12.2(14)SY or later releases are as follows:
• When you enter the no crypto connect vlan command on a crypto-connected routed, access, or trunk mode port, all the associated SAs are removed.
• When you shut down a port VLAN, none of the associated SAs are removed.
• When you shut down an interface VLAN, the hardware-based cryptographic mode is not exited and none of the associated SAs are removed.
• When you enter the no ip address command on an interface VLAN, none of the associated SAs are removed.
• When you change the IP address on an interface VLAN by entering the ip address new-ip-address new-mask command, all the associated SAs are removed.
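The switchover that the Note above and the two release-specific sections describe, as an added example that is not from the Cisco document: break the crypto connection, check whether the SAs survived rather than assuming the release-specific behavior, clear any that remain, and only then remove the rest of the VPN module configuration. The hostname, module slot, VLAN IDs, addresses, and the crypto map name vpnmap are assumed for illustration; the physical port and VLAN membership you need for software-based operation depend on your own design and are not shown.

```cisco
! Added example, not from the Cisco document. Hostname "Switch", slot 4,
! VLAN 100, the address 192.0.2.1/24, port GigabitEthernet1/1, and the
! crypto map name "vpnmap" are assumed for illustration.
!
! Starting point: hardware-based cryptographic mode. The interface VLAN
! carries the crypto map and is bound to the VPN module; the physical
! outside port is crypto-connected to that interface VLAN.
Switch# show running-config interface Vlan100
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 crypto map vpnmap
 crypto engine slot 4
Switch# show running-config interface GigabitEthernet1/1
interface GigabitEthernet1/1
 no ip address
 crypto connect vlan 100
!
! Step 1: record IKE and IPSec SA state before changing anything, so the
! effect of each later command can be seen.
Switch# show crypto isakmp sa
Switch# show crypto ipsec sa
!
! Step 2: break the connection between the port VLAN and the interface VLAN.
Switch# configure terminal
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# no crypto connect vlan 100
Switch(config-if)# end
!
! Step 3: check instead of assuming. On 12.2(9)YO4 the SAs stay unless this
! was the last hardware crypto command (or DPD/IKE keepalives tear them down);
! on 12.2(14)SY and later they are removed. Either way, confirm it here.
Switch# show crypto ipsec sa
!
! Step 4: if any SA remains and you are leaving hardware crypto mode, clear
! the IPSec and IKE SAs explicitly so no traffic rides on a stale SA.
Switch# clear crypto sa
Switch# clear crypto isakmp
!
! Step 5: remove the remaining VPN module configuration on the interface
! VLAN. Per the Note, the switch does not do this for you; software-based
! crypto must then be configured explicitly for the interface.
Switch# configure terminal
Switch(config)# interface Vlan100
Switch(config-if)# no crypto engine slot 4
Switch(config-if)# end
!
! Step 6: confirm which crypto engine is now in use and that no SAs remain
! from the hardware-based configuration.
Switch# show crypto engine configuration
Switch# show crypto ipsec sa
```

The point of Step 3 is that the same command leaves SAs in place on one release and removes them on another, so a migration runbook should verify SA state after every command rather than encode one release's behavior.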
Note that the behavior described above depends on the type of interface as follows:
• Ethernet interface:
  – shut down—SAs are removed.
  – no shut down—SAs are recreated on the VPN module.