IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
VPN Module Configuration Guidelines
Use the guidelines in the following sections when configuring a VPN using the VPN module:
• Interaction with Other Features
• Preventing VPN Module Misconfigurations
• Miscellaneous Guidelines
• Handling Multicast Traffic
• Configuring MTU Settings
• Configuring Trunk Ports
• Configuring the VPN Module Inside Port and Outside Port
• Using Multiple VPN Modules in a Chassis
• Using IPSec Stateful Failover and the VPN Module
• Using IPSec NAT Transparency
• Using TopN Acceleration
• Using IPSec Anti-Replay Window Size Expansion
• Using Easy-VPN Client
• Using Dead-Peer-Detection
• Using WAN Interfaces
• Using Look-Ahead Fragmentation
• Using GRE Tunneling
• Using QoS
Interaction with Other Features
Follow these configuration guidelines for configuring a VPN using the VPN module:
• EtherChannels
You can enter the crypto connect vlan command only from the following:
– The associated port VLAN interface when the EtherChannel interface (port-channel interface) and participating interfaces are switch ports
– The EtherChannel interface when the EtherChannel interface (port-channel interface) and participant interfaces are routed ports
• ACL on a routed port without an IP address
When a routed port has a crypto connection, the IP ACLs that are attached to the routed port work
correctly even if the routed port does not have an IP address.
• HSRP configuration
– Do not use the standby use-bia command. Always use a virtual HSRP MAC address for the router’s MAC address.
– HSRP/GRE is supported.
Note: For an example, see the “HSRP” section on page 88.
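The following audit is an added example, not part of the original Cisco document: it checks an IOS-style configuration against the EtherChannel and HSRP guidelines above. The sample configuration is constructed, the function names are hypothetical, and treating any switchport sub-command as marking a switch port is an assumption of the example.

```python
# Constructed sample configuration (not from the original document).
SAMPLE_CONFIG = """\
interface Vlan10
 standby 1 ip 10.0.10.1
 standby use-bia
!
interface Port-channel1
 switchport
 crypto connect vlan 20
!
interface GigabitEthernet1/1
 no switchport
 channel-group 2 mode on
 crypto connect vlan 30
!
interface Port-channel2
 no switchport
 crypto connect vlan 30
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit(config):
    """Return sorted (interface, finding) tuples for the guidelines above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        crypto = any(l.startswith("crypto connect vlan ") for l in lines)
        member = any(l.startswith("channel-group ") for l in lines)
        # Assumption: a "switchport" sub-command means a switch port; "no switchport" means routed.
        switched = any(l.startswith("switchport") for l in lines)
        if any(l.startswith("standby use-bia") for l in lines):
            findings.append((name, "standby use-bia configured"))
        if crypto and member:  # belongs on the port-channel or its port VLAN interface
            findings.append((name, "crypto connect vlan on EtherChannel member"))
        if crypto and switched and name.lower().startswith("port-channel"):
            findings.append((name, "crypto connect vlan on switch-port EtherChannel"))
    return sorted(findings)
```

Port-channel2 in the sample is a routed EtherChannel carrying the command itself, which the guidelines allow, so it produces no finding.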