Technical information
26
IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
• Switched Port Analyzer (SPAN)
Interaction with the SPAN feature is as follows:
– If the SPAN session is set up to copy all the traffic from the VPN module inside port, then all the traffic before encryption and after decryption is sent to the SPAN port.
– If the SPAN session is set up to copy all the traffic from the VPN module outside port, then all the traffic before decryption and after encryption is sent to the SPAN port.
– If the SPAN session is set up to copy all the traffic from the Catalyst switch outside port (the port that connects to the WAN router), then all the traffic before decryption and after encryption is sent to the SPAN port.
• GRE tunnel interfaces
Attaching a crypto map set to a generic routing encapsulation (GRE) tunnel interface is not supported. You can use GRE tunnel interfaces with the VPN module, but there are configuration restrictions. You can configure the GRE tunnel interface in the same manner as on other Cisco routers, but you cannot attach a crypto map set to the tunnel interface itself. Instead, you attach the crypto map set to all of the ingress/egress interfaces over which the GRE tunnel spans. Note that HSRP/GRE is supported.
Note: For detailed configuration information, see the “Using GRE Tunneling” section on page 49.
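As an added illustration of the SPAN behaviour described above (this is not configuration from the Cisco document), the following local SPAN session mirrors the VPN module inside port to a capture host. It assumes the VPN module is in slot 2, so that GigabitEthernet2/1 is the module inside port and GigabitEthernet2/2 the outside port, and that the capture or IDS host sits on GigabitEthernet5/48; all three port names are assumptions.

```cisco
! Added example, not the document's own configuration.
! Assumptions: VPN module in slot 2 (Gi2/1 = inside port, Gi2/2 = outside port),
! capture/IDS host on Gi5/48.
!
! Session 1: mirror the inside port. Per the text, this delivers traffic before
! encryption and after decryption, i.e. the cleartext side of every tunnel.
monitor session 1 source interface GigabitEthernet2/1 both
monitor session 1 destination interface GigabitEthernet5/48
!
! Alternative (use a different destination port): mirror the outside port, or
! the switch port facing the WAN router, to see only the encrypted side.
! monitor session 2 source interface GigabitEthernet2/2 both
! monitor session 2 destination interface GigabitEthernet5/47
!
! Verify which source ports and direction the session actually copies:
! show monitor session 1
```

Because a session on the inside port exposes the cleartext of all tunnels terminated on the module, the SPAN destination port and the host behind it need the same access controls as the protected networks themselves; a session on the outside port or the WAN-facing switch port is sufficient when the goal is to observe tunnel establishment or traffic volumes rather than payloads.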
Preventing VPN Module Misconfigurations
Follow these guidelines to prevent VPN module misconfigurations:
• Removing a line in a crypto ACL causes all crypto maps using that ACL to be removed and
reattached to the VPN module. This action causes all the SAs that are derived from the crypto maps,
which referenced that ACL, to flap.
• Do not convert existing crypto-connected port characteristics. When the characteristics of a
crypto-connected access port or a routed port change (switch port to routed port or vice versa), the
associated crypto connection is deleted.
• The example in this section shows how a misconfiguration can affect the startup-configuration file. This example uses the following configuration:
– The interface VLAN is 100.
– The port VLAN is 200 on access port Gigabit Ethernet 1/1.
– The VPN module is in slot 2.
In this example, a crypto connection exists, and when the associated interface VLAN is removed from the VPN module inside port, a misconfigured startup-configuration file is created.
Note: With Cisco IOS Release 12.2(14)SY, it is no longer possible to remove an interface VLAN from the VPN module inside port while the crypto connection to the interface VLAN exists. You must first remove the crypto connection.
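The following is an added, constructed example of the safe removal order the Note describes; it is not the configuration listing from the Cisco document. It uses the same parameters as the text (interface VLAN 100, port VLAN 200 on access port GigabitEthernet1/1, VPN module in slot 2) and assumes that GigabitEthernet2/1 is the module inside port, that a crypto map named VPNMAP is attached to the interface VLAN, and that the VLAN address is 10.1.1.1/24; the port name, map name and address are all assumptions.

```cisco
! Added example, not the document's own listing.
! Assumed starting state: VLAN 100 is trunked to the module inside port (Gi2/1)
! and carries a crypto connection to port VLAN 200 on access port Gi1/1.
interface GigabitEthernet2/1
 switchport trunk allowed vlan 1,100
!
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 crypto map VPNMAP
 crypto connect vlan 200
!
interface GigabitEthernet1/1
 switchport access vlan 200
!
! Step 1: list the existing crypto connections before changing the trunk.
! show crypto vlan
!
! Step 2: remove the crypto connection first. On 12.2(14)SY and later the
! switch enforces this order; on earlier releases, removing the VLAN from the
! inside port while the connection exists is what corrupts the startup-config.
interface Vlan100
 no crypto connect vlan 200
!
! Step 3: only now detach the interface VLAN from the inside port trunk.
interface GigabitEthernet2/1
 switchport trunk allowed vlan remove 100
!
! Step 4: confirm no stale connection remains, then save a consistent config.
! show crypto vlan
! copy running-config startup-config
```

Running the show command before and after the change gives a quick check that the running configuration and the saved startup configuration agree, which is the condition the misconfiguration in this section violates.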