Technical information
IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
When you enter the write memory command, the following misconfigured startup-configuration
file is created:
.
.
.
interface GigabitEthernet1/1
 no ip address
 snmp trap link-status
 switchport
 switchport access vlan 200
 switchport mode access
 crypto connect vlan 100
end
.
.
.
interface GigabitEthernet2/1
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005 <-- misconfiguration
 switchport mode trunk
 flowcontrol receive on
 cdp enable
end
.
.
.
In this example, when you use this startup-configuration file to boot a switch, the misconfigured
crypto connections are removed after the VPN module boots and this warning message is displayed:
%CRYPTO: crypto connection to VLAN 100 is removed from gi1/1 because VLAN 100 doesn't
belong to any IPSec Service Module.
Note that all the configurations on the interface VLAN, such as the crypto map, are intact.
• Do not remove the interface VLAN or port VLAN from the VLAN database. All interface VLANs
and port VLANs must be in the VLAN database. When you remove these VLANs from the VLAN
database, the running traffic stops.
When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in
the VLAN database, this warning message is displayed:
VLAN id 100 not found in current VLAN database. It may not function correctly unless
VLAN 100 is added to VLAN database.
• When replacing a crypto map on an interface, always enter the no crypto map name [redundancy
| ssp group] command before reapplying a crypto map on the interface.
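The two failure modes above (a crypto connection whose interface VLAN is not carried by any VPN module trunk, and a VLAN missing from the VLAN database) can be caught by auditing a saved configuration before the switch is rebooted. The following is an added example, not part of the original note or any Cisco tool. It assumes the caller supplies the names of the VPN module's trunk ports (module_ports) and, optionally, the VLAN database contents (vlan_db), since neither can be derived from the configuration text alone; audit and expand_vlans are hypothetical helper names.

```python
import re

# Constructed sample, abridged from the misconfigured startup-configuration above.
SAMPLE = """\
interface GigabitEthernet1/1
 switchport
 switchport access vlan 200
 switchport mode access
 crypto connect vlan 100
end
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
end
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,100,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, module_ports, vlan_db=None):
    """Return (interface, vlan, reason) findings for crypto connections at risk."""
    # module_ports and vlan_db are caller-supplied assumptions (see lead-in).
    connects, allowed, port_vlan, current = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"crypto connect vlan (\d+)$", line):
            connects[current] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", line):
            allowed.setdefault(current, set()).update(expand_vlans(m.group(1)))
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            port_vlan[current] = int(m.group(1))
    on_module = set().union(*(allowed.get(p, set()) for p in module_ports))
    findings = []
    for intf, vlan in sorted(connects.items()):
        if vlan not in on_module:  # connection would be removed at boot
            findings.append((intf, vlan, "not allowed on any VPN module trunk"))
        for v in (vlan, port_vlan.get(intf)):  # interface VLAN, then port VLAN
            if vlan_db is not None and v is not None and v not in vlan_db:
                findings.append((intf, v, "missing from VLAN database"))
    return findings
```

Run against the sample with GigabitEthernet2/1 as the module trunk, the audit reports VLAN 100 on GigabitEthernet1/1, the same connection the %CRYPTO warning says is removed at boot.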