Technical information

IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
Handling Multicast Traffic
In Cisco IOS Release 12.2(9)YO and later releases, when a chassis contains a Switch Fabric Module, the
VPN module drops all multicast traffic. This does not occur if no Switch Fabric Module is
installed. To handle this multicast traffic issue, in Cisco IOS Release 12.2(14)SY and later releases, the
Cisco IOS software recognizes when a VPN module has been inserted into a chassis where there is a
Switch Fabric Module and automatically configures a SPAN session to forward the multicast traffic.
Note: The Firewall Services Module (WS-SVC-FWM-1-K9) and the Multiprocessor WAN Application
Module (WS-SVC-MWAM-1) have the same multicast traffic issues as the VPN module. Although this
publication covers the VPN module only, note that the other two service modules behave exactly as the
VPN module when handling multicast traffic.
See Table 2 for the descriptions of the switching modes that are used when the Switch Fabric Module is
installed.
Follow these guidelines for multicast traffic:

• With a Supervisor Engine 2, if there are two local SPAN sessions or one Remote SPAN (RSPAN)
  source session configured, the Cisco IOS software cannot generate another session for the VPN
  module multicast traffic. With this configuration, when you insert a VPN module, a syslog message
  is displayed directing you to remove one SPAN session.
• When you insert a VPN module and the system is in compact mode, one SPAN session is used (if
  available). If the system is in flow-through mode or truncated mode, the VPN module uses
  flow-through mode.
• If you install multiple service modules with the multicast traffic issue, they use the same SPAN
  session for forwarding multicast traffic. Use the show monitor command to display the current
  SPAN configuration.
• If you insert a VPN module in a chassis that is in compact mode and the two local SPAN sessions
  or one Remote SPAN (RSPAN) source session are already configured, the switch is put in compact
  mode. In this situation, all multicast traffic that is sourced from the VPN module is dropped. A
  syslog message is displayed directing you to remove one SPAN session.
• With a VPN module installed, if you insert a Switch Fabric Module in a chassis that is in
  flow-through mode and the two local SPAN sessions or one Remote SPAN (RSPAN) source session
  are already configured, the switch is put in compact mode. In this situation, all multicast traffic that
  is sourced from the VPN module is dropped. A syslog message is displayed directing you to remove
  one SPAN session.
Table 2 Switching Modes with Switch Fabric Module Installed

Modules                                                                              Switching Modes
-----------------------------------------------------------------------------------  ---------------
Between fabric-enabled modules (no nonfabric-enabled modules installed)              Compact
Between fabric-enabled modules (when nonfabric-enabled modules are also installed)   Truncated
Between fabric-enabled and nonfabric-enabled modules                                 Flow-through
Between nonfabric-enabled modules                                                    Flow-through
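
The following pre-insertion check is an added example, not part of the original Cisco publication: it applies the Supervisor Engine 2 SPAN limit from the guidelines above to saved show monitor output and reports how VPN module multicast traffic would be handled in a given switching mode. The sample output is constructed, and the "Session N" / "Type : ..." layout it parses, along with the function names, are assumptions that may need adjusting for your release.

```python
import re

# Constructed sample of `show monitor` output (not captured from a device).
# Assumption: each session prints a "Session N" header and a "Type : ..." line.
SAMPLE_FULL = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/1
Destination Ports      : Gi1/2

Session 2
---------
Type                   : Local Session
Source VLANs           :
    RX Only            : 10
Destination Ports      : Gi1/3
"""
SAMPLE_ONE_LOCAL = SAMPLE_FULL.split("Session 2")[0]  # only Session 1 remains

def session_types(show_monitor: str) -> dict:
    """Map session number -> lower-cased type string from `show monitor` text."""
    types, current = {}, None
    for line in show_monitor.splitlines():
        m = re.match(r"\s*Session\s+(\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s*Type\s*:\s*(.+?)\s*$", line)
        if m and current is not None:
            types[current] = m.group(1).lower()
    return types

def span_slot_free(show_monitor: str) -> bool:
    """Supervisor Engine 2 rule from the guidelines: no further session can be
    generated once two local sessions or one RSPAN source session exist.
    Other session types are not counted because the page does not mention them."""
    kinds = list(session_types(show_monitor).values())
    local = sum(k.startswith("local") for k in kinds)
    rspan_src = sum("remote source" in k for k in kinds)
    return local < 2 and rspan_src == 0

def multicast_outcome(mode: str, show_monitor: str) -> str:
    """mode is 'compact', 'truncated' or 'flow-through' (see Table 2)."""
    if mode != "compact":
        return "flow-through"  # the VPN module uses flow-through mode
    return "span" if span_slot_free(show_monitor) else "dropped"
```

A result of "dropped" corresponds to the cases where the syslog message directs you to remove one SPAN session.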