IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Technical information
Configuring a VPN Using the VPN Module
• The interface MTU setting is greater than 1500 bytes:
  – If the received packet length is greater than the global MTU value, the packets are dropped.
  – If the received packet length is less than or equal to the global MTU value, routing is performed and the outgoing interface is determined as the result of routing. Then, one of the following conditions applies:
    – If the received packet length is greater than the outgoing interface’s interface MTU value, the packets are sent to the MSFC2 to be fragmented.
    – If the received packet length is less than or equal to the outgoing interface’s interface MTU value, the packets are sent directly to the outgoing interface through hardware (PFC2).
Configuring Trunk Ports

Caution: When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by default. This default configuration does not work well with the VPN module and causes network loops. When you configure a trunk port for cryptographic connection, do not use the “all VLANs allowed” default. You need to explicitly specify all the desirable VLANs using the switchport trunk allowed vlan vlan-list command.

To verify the VLANs allowed by a trunk port, enter the show interface trunk command or the show int interface trunk command. The following display shows that all VLANs are allowed:
    cat6k# show interfaces GigabitEthernet 2/1 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi2/1       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi2/1       1-4094

    Port        Vlans allowed and active in management domain
    Gi2/1       1-4,7-8,513,1002-1005

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi2/1       1-4,7-8,513,1002-1005
    cat6k#
Due to an incorrect startup configuration or through the default trunk port configuration, an interface VLAN might be associated with a trunk port. When you try to remove the interface VLAN from the VLAN list, you might receive an error message similar to the following:

    Router# conf t
    Router(config)# int g1/1
    Router(config-if)# switchport trunk allowed vlan rem 71
    Command rejected:VLAN 61 is crypto connected to Vl62.
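A configuration audit for the two conditions described in this section: a trunk still carrying the “all VLANs allowed” default (1-4094), and an interface VLAN that has ended up in a trunk's allowed list. The script parses the “Vlans allowed on trunk” block of show interfaces trunk output and can also produce the explicit vlan-list string for a switchport trunk allowed vlan command. This is an added example, not code from the Cisco document; the sample output, port names, VLAN numbers and the set of interface VLANs passed to the audit are constructed.

```python
"""Audit 'show interfaces trunk' output for the all-VLANs default (added example)."""

# Constructed sample output in the same layout as the document's display.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi2/1       on           802.1q         trunking      1
Gi2/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi2/1       1-4094
Gi2/2       1-4,7-8,513

Port        Vlans allowed and active in management domain
Gi2/1       1-4,7-8,513,1002-1005
Gi2/2       1-4,7-8,513
"""

ALL_VLANS = set(range(1, 4095))          # what the "1-4094" default expands to

ALL_VLANS_ALLOWED = "ALL_VLANS_ALLOWED"
INTERFACE_VLAN_ON_TRUNK = "INTERFACE_VLAN_ON_TRUNK"


def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '1-4,7-8,513' into a set of ints."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def compress_vlan_list(vlans):
    """Inverse of expand_vlan_list: build the vlan-list string IOS accepts."""
    ordered = sorted(vlans)
    out = []
    i = 0
    while i < len(ordered):
        start = end = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == end + 1:
            i += 1
            end = ordered[i]
        out.append(f"{start}-{end}" if start != end else str(start))
        i += 1
    return ",".join(out)


def parse_allowed_vlans(output):
    """Return {port: set(vlans)} from the 'Vlans allowed on trunk' block only."""
    allowed = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Port"):             # every block starts with a header
            in_section = "Vlans allowed on trunk" in line
            continue
        if not in_section or not line.strip():
            continue
        port, spec = line.split(None, 1)
        allowed[port] = expand_vlan_list(spec)
    return allowed


def audit_trunks(output, interface_vlans=()):
    """List (port, finding) pairs. interface_vlans: VLANs that have an interface
    VLAN (e.g. a crypto-connected one) and should not appear on a trunk (assumption)."""
    findings = []
    for port, vlans in parse_allowed_vlans(output).items():
        if vlans == ALL_VLANS:
            findings.append((port, ALL_VLANS_ALLOWED))
        if vlans & set(interface_vlans):
            findings.append((port, INTERFACE_VLAN_ON_TRUNK))
    return findings


if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE_SHOW_TRUNK, interface_vlans={513}):
        print(f"{port}: {finding}")
    # Explicit list to configure instead of the default, from the wanted VLAN set:
    print("switchport trunk allowed vlan", compress_vlan_list({1, 2, 3, 4, 7, 8}))
```

Run it against the saved output of show interfaces trunk from the switch; a port reported with ALL_VLANS_ALLOWED still has the default the caution above warns about, and compress_vlan_list gives the explicit list to put in the switchport trunk allowed vlan command once the wanted VLANs are known.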