Technical information

IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Understanding How the VPN Module Works
When you configure a VPN on the Cisco routers, a packet is sent to a routed interface that is associated with an IP address. If the interface has an attached crypto map, the software checks that the packet is on an access control list (ACL) that is specified by the crypto map. If a match occurs, the packet is transformed (encrypted) before it is routed to the appropriate IPSec peer; otherwise, the packet is routed in the clear (unencrypted) state.
When you configure the VPN module, the same cryptographic operations are performed as on Cisco routers. The VPN module’s implementation of VPN is generally the same as on Cisco routers other than the use of interface VLANs and some configuration guidelines that are specific to the VPN module (see the “VPN Module Configuration Guidelines” section on page 25 for details).
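To make the crypto-map decision described above concrete, here is an added Python model that is not Cisco code and is not part of this note: it parses constructed crypto ACL lines written with IOS wildcard masks and reports whether a given flow would be encrypted to a peer or routed in the clear. The map entries, peers and addresses are constructed examples, and only IP-protocol ACL lines are modelled.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are inverted netmasks (0.0.255.255 == /16); a
    # non-contiguous mask (e.g. a netmask typed by mistake) is rejected.
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"not a contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)

def _take_addr(tok, i):
    # Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_crypto_acl(lines):
    # Parse '<permit|deny> ip <src> <dst>' lines into (action, src, dst) tuples.
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # only protocol 'ip' entries are modelled here
        src, i = _take_addr(tok, 2)
        dst, _ = _take_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def crypto_map_decision(crypto_map, src_ip, dst_ip):
    # crypto_map: list of (seq, peer, acl_entries), checked in sequence order.
    # The first ACL line that matches decides for that entry: permit means
    # encrypt to the entry's peer; deny means the entry does not protect the flow.
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for _seq, peer, acl in sorted(crypto_map, key=lambda entry: entry[0]):
        for action, src, dst in acl:
            if s in src and d in dst:
                if action == "permit":
                    return ("encrypt", peer)
                break
    return ("clear", None)  # no entry matched: routed unencrypted

# Constructed crypto map; the peers are RFC 5737 documentation addresses.
EXAMPLE_MAP = [
    (10, "192.0.2.1", parse_crypto_acl(["permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"])),
    (20, "198.51.100.7", parse_crypto_acl(["deny ip host 10.1.1.5 any",
                                           "permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255"])),
]
```

Running `crypto_map_decision(EXAMPLE_MAP, "10.1.1.5", "172.16.5.5")` returns `("clear", None)` because the deny line in entry 20 matches first, which is the kind of fall-through to unencrypted routing that a crypto ACL review should look for.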
Note For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the “IP Security and Encryption” section of the Cisco IOS Security Configuration Guide, Release 12.2.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/index.htm
When you configure the VPN module on the Catalyst 6500 series switches and Cisco 7600 Series Internet Routers, you ensure that all packets coming from or going to the Internet pass through the VPN module. The VPN module has an extensive set of policies that validate a packet before the packet is sent onto the local (trusted) LAN. The VPN module can use multiple Fast Ethernet or Gigabit Ethernet ports on other Catalyst 6500 series modules to connect to the Internet through WAN routers. Packets that are received from the WAN routers pass through the VPN module for IPSec processing.
On the local LAN side, traffic between the LAN ports can be routed or bridged on multiple Fast Ethernet or Gigabit Ethernet ports. Because the local LAN traffic is not encrypted or decrypted, it does not pass through the VPN module.
The VPN module does not maintain routing information, route, or change the MAC header of a packet (except for the VLAN ID from one VLAN to another).
Catalyst Switch Outside Ports and Inside Ports
The Fast Ethernet or Gigabit Ethernet ports on the Catalyst 6500 series switch and Cisco 7600 Series Internet Routers that connect to the WAN routers are referred to as Catalyst switch outside ports. These ports connect the local LAN to the Internet or to remote sites. Cryptographic policies are applied to the Catalyst switch outside ports.
The Fast Ethernet or Gigabit Ethernet ports on the Catalyst 6500 series switch and Cisco 7600 Series Internet Routers that connect to the local LAN are referred to as Catalyst switch inside ports.
The VPN module sends encrypted packets to the Catalyst switch outside ports and decrypted packets to the Policy Feature Card 2 (PFC2) for Layer-3 forwarding to the Catalyst switch inside ports.