Technical information

4

IPSec VPN Acceleration Services Module Installation and Configuration Note

78-14459-03 Rev C0

Understanding How the VPN Module Works

The VPN module appears to the CLI as a module with two Gigabit Ethernet ports. The VPN module has

no external connectors; the Gigabit Ethernet ports connect the VPN module to the switch backplane and

Switch Fabric Module (if installed).

One Gigabit Ethernet port handles all the traffic going to and coming from the Catalyst switch outside

all traffic going to and coming from the local LAN or inside ports. This port is referred to as the VPN

module inside port.

Your VPN configuration can have one or more Catalyst switch outside ports. To handle the packets from

multiple Catalyst switch outside ports, you need to direct the packets from multiple Catalyst switch

outside ports to the VPN module outside port by placing the Catalyst switch outside ports in a VLAN

with the outside port of the VPN module. This VLAN is referred to as the port VLAN. The port VLAN

Before the router can forward the packets using the correct routing table entries, the router needs to know

so that the packets from every Catalyst switch outside port are presented to the router with the

corresponding VLAN ID. This VLAN contains only the VPN module inside port and is referred to as

the interface VLAN. The interface VLAN is a Layer 3-VLAN. You configure the Layer 3 address and

Layer 3 features, such as ACLs and the crypto map, to the interface VLAN.

After you create and configure the port VLAN and the interface VLAN, you tie the VLANs together by

using a new CLI command (crypto connect vlan command). See the “Configuring a VPN Using the

VPN Module” section on page 21 for detailed information. Figure 1 shows the port VLAN and interface

VLAN configurations.