IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
crypto connect vlan 16
!
interface Vlan16
 ip address 192.168.16.1 255.255.255.0
 no mop enabled
Using Look-Ahead Fragmentation
Note: This section applies to VPN modules running Cisco IOS Release 12.2(14)SY or later releases.
Follow these guidelines for using Look-Ahead Fragmentation (LAF):
• Large packets can increase the IPSec packet size beyond the MTU, causing the IPSec packets to be
fragmented. When this situation occurs, the receiving IPSec peer must reassemble the packets prior
to decryption. This reassembly can place a serious load on many VPN gateway devices. The solution
is to fragment the packets ahead of IPSec processing, so that the receiving peer has nothing to
reassemble before decryption, and let the end devices bear the reassembly load.
• If there is no large packet connectivity through an IPSec peer, turn off LAF (the peer may be
discarding fragments found inside the IPSec packets).
• If an IPSec peer is experiencing high CPU utilization with large packet flows, verify that LAF is
enabled (the peer may be reassembling large packets).
For complete configuration information for LAF, refer to this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080115533.html
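The size arithmetic behind these guidelines, as an added example that is not part of the Cisco documentation. It assumes ESP tunnel mode over IPv4 with 3DES-CBC and HMAC-SHA1-96 and minimal padding; the constants and function names are illustrative, and the 1500-byte packet is a constructed input.

```python
# Assumed ESP tunnel-mode parameters (3DES-CBC + HMAC-SHA1-96); not taken from the page.
OUTER_IP = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8     # SPI + sequence number
IV = 8          # 3DES-CBC IV (16 for AES-CBC)
BLOCK = 8       # cipher block size (16 for AES-CBC)
ICV = 12        # HMAC-SHA1-96 integrity check value
IP_HDR = 20     # IPv4 header without options

def esp_size(inner_len):
    """Wire size of the ESP tunnel-mode packet that carries an inner packet."""
    # +2 covers the pad-length and next-header bytes, then round up to a block.
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV + padded + ICV

def ip_fragments(total_len, mtu):
    """Total lengths of the IPv4 fragments produced when a packet exceeds mtu."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8   # fragment offsets count 8-byte units
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes

def max_inner(mtu):
    """Largest inner packet whose ESP packet still fits within mtu."""
    n = mtu
    while esp_size(n) > mtu:
        n -= 1
    return n

def without_laf(inner_len, mtu):
    """Encrypt, then fragment: the peer must reassemble before it can decrypt."""
    return ip_fragments(esp_size(inner_len), mtu)

def with_laf(inner_len, mtu):
    """Fragment, then encrypt each piece: every ESP packet fits the MTU."""
    return [esp_size(f) for f in ip_fragments(inner_len, max_inner(mtu))]

if __name__ == "__main__":
    print("ESP size of a 1500-byte packet:", esp_size(1500))
    print("without LAF (fragments of one ESP packet):", without_laf(1500, 1500))
    print("with LAF (independent ESP packets):", with_laf(1500, 1500))
```

Without LAF the two outputs are fragments of a single ESP packet that the receiving gateway has to reassemble; with LAF they are two complete ESP packets, and the inner fragments they carry are reassembled by the end host.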
Using GRE Tunneling
Note: This section applies to VPN modules running Cisco IOS Release 12.2(14)SY or later releases.
Note: The VPN module is able to accelerate packet processing for up to 1023 GRE tunnels per chassis; excess
tunnels go through the route processor. The switch supports any number of GRE tunnels, but adding
more VPN modules does not increase the maximum of 1023 tunnels per chassis.
In Catalyst 6500 series switches or Cisco 7600 Series Internet Routers, GRE encapsulation and
decapsulation are traditionally performed by the route processor. When routing indicates that
encapsulated packets for a GRE tunnel will egress through an interface VLAN that is attached to a VPN
module inside port, that VPN module will seize the GRE tunnel. By seizing the tunnel, the VPN module
takes the GRE encapsulation and decapsulation duty from the route processor.
No explicit configuration changes are required to use this feature; configure GRE as you normally
would. As long as routing sends the GRE-encapsulated packets out an interface VLAN, the VPN module
will seize the GRE tunnel.