IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
Follow these guidelines for configuring GRE tunneling:
• If routing information changes and the GRE-encapsulated packets no longer egress through an
interface VLAN, the VPN module yields the GRE tunnel. After the VPN module yields the tunnel,
the route processor resumes encapsulation and decapsulation, which increases CPU utilization on the
route processor.
Caution: Ensure that your GRE tunnel configuration does not overload the route processor.
In Cisco IOS Release 12.2(9)YO and additional YO builds, all GRE encapsulation was performed
on the route processor. In Cisco IOS Release 12.2(14)SY, GRE tunnels that egress through a VPN
module have their GRE encapsulation and decapsulation performed by the VPN module. This
offloads packet-processing tasks from the route processor and also allows GRE scaling with
additional VPN modules.
• A delay of up to 10 seconds occurs between a routing change and the VPN module seizing the GRE
tunnel.
• When packets that are destined to a GRE tunnel arrive from a switching module that has a DFC
daughter card installed, GRE encapsulation is done by the route processor. The packets do not reach
the VPN module unencapsulated: the Cisco IOS software encapsulates the packets with the GRE header
and then sends them to the VPN module. When this occurs, GRE performance is limited by the software.
If the switching module does not have the DFC card, there is no issue and the VPN module
encapsulates the packets.
• If you are switching between hardware-based and software-based cryptographic modes, note that in
hardware-based mode the crypto map must be applied only to the interface VLAN and not to the tunnel
interface. This restriction differs from software-based cryptographic mode, where you attach the
crypto map to the physical (or VLAN) interface and to the tunnel interface.
• Tunnel mode is the only GRE mode that is supported. You may use the ttl and tos options with the
tunnel mode.
• The following options are not supported: sequence, key, and checksum. If any of these options are
specified, the VPN module will not seize the GRE tunnel.
• Use the show crypto vlan command to verify that the VPN module has seized the GRE tunnel:

    Router-2# show crypto vlan
    Interface VLAN 101 on IPSec Service Module port 7/1 connected to AT4/0/0.101
    Tunnel101 is accelerated via IPSec SM in slot 7
    Router-2#

• GRE tunneling of all non-IP packets is done by the route processor even if the tunnel is seized by
the VPN module.
• Configuring “service policy” on GRE tunnel interfaces is not supported.
For GRE tunneling configuration examples, see the “GRE Tunneling” section on page 86.
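
The guidelines above can be checked mechanically before a change window. The following is an added example, not code from this installation note or from Cisco: it lints tunnel stanzas for the settings that stop the VPN module from seizing a tunnel and cross-checks them against show crypto vlan output. The function names, the IOS sub-command spellings in RULES, and the sample input are assumptions constructed for illustration.

```python
import re

# Command prefix -> finding. The IOS sub-command spellings are assumptions;
# the page names the options only as sequence, key and checksum.
RULES = {
    "tunnel sequence-datagrams": "unsupported GRE option: sequence",
    "tunnel key": "unsupported GRE option: key",
    "tunnel checksum": "unsupported GRE option: checksum",
    "crypto map": "crypto map on tunnel interface; apply it to the interface VLAN only",
    "service-policy": "service policy on GRE tunnel interface is not supported",
}

def lint_tunnels(config):
    """Map each 'interface TunnelN' stanza to its guideline violations."""
    findings, current = {}, None
    for raw in config.splitlines():
        if not raw[:1].isspace():            # top-level line starts or ends a stanza
            m = re.match(r"interface\s+(Tunnel\d+)\s*$", raw)
            current = findings.setdefault(m.group(1), []) if m else None
        elif current is not None:            # indented line inside a tunnel stanza
            line = raw.strip() + " "
            current += [msg for cmd, msg in RULES.items()
                        if line.startswith(cmd + " ")]
    return findings

def accelerated_tunnels(show_output):
    """Tunnels that 'show crypto vlan' reports as seized by the VPN module."""
    return set(re.findall(r"^\s*(Tunnel\d+) is accelerated via IPSec SM",
                          show_output, re.M))

def audit(config, show_output):
    """Lint findings plus a flag for every tunnel the module has not seized."""
    report, seized = lint_tunnels(config), accelerated_tunnels(show_output)
    for name, issues in report.items():
        if name not in seized:
            issues.append("not accelerated: route processor handles GRE")
    return report

# Constructed sample input (not captured from a real device).
SAMPLE_CONFIG = ("interface Tunnel101\n tunnel source Vlan101\n!\n"
                 "interface Tunnel102\n tunnel key 42\n crypto map VPNMAP\n!\n"
                 "interface Vlan101\n crypto map VPNMAP\n")
SAMPLE_SHOW = ("Interface VLAN 101 on IPSec Service Module port 7/1 connected to AT4/0/0.101\n"
               "    Tunnel101 is accelerated via IPSec SM in slot 7\n")

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG, SAMPLE_SHOW).items():
        print(name, "OK" if not issues else issues)
```

A tunnel that shows lint findings or is missing from the accelerated set is one whose GRE processing falls to the route processor, which is the overload condition the caution above warns about.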