Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual
  1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Network Hardware
  5. SA-VAM - VPN Acceleration Module
  6. Installation and configuration manual
Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual

Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual

Vpn acceleration module 2+ (vam2+) installation and configuration guide
Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
VPN Acceleration Module 2+ (VAM2+)
Installation and Configuration Guide
Product Number: SA-VAM2+(=)
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO
CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS
MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY
PRODUCTS.
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-5979-03

Advertisement

Table of Contents
loading

Related Manuals for Cisco SA-VAM - VPN Acceleration Module

Summary of Contents for Cisco SA-VAM - VPN Acceleration Module

  • Page 1 MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com...
  • Page 2 You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
  • Page 3 Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website xiii Submitting a Service Request xiii Definitions of Service Request Severity...

  • Page 4: Table Of Contents

    Port Adapter Jacket Card 3 - 2 Warnings and Cautions 3 - 2 SA-VAM2+ Removal and Installation 3 - 2 Cisco 7200VXR Router Port Adapter Jacket Card 3 - 3 Cisco 7200VXR Series Routers 3 - 4 Cisco 7301 Router 3 - 6...
  • Page 5 Contents Defining a Transform Set 4 - 5 IPSec Protocols: AH and ESP 4 - 6 Selecting Appropriate Transforms 4 - 7 The Crypto Transform Configuration Mode 4 - 7 Changing Existing Transforms 4 - 7 Transform Example 4 - 8 Configuring IPSec 4 - 8 Ensuring That Access Lists Are Compatible with IPSec...
  • Page 6 Contents VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide OL-5979-03...
  • Page 7 • • Related Documentation, page ix • Obtaining Documentation, page x Documentation Feedback, page xi • Cisco Product Security Overview, page xi • Obtaining Technical Assistance, page xii • Obtaining Additional Publications and Information, page xiv • Revision History Document Version...
  • Page 8 Cisco 7206VXR routers with the NPE-225, NPE-400, NPE-G1 or NPE-G2 processors, and the Cisco 7301, and the Port Adapter Jacket Card in the I/O controller slot of a Cisco 7200VXR router with an NPE-G1 or NPE-G2 installed, and allows a port adapter to be installed in it.
  • Page 9 For configuration information and support, refer to the modular configuration and modular • command reference publications in the Cisco IOS software configuration documentation set that corresponds to the software release installed on your Cisco hardware. Access these documents at: http://www.cisco.com/en/US/products/sw/iosswrel/index.html Note Select translated documentation is available at http://www.cisco.com/ by selecting the topic...
  • Page 10 For FIPS 140 Security documents: • http://www.cisco.com/en/US/partner/products/hw/routers/ps341/products_regulatory_approvals_a nd_compliance09186a00800f009e.html For the VPN Device Manager documents: • http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2322/products_release_and_installa tion_notes_list.html • If you are a registered Cisco Direct Customer, you can access the following tools: Bug Toolkit: – http://www.cisco.com/en/US/partner/products/hw/routers/ps341/prod_bug_toolkit.html – Bug Navigator: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl – Feature Navigator: http://www.cisco.com/en/US/partner/products/prod_feature_navigator_for_cisco_IOS_tool_la...
  • Page 11 The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
  • Page 12 We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 13 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 14 Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL: http://www.cisco.com/go/guide...
  • Page 15 You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj Networking products offered by Cisco Systems, as well as customer support services, can be • obtained at this URL: http://www.cisco.com/en/US/products/index.html...
  • Page 16 Preface Obtaining Additional Publications and Information VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide OL-5979-03...
  • Page 17 (IETF) that provides secure transmission of sensitive information over unprotected networks such as the Internet. IPSec includes data authentication, antireplay services and data confidentiality services. Cisco follows these data encryption standards: IPSec—IPSec is an IP layer open standards framework that provides data confidentiality, data •...
  • Page 18 Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS software devices and CAs to communicate to permit your Cisco IOS software device to obtain and use digital certificates from the CA. IPSec can be configured with or without CA. The CA must be properly configured to issue certificates.
  • Page 19 Figure 1-5) of the Cisco 7000VXR series routers and the Cisco 7301 router. Alternatively, you can install the SA-VAM2+ into a Port Adapter Jacket Card (product ID:C7200-JC-PA) that is inserted in the I/O controller slot of a Cisco 7200VXR router with an NPE-G1 or NPE-G2 processor, for additional bandwidth (see Figure 1-2).
  • Page 20 Description/Benefit Throughput Up to 292 Mbps using 3DES on the Cisco 7200VXR routers, and up to 392 Mbps using 3DES on the Cisco 7301 router Note The number of IPSec tunnels depends on packet size Number of IPSec protected tunnels...
  • Page 21 Chapter 1 Overview Features 3. To support 5000 tunnels, 512 MB of memory is required. 4. The Cisco 7200VXR with the NPE-G2 is only available with Cisco IOS software version 12.4(4)XD. Performance Table 1-2 lists the performance information for the SA-VAM2+.
  • Page 22 Cisco IOS release, etc. 2. Using Cisco 12.3-10 image. Performance varies by Cisco IOS release. It is recommended that you download the most recent image for your Cisco 7200VXR or Cisco 7301 router.

  • Page 23: Leds

    Chapter 1 Overview Online Insertion and Removal (OIR) Online Insertion and Removal (OIR) SA-VAM2+ Online insertion and removal (OIR) is supported on the SA-VAM2+. Before removing the SA-VAM2+, we recommend that you shut down the interface so that there is no traffic running through the SA-VAM2+ when it is removed.

  • Page 24: Cables, Connectors, And Pinouts

    Chapter 1 Overview Cables, Connectors, and Pinouts Table 1-3 SA-VAM2+ LEDs LED Label Color State Function BOOT Amber Indicates the SA-VAM2+ is operating. ERROR Amber Indicates an encryption error has occurred. This LED is normally off. The following conditions must be met before the enabled LED goes on: The SA-VAM2+ is correctly connected to the backplane and receiving power.

  • Page 25: Slot Locations

    The SA-VAM2+ is supported in the port adapter slots on the Cisco 7200VXR series routers, and the Cisco 7301 routers. It is also supported in the Port Adapter Jacket Card that installs in the I/O controller port of the Cisco 7200VXR routers with the NPE-G1 or NPE-G2 processors.
  • Page 26 Chapter 1 Overview Slot Locations Figure 1-6 Cisco 7301 Slot Numbering SLOT 1 GIGAB IT ETHE RNET 0/0 RJ45 EN GIGAB IT ETHE LINK RNET 0/1 RJ45 EN GBIC GIGAB IT ETHE LINK RNET 0/2 RJ45 EN GBIC LINK CONS OLE...

  • Page 27: Required Tools And Equipment

    (Optional) Port Adapter Jacket Card for installation of a port adapter in the I/O controller slot of • Cisco 7200VXR routers with an NPE-G1 or NPE-G2 processor Hardware and Software Requirements This section describes the minimum software and hardware requirements for the SA-VAM2+: Software Requirements, page 2-2 •...

  • Page 28: Chapter 2 Preparing For Installation

    1. The Cisco IOS Release 12.2(14)SU is no longer available for sale. 2. The Cisco 7200VXR router with the NPE-G2 processor is only available with Cisco IOS Release 12.4(4)XD. To check the minimum software requirements of Cisco IOS software with the hardware installed on your router, Cisco maintains the Software Advisor tool on Cisco.com.

  • Page 29: Restrictions

    Port Adapter Jacket Card. The Port Adapter Jacket Card supported on the Cisco 7200VXR router with the NPE-G1 is available on Cisco IOS Release 12.4(6)T and 12.4(7) or later. The Port Adapter Jacket Card supported on the Cisco 7200VXR router with the NPE-G2 is available on Cisco IOS Release 12.4 (XD) or later.

  • Page 30: Electrical Equipment Guidelines

    Chapter 2 Preparing for Installation Safety Guidelines Electrical Equipment Guidelines Follow these basic guidelines when working with any electrical equipment: Before beginning any procedures requiring access to the chassis interior, locate the emergency • power-off switch for the room in which you are working. Disconnect all power and external cables before moving a chassis;...

  • Page 31: Compliance With U.s. Export Laws And Regulations Regarding Encryption

    See http://www.cisco.com/wwl/export/encrypt.html for more information about Cisco-eligible products, destinations, end users, and end uses. Check local country laws prior to export to determine import and usage requirements as necessary. See http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm as one possible, unofficial source of international encryption laws.
  • Page 32 Chapter 2 Preparing for Installation Compliance with U.S. Export Laws and Regulations Regarding Encryption VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide OL-5979-03...

  • Page 33: Removing And Installing The Sa-Vam2

    C H A P T E R Removing and Installing the SA-VAM2+ This chapter describes how to remove the Service Adapter VPN Acceleration Module 2+ (SA-VAM2+) from the supported platforms and how to install a new or replacement SA-VAM2+. Before you begin installation, read Chapter 2, “Preparing for Installation”...

  • Page 34: Online Insertion And Removal (Oir)

    SA-VAM2+ Removal and Installation This section describes how to remove and install the SA-VAM2+, and covers the following topics: Cisco 7200VXR Router Port Adapter Jacket Card, page 3-3 • Cisco 7200VXR Series Routers, page 3-4 •...

  • Page 35: Cisco 7200Vxr Router Port Adapter Jacket Card

    Cisco 7200VXR Router Port Adapter Jacket Card The I/O controller slot of the Cisco 7200VXR router with an NPE-G1 or NPE-G2 processor supports the Port Adapter Jacket Card with a SA-VAM2+ installed in it. The NPE-G1 or NPE-G2, with a third dedicated peripheral component interconnect (PCI) bus, provides additional bandwidth to the chassis.

  • Page 36: Cisco 7200Vxr Series Routers

    Cisco 7200VXR Series Routers Follow these steps to remove and insert the SA-VAM2+ in the Cisco 7200VXR series routers: Turn the power switch to the off position and then remove the power cable. (Optional on Cisco 7200VXR Step 1 series routers; see Caution, above) Attach an ESD wrist strap between you and an unpainted chassis surface.
  • Page 37 Chapter 3 Removing and Installing the SA-VAM2+ SA-VAM2+ Removal and Installation Figure 3-4 Placing the Port Adapter Lever in the Unlocked/Locked Position - Cisco 7206VXR Shown FAST ETHERNET INPUT/OUTPUT CONTROLLER Cisco 7200 Series Unlocked position Locked position Grasp the handle of the SA-VAM2+ and pull the SA-VAM2+ from the router. If you are removing a blank Step 4 port adapter, pull it completely out of the chassis slot.

  • Page 38: Cisco 7301 Router

    Power on the router by turning the power switch to the on position. Cisco 7301 Router Figure 3-6 and follow the steps below to remove and insert an SA-VAM2+ in the Cisco 7301 router: The Cisco 7301 supports a single SA-VAM2+ or port adapter. Note...
  • Page 39 Chapter 3 Removing and Installing the SA-VAM2+ SA-VAM2+ Removal and Installation Latch Slot guides SA-VAM2+ partially removed Ground for ESD wrist strap banana jack Use an ESD wrist strap to ground yourself to the router. A banana jack ground is to the left of the power Step 1 switch.
  • Page 40 Chapter 3 Removing and Installing the SA-VAM2+ SA-VAM2+ Removal and Installation VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide OL-5979-03...

  • Page 41: Configuring The Sa-Vam2

    The Cisco 7301 router supports a single SA-VAM2+. When installing two SA-VAM2+s on the Cisco 7200VXR series routers, per packet load balancing is not supported. With dual SA-VAM2+s installed, load balancing is done on a per IPSec tunnel basis, rather than on a per packet basis.

  • Page 42: Chapter 4 Configuring The Sa-Vam2+

    Note a static crypto map. Refer to the online publication, Configuring the VPN Acceleration Module http://www.cisco.com/univercd/cc/td/doc/product/core/7100/7100pacn/vam1/vamconf.htm. Optionally, you can configure certification authority (CA) interoperability (refer to the “Configuring Certification Authority Interoperability” chapter in the Security Configuration Guide). Using the EXEC Command Interpreter You modify the configuration of your router through the software command interpreter called the EXEC (also called enable mode).

  • Page 43: Enabling Sa-Vam2

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Enabling SA-VAM2+ SA-VAM2+ is enabled by default. To disable SA-VAM2+, use the following commands, starting in global configuration mode: Command Purpose Step 1 Disables SA-VAM2+. no crypto engine accelerator <slot number> Step 2 Enables SA-VAM2+.

  • Page 44: Configuring A Transform Set

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Command Purpose Step 4 (Optional) Specifies the lifetime of an IKE security association Router(config-isakmp)# lifetime seconds (SA). seconds—Number of seconds that each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. If this command is not enabled, the default value (86,400 Note seconds [one day]) will be used.
  • Page 45 Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Defining a Transform Set A transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a specific transform set to protect a particular data flow. To define a transform set, use the following commands, starting in global configuration mode: Command Purpose...
  • Page 46 Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Table 4-1 Allowed Transform Combinations (continued) Transform type Transform Description ESP Encryption Transform (Note: If an ESP esp-aes ESP with the 128-bit Advanced Encryption Authentication Transform is used, you must Standard (AES) encryption algorithm pick one.) esp-aes 128 ESP with the 128-bit AES encryption algorithm...

  • Page 47: Selecting Appropriate Transforms

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload.

  • Page 48: Transform Example

    For IPSec configuration examples, refer to the “IPSec Configuration Example” section on page 4-17. See the “Configuring IPSec Network Security” of the Cisco IOS Security Configuration Guide for more information on configuring IPSec. Ensuring That Access Lists Are Compatible with IPSec IKE uses UDP port 500.

  • Page 49: Creating Crypto Access Lists

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Step Command Purpose Step 1 Enables privileged EXEC mode. Enter your password if Router# enable prompted. Step 2 Enters global configuration mode. Router# configure terminal Step 3 Changes global lifetime values used when negotiating Router(config)# crypto ipsec security-association lifetime seconds seconds IPSec security associations (SAs).

  • Page 50: Creating Crypto Map Entries

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Step Command Purpose Step 1 Specifies conditions to determine which IP packets Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard will be protected. (Enable or disable crypto for destination destination-wildcard [log] traffic that matches these conditions.) We recommend that you configure “mirror image”...
  • Page 51 Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Command Purpose Step 5 Sets the AH Security Parameter Indexes (SPIs) and Router(config-crypto-m)# set session-key inbound ah spi hex-key-string keys to apply to inbound and outbound protected traffic if the specified transform set includes the AH protocol.

  • Page 52: Creating Dynamic Crypto Maps

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Command Purpose Step 6 (Optional) Specifies that separate security Router(config-crypto-m)# set security-association level per-host associations should be established for each source/destination host pair. Without this command, a single IPSec “tunnel” could carry traffic for multiple source hosts and multiple destination hosts.
  • Page 53 Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Command Purpose Step 3 (Optional) Accesses list number or name of an Router(config-crypto-m)# match address access-list-id extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.

  • Page 54: Applying Crypto Map Sets To Interfaces

    For IPSec configuration examples, refer to the “Configuring Compression Example”. See the “Configuring IPSec Network Security” of the Cisco IOS Security Configuration Guide for more information on configuring IPSec. Configure IKE Policy To configure IKE policy, follow the steps in “Configuring an IKE Policy”...

  • Page 55: Configure Ike Preshared Key

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Configure IKE Preshared Key To specify preshared keys at a peer, use the following commands in global configuration mode: Command Purpose Step 1 At the local peer: Router (config)# crypto isakmp key keystring address peer-address Specify the shared key to be used with a particular remote peer.

  • Page 56: Configure Crypto Map

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Command Purpose access-list-number Router (config)# access-list access-list-number {permit | deny} address mask Specify an integer from 700 to 799 that you select for the list. permit Permits the frame. deny Denies the frame. address mask Specify 48-bit MAC addresses written in dotted triplet form.

  • Page 57: Monitoring And Maintaining Ipsec

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Monitoring and Maintaining IPSec To clear (and reinitialize) IPSec security associations, use one of the following commands in global configuration mode: Command Purpose Clears IPSec security associations. Router(config)# clear crypto sa Using the clear crypto sa command without parameters Note will clear out the full SA database, which will clear out Router(config)# clear crypto sa counters...

  • Page 58: Verifying Ike And Ipsec Configurations

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Another transform set example is “myset2,” which uses Triple DES encryptions and MD5 (HMAC variant) for data packet authentication: crypto ipsec transform-set myset2 esp-3des esp-md5-hmac A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer): crypto map toRemoteSite 10 ipsec-isakmp match address 101...

  • Page 59: Verifying The Configuration

    Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Diffie-Hellman group: #1 (768 bit) lifetime: 3600 seconds, no volume limit Verifying the Configuration Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect immediately, clear the existing security associations. To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in global...
  • Page 60 Chapter 4 Configuring the SA-VAM2+ Configuration Tasks Router# show crypto ipsec sa interface: Ethernet0 Crypto map tag: router-alice, local addr. 172.21.114.123 local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0) current_peer: 172.21.114.67 PERMIT, flags={origin_is_acl,} #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10 #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10 #send errors 10, #recv errors 0 local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67...

  • Page 61: Configuration Examples

    Chapter 4 Configuring the SA-VAM2+ Configuration Examples For a detailed description of the information displayed by the show commands, refer to the “IP Security and Encryption” chapter of the Security Command Reference publication. Configuration Examples This section provides the following configuration examples: Configuring IKE Policies Example, page 4-21 •...

  • Page 62: Configuring Compression Example

    Chapter 4 Configuring the SA-VAM2+ Basic IPSec Configuration Illustration The crypto map is applied to an interface: interface Serial0 ip address 10.0.0.2 crypto map toRemoteSite In this example, IKE must be enabled. Note Configuring Compression Example The following example shows a simple configuration example for configuring compression. To configure an IKE policy: crypto isakmp policy 1 hash md5...

  • Page 63: Router A Configuration

    Chapter 4 Configuring the SA-VAM2+ Basic IPSec Configuration Illustration Figure 4-1 Basic IPSec Configuration Only packets from 10.0.0.2 to 10.2.2.2 are encrypted and authenticated across the network. Clear text Encrypted text Clear text 10.0.0.2 10.2.2.2 10.0.0.3 10.2.2.3 Router A Router B 10.0.0.1 10.2.2.1 All other packets are not encrypted...

  • Page 64: Router B Configuration

    101 permit ip host 10.2.2.3 host 10.0.0.3 Troubleshooting Tips To verify that Cisco IOS software has recognized SA-VAM2+, enter the show diag command and check the output. For example, when the router has the SA-VAM2+ in slot 4, the following output appears:...
  • Page 65 Chapter 4 Configuring the SA-VAM2+ Troubleshooting Tips 0x40:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x50:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x60:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x70:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF To see if the SA-VAM2+ is currently processing crypto packets, enter the show pas vam interface command.

  • Page 66: Monitoring And Maintaining The Sa-Vam2

    When the software crypto engine is active, the show crypto eli command yields no output. During bootup or OIR, when the Cisco IOS software agrees to redirect crypto traffic to the SA-VAM2+, it prints a message similar to the following: %ISA-6-INFO:Recognised crypto engine (0) at slot-1 ...switching to hardware crypto engine...

  • Page 67: I N D E X

    I N D E X crypto dynamic-map command 4 - 12 crypto ipsec security-association lifetime command 4 - 9 acceleration module, VPN (see VAM) 1 - 1 crypto map command 4 - 10, 4 - 11 access-list (encryption) command 4 - 10 crypto sa command, clear 4 - 19 crypto transform configuration mode, enabling...
  • Page 68 Index match address command 4 - 11, 4 - 13 MIBs 1 - 6 hardware requirements 2 - 2 module, VPN acceleration (see VAM) 1 - 1 prevention, ESD 2 - 4 configuring policies example 4 - 21 interpreter, EXEC command 4 - 2 IPSec access lists...
  • Page 69 Index software and hardware compatability ix, 2 - 2 standards supported 1 - 6 This 2 - 1 tips, troubleshooting 4 - 24 tools and equipment, required 2 - 1 troubleshooting tips 4 - 24 features 1 - 4 handling 3 - 1 monitoring and maintaining 4 - 26...

This manual is also suitable for:

Sa-vam2+

Table of Contents