Cisco Systems C7200 manual Enabling/Disabling the VSA, Disabling the VSA during Operation

Chapter 1 Overview

Enabling/Disabling the VSA

This section includes the following topics:

Disabling the VSA during Operation

Enabling/Disabling Scheme

The VSA crypto card does not support online insertion and removal (OIR). The VSA boots only during system initialization and will not work if it is inserted after the system is up and running. The VSA can be shut down with a disabling CLI command, after which it is ready for removal.

Disabling the VSA during Operation

Before removing the VSA, we recommend that you shut down the interface so that no traffic is running through the VSA when it is removed. Removing a VSA while traffic is flowing through the ports can cause system disruption.

Caution: You could damage the VSA if you remove it without first entering the disabling CLI command.

To disable the C7200 VSA, use the following commands, starting in global configuration mode:

Step    Command                                Purpose
------  -------------------------------------  -------------------------------------------------
Step 1  no crypto engine [slot accelerator] 0  Disables the C7200 VSA.
Step 2  crypto engine [slot accelerator] 0     Enables the C7200 VSA after it has been disabled.

Note: See Table 1-5 for more details.

Enabling/Disabling Scheme

This section describes how the VSA operates without OIR support.

Table 1-3 describes what occurs when the system boots up after power-on or after the reload command is entered.

Table 1-4 describes what occurs when the system is in run-time operation.

Table 1-5 describes what occurs when the crypto engine command is entered.

Table 1-3 System Boots Up After Power-on or After the reload Command is Entered

Condition           System Initialization
------------------  ------------------------------------------------------------------
VSA is present      The VSA subsystem comes up and initializes automatically. Other
                    crypto engines will be disabled.
VSA is not present  The VSA subsystem will not be initialized and the system will use
                    the other crypto engine, if one exists.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

OL-9129-02