Cisco Systems C7200 LEDs, Condition System is Configured, Command Description of VSA Behavior

Page 21

Chapter 1 Overview

LEDs

Table 1-4 System is in Run-time Operation

Condition	System is Configured

Inserting the VSA	The VSA runs in power-off, but you need to perform a system reload or a
	reset to bring the VSA up.

CLI Enabling VSA	Not supported.

CLI Disabling VSA	Hw-module slot 0 shutdown—Not supported.
	[no] crypto engine [slot accelerator] 0—SeeTable 1-5

Removing VSA	You must enter a disabling CLI (see Table 1-5) before removing the card
	to avoid damaging the hardware.

Table 1-5 crypto engine Command

Command	Description of VSA Behavior

Crypto engine slot 0	This allows the VSA to come up and be registered
Crypto engine accelerator 0	as a crypto engine with the system.
Note The VSA can only be inserted in slot 0	If you just performed this configuration and the
(the I/O controller slot).	VSA is currently disabled, reload or reset the
	system to bring the VSA up.
	Note The current crypto engine will be still
	running, and the VSA will take over after
	the next system reboot.

No crypto engine slot 0	These CLIs will disable the VSA. This is a
No crypto engine accelerator 0	configuration setting, so the VSA will remain
	disabled until you remove this configuration and
	system reloads or resets.

LEDs

The VSA has one LED, as shown in Figure 1-3.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	1-7

Image 21

Contents Text Part Number OL-9129-02 Corporate HeadquartersPage N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Audience PrefaceObjectives OrganizationChapter Title Description Related Documentation Obtaining DocumentationCisco.com Documentation Feedback Cisco Product Security OverviewProduct Documentation DVD Ordering Documentation Product Alerts and Field Notices Reporting Security Problems in Cisco ProductsCisco Technical Support & Documentation Website Obtaining Technical AssistanceSubmitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Xiv Data Encryption Overview OverviewVSA Overview VSA Module Front View Screws Handle Status LED lightThis section describes the VSA features, as listed in Table FeaturesFeature Description/Benefit Hardware RequiredPerformance Supported Standards, MIBs, and RFCsStandards MIBsEnabling/Disabling the VSA Command PurposeDisabling the VSA during Operation Enabling/Disabling SchemeCondition System is Configured Command Description of VSA BehaviorLEDs See -2for the VSA connectors ConnectorsSlot Locations Cisco 7204VXR RouterCisco 7204VXR Router Front View Port adapter VSA in I/O controller slot Port adapter leverCisco 7206VXR Front View Cisco 7206VXR RouterHardware and Software Requirements Required Tools and EquipmentHardware Requirements Software RequirementsRestrictions PlatformSafety Guidelines Safety WarningsOnline Insertion and Removal OIR Preventing Electrostatic Discharge Damage Electrical Equipment GuidelinesPreparing for Installation OL-9129-02 VSA circuit board is sensitive to ESD damage Handling the VSAThis section describes how to remove and install the VSA VSA Removal and InstallationRemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Overview Configuration TasksConfiguring an IKE Policy Using the Exec Command InterpreterConfig-isakmp mode Key Management Protocol Isakmp policy configurationOptional Specifies the authentication method within an IKE Signatures as the authentication methodDisabling VSA Optional Configuring a Transform SetDefining a Transform Set Transform type Description Crypto Transform Configuration Mode IPSec Protocols AH and ESPSelecting Appropriate Transforms Ensuring That Access Lists Are Compatible with IPSec Configuring IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing TransformsStep Command Purpose Creating Crypto Map Entries Creating Crypto Access ListsAuthenticator keys if the transform set includes an Only one transform set can be specified when IKE isESP authenticator algorithm Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps Extended access list. This access list determines Optional Accesses list number or name of anIf this is configured, the data flow identity proposed For this crypto access listApplying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSecRouter# show crypto isakmp policy Verifying IKE and IPSec ConfigurationsVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IKE Policies Example Configuration ExamplesConfiguring IPSec Configuration Example This section provides the following configuration examplesBasic IPSec Configuration Illustration Router a ConfigurationCrypto map is applied to an interface Router B Configuration Transform set defines how the traffic will be protectedSpecify the parameters to be used during an IKE negotiation Router# show diag Troubleshooting TipsTunnel I/F Monitoring and Maintaining the VSA Using Deny Policies in Access ListsConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsD E Sa command, clear crypto Entries, creating Set pfs commandSet session-key command Set transform-set command Handling VPN Acceleration Module see VAM 1 Features Handling Monitoring and maintaining 4 OverviewIN-4