Monitor and Maintenance Commands | Cisco Systems C7200 specs

Chapter 4 Configuring the VSA

Monitoring and Maintaining the VSA

The crypto ipsec ipv4 deny-policy{jump clear drop} command helps you avoid this problem. The clear keyword allows a deny address range to be programmed in hardware, the deny addresses are then filtered out for encryption and decryption. When a deny address is hit, the search is stopped and traffic is allowed to pass in the clear (unencrypted) state. The drop keyword causes traffic to be dropped when a deny address is hit. These two new keywords are used to prevent repeated address ranges from being programmed in the hardware, resulting in more efficient space utilization.

Configuration Guidelines and Restrictions

•The crypto ipsec ipv4 deny-policy{jump clear drop} command is a global command that can be applied to a VSA module. The specified keyword (jump, clear, or drop) is propagated to the ACE software of the VSA module. The default behavior is jump.

•If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured on the VSA module, all existing IPSec sessions are temporarily removed and restarted which impacts traffic on your network.

•The number of deny entries that can be specified in an access list are dependent on the keyword specified:

–jump—Supports up to 8 deny entries in an access list

–clear—Supports up to 1000 deny entries in an access list

–drop—Supports up to 1000 deny entries in an access list

Monitor and Maintenance Commands

Use the commands that follow to monitor and maintain the VSA:

Command	Purpose

Router# show crypto engine	Verifies the VSA is currently processing crypto packets.
accelerator statistic 0

Router# Show version	Displays integrated service adapter as part of the interfaces.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-24	OL-9129-02

Image 58

Cisco Systems C7200 manual Monitor and Maintenance Commands, Configuration Guidelines and Restrictions

Contents

Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface Audience Organization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Overview Data Encryption Overview VSA Overview Screws Handle Status LED light VSA Module Front View Feature Description/Benefit FeaturesThis section describes the VSA features, as listed in Table Hardware Required Standards Supported Standards, MIBs, and RFCsPerformance MIBs Disabling the VSA during Operation Command PurposeEnabling/Disabling the VSA Enabling/Disabling Scheme Command Description of VSA Behavior Condition System is ConfiguredLEDs Slot Locations ConnectorsSee -2for the VSA connectors Cisco 7204VXR Router Port adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front View Cisco 7206VXR Router Cisco 7206VXR Front View Required Tools and Equipment Hardware and Software Requirements Restrictions Software RequirementsHardware Requirements Platform Safety Warnings Safety GuidelinesOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge Damage Preparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damage VSA Removal and Installation This section describes how to remove and install the VSA Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks Overview Using the Exec Command Interpreter Configuring an IKE Policy Optional Specifies the authentication method within an IKE Key Management Protocol Isakmp policy configurationConfig-isakmp mode Signatures as the authentication method Configuring a Transform Set Disabling VSA Optional Defining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Setting Global Lifetimes for IPSec Security Associations Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Changing Existing Transforms Step Command Purpose Creating Crypto Access Lists Creating Crypto Map Entries ESP authenticator algorithm Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an Exits crypto-map configuration mode and return to Creating Dynamic Crypto Maps If this is configured, the data flow identity proposed Optional Accesses list number or name of anExtended access list. This access list determines For this crypto access list Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces Verifying IKE and IPSec Configurations Router# show crypto isakmp policy Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IPSec Configuration Example Configuration ExamplesConfiguring IKE Policies Example This section provides the following configuration examples Router a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diag Tunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSA Monitor and Maintenance Commands Configuration Guidelines and Restrictions D E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1 IN-4