24-41
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Field Reference
Configuring VPNSM or VPN SPA/VSPA Endpoint Settings
When you select a Catalyst 6500/7600 device in the Endpoints table for editing, the VPN Interface tab
of the Edit Endpoints dialog box provides settings for configuring Cisco VPN Services Modules
(VPNSM), Cisco VPN Shared Port Adapters (VPN SPAs), and Cisco VPN Service Port Adapters
(VSPAs) on the device. You can select more than one Catalyst 6500/7600 device at the same time. Your
changes are applied to all the selected devices.
The device can be in a point-to-point or full mesh VPN topology, or a hub or spoke in a hub-and-spoke
VPN topology managed by Security Manager (except in an Easy VPN configuration, where the device
cannot be a spoke). These settings must also be configured if the selected device is an IPsec Terminator
in a large scale DMVPN, although not all settings described below are available. See Configuring Large
Scale DMVPNs, page 26-16.
General Notes
• A Catalyst 6500/7600 device can contain from 3 to 13 chassis slots. Due to the design of the blades,
  you can install one VPNSM or two VPNSPA/VSPA per slot. The location of a VPNSPA/VSPA is
  identified with a slot and subslot number. Security Manager stores this information in its inventory,
  so that Security Manager can manage the VPN topologies.
• If you are configuring intra-chassis high availability, you cannot use a VPNSM blade and a
  VPNSPA/VSPA blade on the same device as primary and failover blades.
• In a remote access VPN, you can configure only one failover unit for each IPsec proposal. See
  VPNSM/VPN SPA/VSPA Settings Dialog Box, page 32-6.
• If the Catalyst 6500/7600 has a Firewall Services Module (FWSM), you can configure it to work
  with these modules. For more information, see Configuring a Firewall Services Module (FWSM)
  Interface with VPNSM or VPNSPA/VSPA, page 24-45.
Table 24-7 Dial Backup Settings Dialog Box

Element                       Description

Next Hop Forwarding

Backup Next Hop IP Address    If required, enter the next hop IP address of the ISDN BRI or analog
                              modem backup interface (that is, the IP address to which the backup
                              interface will connect when it is active). You can enter an IP address or
                              the name of a network/host object, or click Select to select a
                              network/host object that specifies the IP address.
                              If you do not enter the next hop IP address, Security Manager
                              configures a static route using the interface name.

Tracking Object Settings

Timeout                       The number of milliseconds the Service Assurance Agent operation
                              waits to receive a response from the destination device. The default is
                              5000 ms.

Frequency                     How often Response Time Reporter (RTR) should be used to detect loss
                              of performance on the primary route. The default is every 60 seconds.

Threshold                     The rising threshold in milliseconds that generates a reaction event and
                              stores history information for the RTR operation. The default is 5000
                              ms.