Chapter 8 Ipsec Vpn Acceleration Services Module - Cisco 7600 Series Module Manual

IPSec VPN Acceleration Services Module
This chapter describes the IPSec VPN Acceleration Services Module (WS-SVC-IPSEC-1).
The IPSec VPN Acceleration Services module is a Gigabit Ethernet IPSec cryptographic module that
you can install in the Cisco 7600 series routers. (See
bump-in-the-wire (BITW) IPSec implementation using VLANs.
BITW is an IPSec implementation that starts egress packet processing after the IP stack has finished with
Note
the packet, and completes ingress packet processing before the IP stack receives the packet.
Specific combinations of supervisor engines and modules may not be supported in your chassis. Refer
Note
to the release notes of the software version running on your system for specific information on modules
and supervisor engine combinations that are not supported.
Figure 8-1
Configuring VPNs using the VPN module is similar to configuring VPNs on routers running Cisco IOS
software. When you configure VPNs with the VPN module, you attach crypto maps to VLANs (using
interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure
individual interfaces.
With the VPN module, crypto maps are still attached to individual interfaces, but the set of interfaces
Note
allowed is restricted to "interface VLANs."
When you configure a VPN on the Cisco routers, a packet is sent to a routed interface that is associated
with an IP address. If the interface has an attached crypto map, the software checks that the packet is on
an access control list (ACL) specified by the crypto map. If a match occurs, the packet is transformed
(encrypted) before it is routed to the appropriate IPSec peer; otherwise, the packet is routed in the clear
(unencrypted) state.
OL-9392-05
IPSec VPN Acceleration Services Module (WS-SVC-IPSEC-1)
STATUS LED
WS-SVC-IPSEC-1
IPSec VPN Acceleration Services Module
8
C H A P T E R
Figure 8-1.) The VPN module provides
Cisco 7600 Series Router Module Guide
8-1