Cisco 7100 Series Spezifikationen PDF herunterladen (Seite 61)

Intranet VPN Business Scenario 3-31

Configuring Crypto Maps

For redundancy, you could apply the same crypto map set to more than one interface. The

default behavior is as follows:

• Each interface will have its own piece of the SA database.

• The IP address of the local interface will be used as the local address for IPSec trafﬁc

originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you

need to specify an identifying interface. This has the following effects:

• The per-interface portion of the IPSec SA database will be established one time and

shared for trafﬁc through all the interfaces that share the same crypto map.

• The IP address of the identifying interface will be used as the local address for IPSec

trafﬁc originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface.

Use the crypto map map-name local-address interface-id command in global

conﬁguration mode tospecify redundantinterfaces and name an identifyinginterface. This

command permits redundant interfaces to share the same crypto map, using the same local

identity.

hq-sanjose# clear crypto sa

In privileged EXEC mode, clear the existing

IPSec SAs so that any changes are used

immediately. (Manually established SAs are

reestablished immediately.)

Note Using the clear crypto sa command

withoutparameters clears out the full SA database,

which clears out active security sessions. You may

also specify the peer, map, or entry keywords to

clear out only a subset of the SA database.

Step Command Purpose

1 2 ... 56 57 58 59 60 61 62 63 64 65 66 ... 111 112

Keine Kommentare

Cisco 7100 Series Spezifikationen Seite 61