Cisco Systems C7200 Network Cables User Manual


 
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Monitoring and Maintaining the VSA
The crypto ipsec ipv4 deny-policy {jump | clear | drop} command helps you avoid this problem. The
clear keyword allows a deny address range to be programmed in hardware; the deny addresses are then
filtered out for encryption and decryption. When a deny address is hit, the search is stopped and traffic
is allowed to pass in the clear (unencrypted) state. The drop keyword causes traffic to be dropped when
a deny address is hit. These two new keywords prevent repeated address ranges from being
programmed in the hardware, resulting in more efficient space utilization.
Configuration Guidelines and Restrictions
- The crypto ipsec ipv4 deny-policy {jump | clear | drop} command is a global command that can be
  applied to a VSA module. The specified keyword (jump, clear, or drop) is propagated to the ACE
  software of the VSA module. The default behavior is jump.
- If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured
  on the VSA module, all existing IPSec sessions are temporarily removed and restarted, which
  impacts traffic on your network.
- The number of deny entries that can be specified in an access list depends on the keyword
  specified:
  - jump—Supports up to 8 deny entries in an access list
  - clear—Supports up to 1000 deny entries in an access list
  - drop—Supports up to 1000 deny entries in an access list
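The following is an added example, not taken from the Cisco guide: a Python check that reads a running-config, determines the active deny-policy keyword (jump when the command is absent), and flags crypto-map access lists whose deny-entry count exceeds the limit listed above. The crypto map name, ACL name and addresses in the sample are constructed, and the parser assumes the usual IOS crypto map, match address and access-list syntax.

```python
import re

# Deny-entry limits per keyword, as stated in the guidelines above.
DENY_LIMITS = {"jump": 8, "clear": 1000, "drop": 1000}
# What the page says happens to traffic that hits a deny entry.
ON_DENY_HIT = {"clear": "passes unencrypted", "drop": "dropped", "jump": None}

def audit_deny_policy(config):
    """Check crypto-map ACLs against the limit of the active deny-policy."""
    mode = "jump"                 # default when the command is absent
    crypto_acls, deny_counts = set(), {}
    context = None                # "map", ("acl", name) or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level line: leave any sub-mode
            context = None
            if m := re.match(r"crypto ipsec ipv4 deny-policy (jump|clear|drop)$", line):
                mode = m.group(1)
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
                context = "map"
            elif m := re.match(r"ip access-list extended (\S+)$", line):
                context = ("acl", m.group(1))
                deny_counts.setdefault(m.group(1), 0)
            elif m := re.match(r"access-list (\d+) (permit|deny) ", line):
                hit = m.group(2) == "deny"
                deny_counts[m.group(1)] = deny_counts.get(m.group(1), 0) + hit
        elif context == "map" and (m := re.match(r"match address (\S+)$", line)):
            crypto_acls.add(m.group(1))
        elif isinstance(context, tuple) and re.match(r"(\d+ )?deny ", line):
            deny_counts[context[1]] += 1
    limit = DENY_LIMITS[mode]
    acls = {a: {"deny": deny_counts.get(a, 0),
                "over_limit": deny_counts.get(a, 0) > limit}
            for a in sorted(crypto_acls)}
    return {"mode": mode, "limit": limit, "on_deny_hit": ON_DENY_HIT[mode], "acls": acls}

def sample_config(n_deny, policy=None):
    """Constructed running-config fragment with n_deny deny entries."""
    head = [f"crypto ipsec ipv4 deny-policy {policy}"] if policy else []
    head += ["crypto map VPNMAP 10 ipsec-isakmp", " set peer 192.0.2.1",
             " match address CRYPTO-ACL", "!", "ip access-list extended CRYPTO-ACL"]
    deny = [f" deny ip 10.1.{i}.0 0.0.0.255 10.2.{i}.0 0.0.0.255" for i in range(n_deny)]
    return "\n".join(head + deny + [" permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"])

if __name__ == "__main__":
    print(audit_deny_policy(sample_config(9)))            # default jump
    print(audit_deny_policy(sample_config(9, "clear")))
```

Under clear, the on_deny_hit field is a reminder that every range behind a deny entry leaves the router unencrypted, so each flagged ACL is worth reviewing for ranges that should instead be dropped.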
Monitor and Maintenance Commands
Use the commands that follow to monitor and maintain the VSA:
Command                                              Purpose
Router# show crypto engine accelerator statistic 0   Verifies the VSA is currently processing crypto packets.
Router# show version                                 Displays the integrated service adapter as part of the interfaces.