[c-nsp] IPsec Stateful Failure question
Terry Baranski
tbaranski at mail.com
Thu Nov 5 14:00:02 EST 2009
Strange -- we've done stateful IPSec on a VRF interface before. I wasn't
aware of this supposed restriction.
-Terry
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ronan Mullally
Sent: Thursday, November 05, 2009 7:18 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPsec Stateful Failure question
Before I jump in both feet first and try configuring it, the Stateful
Failure for IPsec guide (12.4) says:
"A stateful failover crypto map applied to an interface in a VRF instance
is not supported. However, VRF-aware IPSEC features are supported when a
stateful failover crypto map is applied to an interface in the global
VRF".
If I read this right, then configuring things like this:
interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end
Means I'm not going to be able to do stateful failover, correct?