
Mailing List Archive: Cisco: NSP

IPsec Stateful Failure question

 

 



ronan at iol

Nov 5, 2009, 4:17 AM

Post #1 of 2
IPsec Stateful Failure question

Before I jump in both feet first and try configuring it, the Stateful
Failure for IPsec guide (12.4) says:

"A stateful failover crypto map applied to an interface in a VRF instance
is not supported. However, VRF-aware IPSEC features are supported when a
stateful failover crypto map is applied to an interface in the global
VRF".

If I read this right, then configuring things like this:

interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end

Means I'm not going to be able to do stateful failover, correct?


-Ronan

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


tbaranski at mail

Nov 5, 2009, 11:00 AM

Post #2 of 2
Re: IPsec Stateful Failure question

Strange -- we've done stateful IPSec on a VRF interface before. I wasn't
aware of this supposed restriction.

-Terry

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Ronan Mullally
Sent: Thursday, November 05, 2009 7:18 AM
To: cisco-nsp [at] puck
Subject: [c-nsp] IPsec Stateful Failure question

Before I jump in both feet first and try configuring it, the Stateful
Failure for IPsec guide (12.4) says:

"A stateful failover crypto map applied to an interface in a VRF instance
is not supported. However, VRF-aware IPSEC features are supported when a
stateful failover crypto map is applied to an interface in the global
VRF".

If I read this right, then configuring things like this:

interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end

Means I'm not going to be able to do stateful failover, correct?
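
A way to audit a saved configuration for the combination the quoted guide text calls unsupported, as an added example that is not part of either post: it lists interfaces that sit in a VRF and also bind a crypto map to an HSRP group with `redundancy`, recording whether the `stateful` keyword is present. The sample configuration and every name in it are constructed, and the input is assumed to be in `show running-config` layout with indented sub-commands.

```python
import re

# Constructed sample in `show running-config` layout (sub-commands indented).
# Interface, VRF, HSRP group and crypto map names are made up for this example.
SAMPLE_CONFIG = """\
interface Port-channel1.106
 ip vrf forwarding f-CustomerX
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip stateful
!
interface Port-channel1.107
 ip vrf forwarding f-CustomerY
 standby 107 name f-customery-vip
 crypto map CustomerY redundancy f-customery-vip
!
interface GigabitEthernet0/1
 standby 1 name global-vip
 crypto map Example redundancy global-vip stateful
!
"""

VRF_RE = re.compile(r"^(?:ip )?vrf forwarding (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) redundancy (\S+)( stateful)?$")


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw[:1].isspace() and raw.strip():
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any unindented line closes the block
    return blocks


def vrf_redundancy_crypto_maps(config):
    """List (interface, vrf, crypto map, stateful?) for VRF interfaces that
    bind a crypto map to an HSRP group with the redundancy keyword."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        vrf = next((m.group(1) for m in map(VRF_RE.match, lines) if m), None)
        for m in filter(None, map(CMAP_RE.match, lines)):
            if vrf is not None:
                findings.append((name, vrf, m.group(1), bool(m.group(3))))
    return findings
```

Entries whose last field is `True` match the case the guide describes as unsupported; entries with `False` use HSRP-bound redundancy without the `stateful` keyword.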
