Cisco Support Community

Is IPSec over dot1q sub-interface possible?

I've been working a bit on trying to see if I can do IPSec over a trunked interface and have come up pretty empty. I have the IPSec set up and working on other standard interfaces in the same router, but have run into a bump with the IOS interface not letting me configure the crypto map on the trunked interface.

Starting with (just relevant part of the config shown):

#ip cef

interface Vif1
 no ip address
 ip cef accounting non-recursive external
 crypto map MYMAP

interface FastEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address

interface FastEthernet0/0/0.2
 encapsulation dot1Q 2
 ip address

interface FastEthernet0/0/0.4
 encapsulation dot1Q 4
 ip address

interface FastEthernet0/0/0.5
 encapsulation dot1Q 5
 ip address

When I go to apply the crypto map to the FastEthernet0/0/0.4 interface, here is what I get:

r7(config-subif)#crypto map MYMAP

ERROR: The VIP interface must be configured with cef distributed switching before enabling encryption. Please configure this interface with cef distributed and route cache distributed switching then try again.

No biggie (I think), so I change the config to:

#ip cef distributed

then try again:

r7(config-subif)#crypto map MYMAP

ERROR: Cannot apply IPSEC crypto map with tag MYMAP to VIP interfaces.

Any thoughts on what the problem might be?



Re: Is IPSec over dot1q sub-interface possible?

I do not think this is currently supported; you cannot configure IPSec on a trunk port.
