Cisco Support Community
New Member

Is IPSec over dot1q sub-interface possible?

I've been working a bit on trying to see if I can do IPSec over a trunked interface and have come up pretty empty. I have IPSec set up and working on other standard interfaces in the same router, but have run into a bump with the IOS interface not letting me configure the crypto map on the trunked interface.

Starting with (just the relevant part of the config shown):

#ip cef
!
interface Vif1
 no ip address
 ip cef accounting non-recursive external
 crypto map MYMAP
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 30.70.10.7 255.255.255.0
!
interface FastEthernet0/0/0.2
 encapsulation dot1Q 2
 ip address 30.70.21.7 255.255.254.0
!
interface FastEthernet0/0/0.4
 encapsulation dot1Q 4
 ip address 30.70.40.7 255.255.255.0
!
interface FastEthernet0/0/0.5
 encapsulation dot1Q 5
 ip address 30.70.50.4 255.255.248.0

When I go to apply the crypto map to the FastEthernet0/0/0.4 interface, here is what I get:

r7(config-subif)#crypto map MYMAP
ERROR: The VIP interface must be configured with cef distributed switching before enabling encryption. Please configure this interface with cef distributed and route cache distributed switching then try again.

No biggie (I think), so I change the config to:

#ip cef distributed

then try again:

r7(config-subif)#crypto map MYMAP
ERROR: Cannot apply IPSEC crypto map with tag MYMAP to VIP interfaces.

Any thoughts on what the problem might be?

Thanks!

1 REPLY
Silver

Re: Is IPSec over dot1q sub-interface possible?

I do not think this is currently supported; you cannot configure IPSec on a trunk port.
