Cisco Systems CL-28826-01 Security Camera User Manual


24-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Accessing Site-to-Site VPN Topologies and Policies
Defining the Endpoints and Protected Networks, page 24-33
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices
Deployment fails when you change the virtual routing and forwarding (VRF) mode on the Catalyst
switches and 7600 hub of an existing site-to-site VPN. For example, if you initially configured VRF in
the Create VPN wizard and deployed, but later return to the Peers policy and deselect the Enable VRF
Settings check box, deployment fails. (This setting is found in the VRF Aware IPSec tab of the Edit
Endpoints dialog box; see Configuring VRF Aware IPsec Settings, page 24-46.) Deployment likewise
fails if you try to enable VRF on a VPN that was not initially configured with it.
You cannot change the VRF mode on a Catalyst 6500/7600 during VPN operation. This restriction
applies only to Catalyst 6500/7600 hubs, not to any other device type.
This restriction does not apply to changes made to the VRF settings themselves. For example, if VRF is
configured on the VPN topology, you can return to the Peers policy and change the VRF name or route
distinguisher.
If you need to change the VRF mode of a VPN, and you are using Catalyst 6500/7600 devices as hubs,
use the following procedure.
Related topics
• Understanding VRF-Aware IPsec, page 24-14
• VRF-Aware IPsec One-Box Solution, page 24-14
• VRF-Aware IPsec Two-Box Solution, page 24-15
Step 1 Delete the VPN topology from Security Manager.
Step 2 Deploy your changes.
Step 3 Reload (restart) the Catalyst 6500/7600 device.
Step 4 Right-click the device in Security Manager and select Discover Policies on Device. Perform a complete
policy rediscovery.
Step 5 Open the Create VPN wizard and redefine the VPN topology. At this point, you can select a different
VRF mode. See Configuring VRF Aware IPsec Settings, page 24-46 and Creating or Editing VPN
Topologies, page 24-28.
Accessing Site-to-Site VPN Topologies and Policies
You can use the following methods to access and configure site-to-site VPN topologies and policies:
• Site-to-Site VPN Manager—This is the main tool for configuring VPN topologies. You can view
  a list of all site-to-site VPNs configured in Security Manager and edit their configurations and
  policies, including device membership. For information on using this tool, see Site-to-Site VPN
  Manager Window, page 24-18.
• Site-to-Site VPN policy in Device view—When you select a device in device view, you can select
  the Site-to-Site VPN policy in the Policies selector to see a list of all site-to-site VPNs in which the
  device participates and edit those topologies. You can also create new VPNs, or select a VPN and