Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
The Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine feature gives you the option of configuring your router so that failover to the software crypto engine does not occur even if the hardware crypto engine fails.
Feature History for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• Information About Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• How to Configure Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
Prerequisites for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• You must have the Cisco IOS IP Security (IPSec) framework configured on your network.
Information About Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
To configure the Disable Hardware Crypto Engine Failover to Software Crypto Engine feature, you should understand the following concepts:
• Hardware Crypto Engine Failover to the Software Crypto Engine: Overview
• Option to Disable Hardware Crypto Engine Failover
Hardware Crypto Engine Failover to the Software Crypto Engine: Overview
Cisco IOS IPSec traffic can be supported both by a hardware encryption engine and by a software crypto engine (that is, by the main CPU, which is running a software encryption algorithm). If the hardware encryption engine fails, the software on the main CPU attempts to perform the IPSec functions. However, the main CPU software routines have only a small percentage of bandwidth compared with those of the hardware encryption engine. If a sufficient amount of traffic is being handled by the hardware engine, it is possible that on failover, the main CPU may try to handle more traffic than it can, causing the router to fail.
Option to Disable Hardware Crypto Engine Failover
The Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine feature allows you to configure your router so that the hardware crypto engine does not automatically fail over to the software crypto engine.
Failover is enabled by default, which covers situations in which you prefer that the software routines on the main CPU take over when the hardware crypto engine fails.
How to Configure Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
This section contains the following procedure:
• Disabling Hardware Crypto Engine Failover to the Software Crypto Engine
Disabling Hardware Crypto Engine Failover to the Software Crypto Engine
To disable hardware crypto engine failover to the software crypto engine, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. no crypto engine software ipsec
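An added example, not part of the Cisco documentation: a Python check that reads a saved copy of the running configuration and reports whether step 3 took effect and which interfaces have a crypto map applied. It assumes that the default (failover enabled) shows up as no line at all, that a repeated command is decided by its last occurrence, and that sub-commands are indented as in a normal configuration listing; the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample configuration (not captured from a real device).
SAMPLE_DISABLED = """\
hostname VPN-Gateway1
!
no crypto engine software ipsec
!
crypto map mymap 10 ipsec-isakmp
 set peer 209.165.201.2
!
interface Serial1/0
 ip address 209.165.200.2 255.255.255.252
 crypto map mymap
!
end
"""
# Same config with the command absent, i.e. the documented default.
SAMPLE_DEFAULT = SAMPLE_DISABLED.replace("no crypto engine software ipsec\n", "")

FAILOVER_CMD = re.compile(r"^(no\s+)?crypto\s+engine\s+software\s+ipsec\s*$")

def audit_failover(config_text):
    """Report the failover setting and the interfaces with a crypto map applied."""
    enabled, explicit = True, False      # documented default: failover is enabled
    interface, protected = None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if raw[0].isspace():             # sub-command inside the current block
            if interface and line.split()[:2] == ["crypto", "map"]:
                protected.append(interface)
            continue
        interface = None                 # any column-0 line closes the block
        match = FAILOVER_CMD.match(line)
        if match:                        # assumption: the last occurrence wins
            enabled, explicit = match.group(1) is None, True
        elif line.startswith("interface "):
            interface = line.split(None, 1)[1]
    return {"failover_enabled": enabled, "explicit": explicit,
            "crypto_map_interfaces": protected}

def needs_review(result):
    """IPSec is in use and a hardware failure would shift its load to the CPU."""
    return result["failover_enabled"] and bool(result["crypto_map_interfaces"])

if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        print(name, audit_failover(text), needs_review(audit_failover(text)))
```

A configuration flagged by `needs_review` is one where IPSec is applied to an interface and the software engine would still take over after a hardware failure, which is the case the overview describes.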
DETAILED STEPS
Configuration Examples for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
This section includes the following configuration example:
• Disabled Hardware Crypto Engine Failover: Example
Disabled Hardware Crypto Engine Failover: Example
The following example shows that hardware crypto engine failover to the software crypto engine has been disabled:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
!
ip audit po max-events 100
no ftp-server write-enable
!
!
no crypto engine software ipsec
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 209.165.201.2
!
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 209.165.201.2
 set transform-set basic
 match address 101
!
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 209.165.200.2 255.255.255.252
 serial restart-delay 0
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 remark Crypto ACL
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Additional References
The following sections provide references related to Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine.
Related Documents
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Command Reference
This section documents the following new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3T command reference publications.
• no crypto engine software ipsec
no crypto engine software ipsec
To disable hardware crypto engine failover to the software crypto engine, use the no crypto engine software ipsec command in global configuration mode. To reenable failover, use the crypto engine software ipsec form of this command.
no crypto engine software ipsec
crypto engine software ipsec
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.1E | This command was introduced.
12.3(14)T | This command was integrated into Cisco IOS Release 12.3(14)T.
Usage Guidelines
Use this command for those situations in which the amount of IP Security (IPSec) traffic is more than can be handled (because of bandwidth) by the software routines on the CPU.
Examples
The following example shows that hardware crypto engine failover to the software crypto engine has been disabled:
no crypto engine software ipsec
The following example shows that hardware crypto engine failover has been reenabled:
crypto engine software ipsec
Related Commands
Command | Description
crypto engine accelerator | Enables the onboard hardware accelerator of the router for IPSec encryption.
Copyright © 2005 Cisco Systems, Inc. All rights reserved.

