crypto map [name]
The crypto map command in interface configuration mode applies a previously defined crypto map set to a router interface, enabling IPsec VPN encryption and decryption on that interface.
When to Use This Command
- Apply a site-to-site VPN crypto map to the outside interface of a branch router to secure traffic to the main office.
- Attach a crypto map to a tunnel interface for a DMVPN configuration.
- Apply a dynamic crypto map to a router interface to allow remote access VPN clients to initiate connections.
- Remove a crypto map from an interface when decommissioning a VPN tunnel.
Command Examples
Apply a static crypto map to an interface
interface GigabitEthernet0/0
crypto map MYVPN_MAP
GigabitEthernet0/0 is up, line protocol is up
Hardware is ISR4321, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc)
Internet address is 203.0.113.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Crypto map: MYVPN_MAP
...
The output shows the interface configuration. The line 'Crypto map: MYVPN_MAP' confirms the crypto map is applied. The absence of errors indicates successful application.
Remove a crypto map from an interface
interface GigabitEthernet0/0
no crypto map MYVPN_MAP
GigabitEthernet0/0 is up, line protocol is up
Hardware is ISR4321, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc)
Internet address is 203.0.113.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
...
After the 'no crypto map' command, the 'Crypto map' line disappears from the interface output, indicating the map is no longer applied.
Understanding the Output
When you apply a crypto map to an interface, the interface configuration output (via 'show running-config interface' or 'show interfaces') will include a line indicating the crypto map name. This confirms that IPsec processing is enabled on that interface. If the crypto map is not applied, that line will be absent. In production, you can verify with 'show crypto map' to see active maps and their status. A missing crypto map on the expected interface means VPN traffic will not be encrypted/decrypted, leading to connectivity issues.
CCNA Exam Tips
CCNA exam tip: Remember that crypto maps are applied in interface configuration mode, not globally.
CCNA exam tip: You can only apply one crypto map per interface; if you need multiple policies, use a crypto map set with multiple map entries.
CCNA exam tip: The 'no crypto map' command removes the map from the interface but does not delete the crypto map definition itself.
CCNA exam tip: For dynamic crypto maps (used with IKEv1), you apply them the same way, but they are typically used for remote access VPNs.
Common Mistakes
Mistake 1: Applying the crypto map in global configuration mode instead of interface configuration mode — results in error 'Invalid input detected'.
Mistake 2: Forgetting to apply the crypto map to the correct interface (e.g., applying to inside LAN interface instead of outside WAN interface) — VPN traffic will not be encrypted.
Mistake 3: Applying a crypto map that references an invalid or missing transform set or peer — the interface will accept the command but IPsec will fail to establish.
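The following Python audit is an added example, not part of the original page: it reads saved 'show running-config' text and reports expected interfaces with no crypto map (Mistake 2) and applied maps whose entries lack a peer, a match ACL or a defined transform set (Mistake 3). The function name audit_crypto_maps, the sample config and its addresses are constructed for illustration; it assumes static ipsec-isakmp entries that name one transform set each.

```python
import re

# Constructed running-config excerpt: entry 20 names an undefined transform set and has no ACL.
SAMPLE_CONFIG = """\
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYVPN_MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set MYSET
 match address 110
crypto map MYVPN_MAP 20 ipsec-isakmp
 set peer 198.51.100.9
 set transform-set MISSINGSET
interface GigabitEthernet0/0
 crypto map MYVPN_MAP
interface GigabitEthernet0/1
"""
REQUIRED = ("set peer", "set transform-set", "match address")

def audit_crypto_maps(config, expected_ifaces):
    """Return findings about unapplied or incompletely defined crypto maps."""
    tsets, entries, applied, section = set(), {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line opens a new section
            section = None
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                tsets.add(m.group(1))
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                section = entries.setdefault((m.group(1), m.group(2)), {})
            elif m := re.match(r"interface (\S+)", line):
                section = m.group(1)
        elif isinstance(section, dict):       # inside a crypto map entry
            if m := re.match(r" (set peer|set transform-set|match address) (\S+)", line):
                section[m.group(1)] = m.group(2)
        elif section and (m := re.match(r" crypto map (\S+)$", line)):
            applied[section] = m.group(1)     # inside an interface block
    findings = [f"{i}: no crypto map applied" for i in expected_ifaces if i not in applied]
    for iface, name in applied.items():
        mine = {k: v for k, v in entries.items() if k[0] == name}
        if not mine:
            findings.append(f"{iface}: crypto map {name} is not defined")
        for (_, seq), entry in mine.items():
            findings += [f"{name} {seq}: missing '{k}'" for k in REQUIRED if k not in entry]
            ts = entry.get("set transform-set")
            if ts and ts not in tsets:
                findings.append(f"{name} {seq}: transform set {ts} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_crypto_maps(SAMPLE_CONFIG, ["GigabitEthernet0/0"])))
```

An empty result means every expected interface has a map applied and every entry of that map is complete; it does not show that a tunnel is up, which still needs 'show crypto map' on the router.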
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
show crypto map
Displays the configured crypto map entries, including their match criteria, peer addresses, and transform sets, used to verify IPsec VPN policy configuration.