Multiple VPN SPA cards in 7600 chassis

Unanswered Question
Jul 10th, 2007

I am trying to find the best solution to increase IPSec capacity (more Gbps enc/dec) on a 7600 with an extra VPN SPA card. Configuration with only one card is quite simple and supports most configurations - routed, switched, VTI, GRE/IPSec, crypto-maps. The problem occurs when a single card is used with only one routed outside interface (many inside tunnel interfaces) and the capacity limit is reached. From the configuration guide I understand that a separate VLAN for each VPN SPA card is needed. This requires a separate outside interface for each VPN SPA card. This may not be a problem if adding a new routed interface for the new VPN SPA card does not cause any problems. Since this is not my case, I was wondering if anyone has come across this problem and found a solution other than turning a simple routed interface into several interfaces by trunking VLANs on the same physical interface. Any suggestions are welcome.


b.hsu Mon, 07/16/2007 - 12:33

IPSec VPN SPA can use multiple Fast Ethernet or Gigabit Ethernet ports on other Catalyst 6500 series switch modules to connect to the Internet through WAN routers. Packets that are received from the WAN routers pass through the IPSec VPN SPA for IPSec processing.

On the LAN side, traffic between the LAN ports can be routed or bridged on multiple Fast Ethernet or Gigabit Ethernet ports. Because the LAN traffic is not encrypted or decrypted, it does not pass through the IPSec VPN SPA. The IPSec VPN SPA does not maintain routing information, route, or change the MAC header of a packet (except for the VLAN ID from one VLAN to another).
