Unanswered Question
Apr 24th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to encrypt any-to-any IP and Multiprotocol Label Switching networks with Cisco expert Anand Nuggihalli. Anand is the product manager for Cisco Virtual Office. Nuggihalli has been with Cisco for more than 10 years, promoting Cisco IOS software based strategy and services including VPN, security, and Data-Link Switching Plus (DLSw+). Nuggihalli holds a bachelor of technology degree from Indian Institute of Technology, Madras, and a postgraduate diploma in management from Indian Institute of Management, Calcutta.

Remember to use the rating system to let Anand know if you have received an adequate response.

Anand might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 8, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

Umang.pandya Mon, 04/27/2009 - 04:40

IPSec SA packets will be handled by VAM2+ card or Network Processor (NPE-G1/G2) in 7206VXR router??

anuggiha Mon, 04/27/2009 - 10:13

Hello Umang, on Cisco 7200 routers you have two options: VAM2+ with NPE-G1/G2, and VSA with NPE-G2. VSA costs more upfront, but offers better price-to-performance. Using the NPE itself for IPsec is not recommended.

Thanks, Anand

b.hsu Tue, 04/28/2009 - 11:28

So if I have Internet connections between locations that does not support routing of multicast traffic, does it mean that GET VPN is only beneficial if we have a private WAN?

anuggiha Tue, 04/28/2009 - 13:37

Yes, GET VPN is for private WANs. If you have Internet-facing links, you can look into connecting them using DMVPN.

mrrussell Tue, 05/05/2009 - 05:04

Hi Anand, I'm checking out features of GET VPN currently, so I thought I'd take this opportunity to ask a few questions.

Running with phase 1.1, 12.4(15)T8 ...

Changing an encryption SA ACL on the Key Server does not get changed on the GM unless a reauthentication takes place, i.e. clear crypto gdoi. Will a TEK rekey (typically 1-24 hours) cause the changed ACL to be sent to the GM? Is there any way to force the ACL download from the Key Server?

anuggiha Fri, 05/08/2009 - 11:02

Hi Mick, please see Table 1, which lists various commands and the expected behavior. In short, depending on the specific change, a rekey may or may not be sent; independent of this, changes may take effect immediately or at TEK expiry.

For ACLs specifically, changing them will result in rekey being sent out and changes become effective at the GMs immediately. If you delete them however, the behavior is a bit different. Please refer to the last column in the above table.

In general, if you require changes to take effect immediately, it would be best if you time the configuration activity just before the next rekey.

Hope that helps. Please email me if you have any questions.

Thanks, Anand
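To make the pieces in the exchange above concrete (the SA ACL on the key server, KEK rekey vs. TEK lifetime, COOP key servers), here is an added example configuration; it is not Anand's or Cisco's own sample, and the group name, identity number, addresses, ACL contents and key labels are assumed.

```cisco
! --- Key server (assumed address 10.1.1.1; COOP peer assumed 10.1.1.2) ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! placeholder PSK; the GMs use the same policy and key
crypto isakmp key PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GDOI-TS esp-aes esp-sha-hmac
crypto ipsec profile GDOI-P
 set transform-set GDOI-TS
 ! TEK lifetime (1 h); the KEK rekey lifetime is set under server local
 set security-association lifetime seconds 3600
!
! Policy ACL the KS pushes to the GMs. Editing entries triggers a rekey
! and the GMs apply the change immediately (per the answer above);
! deleting entries behaves differently (see the table Anand refers to).
ip access-list extended GETVPN-POLICY
 deny udp any eq 848 any eq 848
 deny eigrp any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Requires an RSA key pair labelled GETVPN-REKEY on the KS:
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 1024
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey transport unicast
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  sa ipsec 1
   profile GDOI-P
   match address ipv4 GETVPN-POLICY
   replay counter window-size 64
  address ipv4 10.1.1.1
  redundancy
   local priority 100
   peer address ipv4 10.1.1.2
!
! --- Group member (registers to either KS) ---
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.1.1.1
 server address ipv4 10.1.1.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
! Checks: "show crypto gdoi ks acl" on the KS, "show crypto gdoi gm acl"
! on the GM; "clear crypto gdoi" on the GM forces re-registration.
```

Compare the two ACL outputs after editing GETVPN-POLICY on the KS to confirm the rekey reached the GM before relying on the new policy.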

mrrussell Tue, 05/05/2009 - 05:12

Hi Anand, another question using (phase 1.1) 12.4(15)T8. I would like to use multiple Key Servers, but phase 1.2 12.4(22)T onwards promises better functionality for COOP Key Servers. I tried to use 12.4(22)T but COOP does not work properly yet. Is it worth staying with 15 T8, or can we expect fixes in a 12.4(22)TX version soon?

anuggiha Thu, 05/07/2009 - 14:28

Hi Mick, 15T8 is recommended if you require mainline quality. You can use multiple KS reliably with 15T8 as well, although 22T does have some extra features. There was one issue with COOP KS that will be fixed in 22T2, targeted for end of June 2009.

Can you please send me an email describing the issues you are seeing with 22T? My email is anuggiha at cisco.

Thanks, Anand

joe-vieira Thu, 05/07/2009 - 07:10

Hi there.

Is it possible to encapsulate sna/dlsw traffic over a site to site vpn, maybe using gre?

joe-vieira Fri, 05/08/2009 - 05:06

Could you send me a link to configure this type of setup? Specifically, I am looking for configurations of a site-to-site VPN transporting SNA traffic.

anuggiha Fri, 05/08/2009 - 11:16

Hi Joe, we have not published this yet. Depending on the complexity of your requirement, you may want to schedule a CPOC. Please email me, anuggiha at cisco, and I'll share some guidelines.