Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to encrypt any-to-any IP and Multiprotocol Label Switching networks with Cisco expert Anand Nuggihalli. Anand is the product manager for Cisco Virtual Office. Nuggihalli has been with Cisco for more than 10 years, promoting Cisco IOS Software-based strategy and services, including VPN, security, and Data-Link Switching Plus (DLSw+). Nuggihalli holds a bachelor of technology degree from the Indian Institute of Technology, Madras, and a postgraduate diploma in management from the Indian Institute of Management, Calcutta.
Remember to use the rating system to let Anand know if you have received an adequate response.
Anand might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 8, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Umang, on Cisco 7200 routers you have two options: VAM2+ with NPE-G1/G2, and VSA with NPE-G2. VSA costs more upfront, but offers better price-to-performance. Using the NPE itself for IPsec is not recommended.
So if I have Internet connections between locations that do not support routing of multicast traffic, does it mean that GET VPN is only beneficial if we have a private WAN?
Hi Anand, I'm checking out features of GET VPN currently, so I thought I'd take this opportunity to ask a few questions.
Running with phase 1.1, 12.4(15)T8 ...
Changing an encryption SA ACL on the Key Server does not get changed on the GM unless a reauthentication takes place, i.e. clear crypto gdoi. Will a TEK rekey (typically 1-24 hours) cause the changed ACL to be sent to the GM? Is there any way to force the ACL download from the Key Server?
Hi Mick, please see http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_encrypt_trns_vpn.html#wp1150130. Table 1 lists the various commands and their expected behavior. In short, depending on the specific change, a rekey may or may not be sent; independent of this, changes may take effect immediately or at TEK expiry.
For ACLs specifically, changing them will result in rekey being sent out and changes become effective at the GMs immediately. If you delete them however, the behavior is a bit different. Please refer to the last column in the above table.
In general, if you require changes to take effect immediately, it would be best if you time the configuration activity just before the next rekey.
Hope that helps. Please email me if you have any questions.
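For reference, this is the shape of a key-server policy showing where the encryption ACL and the two lifetimes that drive rekeys live, plus the show commands used to confirm what the KS distributes and what a GM actually holds. It is an added example, not configuration from the thread or from Cisco documentation; the group name, identity number, ACL name, RSA key label and addresses are constructed placeholders.

```cisco
! --- Key server: TEK lifetime lives in the IPsec profile
! (this is the interval behind the "typically 1-24 hours" TEK rekey)
crypto ipsec transform-set GDOI-TS esp-aes esp-sha-hmac
!
crypto ipsec profile GDOI-PROF
 set security-association lifetime seconds 7200
 set transform-set GDOI-TS
!
! --- Encryption policy ACL that the KS pushes to the GMs (constructed)
! GDOI control traffic (UDP 848) is kept out of the data SA
ip access-list extended GETVPN-ENCRYPT
 deny   udp any eq 848 any eq 848
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- KEK lifetime and rekey delivery; unicast rekey transport does not
! depend on a multicast-capable WAN (placeholder group/key/address values)
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 GETVPN-ENCRYPT
   replay counter window-size 64
  address ipv4 192.0.2.1
!
! --- Checks after editing GETVPN-ENCRYPT on the KS:
! show crypto gdoi ks acl      (the ACL the KS will distribute)
! show crypto gdoi ks rekey    (rekey counters and time to next rekey)
! --- and on a GM:
! show crypto gdoi gm acl      (the ACL the GM currently enforces)
! show crypto gdoi             (registration state and SA timers)
```

Comparing the KS and GM ACL output before and after a rekey is the quickest way to tell whether a given change was pushed immediately or is waiting for TEK expiry.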
Hi Anand, another question using (phase 1.1) 12.4(15)T8. I would like to use multiple Key Servers, but phase 1.2 12.4(22)T onwards promises better functionality for COOP Key Servers. I tried to use 12.4(22)T but COOP does not work properly yet. Is it worth staying with 15T8 or can we expect fixes in a 12.4(22)TX version soon?
Hi Mick, 15T8 is recommended if you require mainline quality. You can use multiple KS reliably with 15T8 as well, although 22T does have some extra features. There was one issue with COOP KS that will be fixed in 22T2, targeted for end of June 2009.
Can you please send me an email describing the issues you are seeing with 22T? My email is anuggiha at cisco.
Could you send me a link to configure this type of setup? Specifically, I am looking for configurations of a site-to-site VPN transporting SNA traffic.
Hi Joe, we have not published this yet. Depending on the complexity of your requirement, you may want to schedule a CPOC. Please email me, anuggiha at cisco, and I'll share some guidelines.