6500 VPN SPA module question ????

kirkster
Level 3

Guys,

I have read through the tech docs about this module and it says it supports the 6148 series of modules. I assume it also supports other ethernet modules in the 6500 such as the 6748 series too?

Using a 6500 with a VPN SPA, I want to create an IPsec router in a box. There will be numerous 100Meg LAN links terminating onto the box (on the 6748 blades) from remote sites from where IP routes will be learnt. The VPN SPA will be ok in this scenario encrypting/decrypting packets according to crypto map policy?

Thanks guys,

Steve

5 Replies

attrgautam
Level 5

Yes, but note that there are certain restrictions with respect to the SPA:

a) Cannot toggle back to the Software mode

b) Different crypto maps per interface. It cannot use the same crypto map on 2 interfaces. This is a pain if you are having some kind of fallback where you'll have 2 active SAs. Suggest using crypto ipsec idle-time.

c) Performance is hit by using RRI and DPD.

It is supported on the 6148s; not sure about the 6748s.

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/76sipspa/sipspasw/76vpnspa/76ovwvpn.htm

HTH

Hi and thanks for the reply. Sorry to be verbose but just to bottom this out. I am fairly new to IPsec on the 6500/7600.

I can use routing through the vlan interfaces ok? The routing table of the 6500 would be populated through these vlan interfaces (attached to the port vlan by the crypto connect command). Whether or not traffic gets encrypted is down to crypto policy on the vlan interface just as a normal router?

If I used a loopback address on my 6500 and advertised this to the remote routers then they could peer to this address. Then, because of redundancy elsewhere in my network, if an ethernet WAN interface were to fail then the packets could get round another way to the loopback address through another of the 6500 interfaces.

Does that sound feasible?

Thanks for your help.

Steve

This is what I am suggesting (and doing as well). You can have all the WAN interfaces in a single VLAN and do the crypto connect on a single VLAN instead of having a separate VLAN per WAN interface. This will make your WAN links L2 links with IP, and the VLAN will route the traffic. I found this more comfortable.

That is a great idea !!!!

So rather than have numerous /30 point to point 100 Meg links with a separate VLAN each, you are using a larger subnet, say a /27, with the remote "WAN" side interfaces in the same subnet and one "WAN" vlan only on the 6500? Then you could run OSPF across this and make the 6500 VLAN interface the DR?

Great idea. I will model this in our lab. Any chance you can post a config from your 6500?

Cheers and regards,

Steve

Mate, really sorry, can show you only an edited config. IPSec config remains the same. Made up the config myself. Let me know if it helps.

! WAN Port 1
interface GigabitEthernet2/1
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
! WAN Port 2
interface GigabitEthernet2/3
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
! SM Ports (VPN module internal ports: 5/1 inside, 5/2 outside)
interface GigabitEthernet5/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,50,1002-1005
 switchport mode trunk
 no ip address
!
! Interface VLAN: carries the IP address and the crypto map
interface Vlan10
 ip address 172.16.5.66 255.255.255.248
 crypto map test
 crypto engine slot 5
!
! Port VLAN: Layer 2 only, tied to the interface VLAN by crypto connect
interface Vlan50
 no ip address
 crypto connect vlan 10
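The posted config leaves out the IPsec policy itself and the OSPF part that the earlier reply asked about. What follows is an added, constructed example (not the poster's config and not taken from Cisco documentation) of how the pieces fit together in the single-WAN-VLAN design: one /27 on the interface VLAN shared with the remote routers' WAN ports, one crypto map with an entry per remote site applied once on Vlan10, and the 6500 forced to be OSPF DR. Every address, peer, LAN prefix, ACL name and the pre-shared key placeholder are assumptions; the crypto engine slot form simply copies the posted config. One caveat worth seeing in the ACLs: only traffic matching a crypto ACL is encrypted, so OSPF hellos and LSAs exchanged between the 6500 and the remote routers cross the WAN VLAN in the clear unless they are carried inside something the ACL does match (e.g. a GRE tunnel, which this example does not show).

```cisco
! Added example config (constructed, not the poster's). Assumes:
!   WAN VLAN 50 -> interface Vlan10 = 172.16.5.64/27, 6500 is .65
!   remote site A WAN .70 with LAN 10.1.0.0/16, site B WAN .71 with LAN 10.2.0.0/16
!   hub LAN behind the 6500 = 10.0.0.0/16, VPN module in slot 5
!
! --- ISAKMP (phase 1) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! One key per remote peer; REPLACE-WITH-PSK is a placeholder, not a real key.
crypto isakmp key REPLACE-WITH-PSK address 172.16.5.70
crypto isakmp key REPLACE-WITH-PSK address 172.16.5.71
!
! --- IPsec (phase 2) ---
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
! Per the reply above: drop idle SAs so a stale SA does not linger after a
! path change (instead of relying on DPD, which the reply says costs performance).
crypto ipsec security-association idle-time 600
!
! Crypto ACLs: only these flows are encrypted. Anything else on the WAN VLAN,
! OSPF between the 6500 and the remote routers included, is sent in the clear.
ip access-list extended CRYPTO-SITE-A
 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
ip access-list extended CRYPTO-SITE-B
 permit ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! One crypto map, one sequence per site. It is applied to exactly one
! interface (Vlan10), which also respects restriction (b) from the first reply.
crypto map WAN-MAP 10 ipsec-isakmp
 set peer 172.16.5.70
 set transform-set VPN-TS
 match address CRYPTO-SITE-A
crypto map WAN-MAP 20 ipsec-isakmp
 set peer 172.16.5.71
 set transform-set VPN-TS
 match address CRYPTO-SITE-B
!
! All remote-site WAN ports are plain access ports in port VLAN 50.
interface GigabitEthernet2/1
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
interface GigabitEthernet2/3
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
! Interface VLAN: the routed /27 that the remote routers' WAN interfaces share.
! Priority 255 makes this SVI the DR; set "ip ospf priority 0" on the remote
! routers' WAN interfaces so a spoke can never be elected DR or BDR.
interface Vlan10
 ip address 172.16.5.65 255.255.255.224
 ip ospf priority 255
 crypto map WAN-MAP
 crypto engine slot 5
!
! Port VLAN: no IP, bound to the interface VLAN by crypto connect.
interface Vlan50
 no ip address
 crypto connect vlan 10
!
! OSPF: the WAN /27 and the hub LAN in area 0; remote LANs are learnt from the spokes.
router ospf 1
 router-id 172.16.5.65
 network 172.16.5.64 0.0.0.31 area 0
 network 10.0.0.0 0.0.255.255 area 0
```

The internal VPN module trunk ports (Gi5/1 carrying VLAN 10, Gi5/2 carrying VLAN 50) are unchanged from the posted config and are not repeated here. Because each site's LAN prefix appears both in OSPF (learnt from the spoke) and in a crypto ACL (decides what is encrypted), keep the two in step: a prefix that arrives via OSPF but is missing from the ACL is routed out Vlan10 unencrypted, which is the failure mode to check for with `show crypto ipsec sa` after bringing a new site up.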