03-07-2006 10:18 PM - edited 02-21-2020 02:18 PM
Guys,
I have read through the tech docs about this module and it says it supports the 6148 series of modules. I assume it also supports other ethernet modules in the 6500 such as the 6748 series too?
Using a 6500 with a VPN SPA, I want to create an IPsec router in a box. There will be numerous 100Meg LAN links terminating onto the box (on the 6748 blades) from remote sites from where IP routes will be learnt. The VPN SPA will be ok in this scenario encrypting/decrypting packets according to crypto map policy?
Thanks guys,
Steve
03-08-2006 02:46 AM
Yes, but note that there are certain restrictions wrt the SPA:
a) Cannot toggle back to the Software mode
b) Different crypto maps per interface. It cannot use the same crypto map on 2 interfaces. This is a pain if you are having some kind of fallback where you'll have 2 active SAs. Suggest using crypto ipsec idle-time.
c) Performance is hit by using RRI and DPD.
It is supported on the 6148s, not sure about the 6748s.
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/76sipspa/sipspasw/76vpnspa/76ovwvpn.htm
HTH
03-08-2006 05:39 AM
Hi and thanks for the reply. Sorry to be verbose but just to bottom this out. I am fairly new to IPsec on the 6500/7600.
I can use routing through the vlan interfaces ok? The routing table of the 6500 would be populated through these vlan interfaces (attached to the port vlan by the crypto connect command). Whether or not traffic gets encrypted is down to crypto policy on the vlan interface just as a normal router?
If I used a loopback address on my 6500 and advertised this to the remote routers then they could peer to this address. Then, because of redundancy elsewhere in my network, if an ethernet WAN interface were to fail then the packets could get round another way to the loopback address through another of the 6500 interfaces.
Does that sound feasible?
Thanks for your help.
Steve
03-08-2006 09:19 PM
This is what I am suggesting (and doing as well). You can have all the WAN interfaces in a single VLAN and do the crypto connect on a single VLAN instead of having a separate VLAN per WAN interface. This will make your WAN links L2 links with IP, and the VLAN will route the traffic. I found this more comfortable.
03-09-2006 01:07 AM
That is a great idea !!!!
So rather than have numerous /30 point-to-point 100 Meg links with a separate VLAN each, you are using a larger subnet, say a /27, with the remote "WAN" side interfaces in the same subnet and one "WAN" vlan only on the 6500? Then you could run OSPF across this and make the 6500 VLAN interface the DR?
Great idea. I will model this in our lab. Any chance you can post a config from your 6500?
Cheers and regards,
Steve
03-09-2006 04:07 AM
Mate, really sorry, can show you only an edited config. IPSec config remains the same. Made up the config myself. Let me know if it helps.
interface GigabitEthernet2/1
 description WAN Port 1
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
interface GigabitEthernet2/3
 description WAN Port 2
 switchport
 switchport access vlan 50
 switchport mode access
 no ip address
!
interface GigabitEthernet5/1
 description SM Ports
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,50,1002-1005
 switchport mode trunk
!
interface Vlan10
 ip address 172.16.5.66 255.255.255.248
 crypto map test
 crypto engine slot 5
!
interface Vlan50
 no ip address
 crypto connect vlan 10
!
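The config above and the restrictions listed earlier in the thread (one crypto map per interface, port VLAN tied to an interface VLAN by crypto connect, the interface VLAN bound to the SPA with crypto engine slot) can be checked mechanically before a change window. The script below is an added example, not from the thread or from Cisco: it parses an IOS-style running-config and flags a port VLAN that points at a missing interface VLAN, an interface VLAN missing its IP address, crypto map or crypto engine slot line, and a crypto map applied to more than one interface. Both sample configs are constructed for this example; the good one is modelled on the posted config, the bad one adds a second interface VLAN that reuses the same crypto map.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the config posted in the thread.
GOOD_CONFIG = """
interface GigabitEthernet2/1
 description WAN Port 1
 switchport
 switchport access vlan 50
 switchport mode access
!
interface Vlan10
 ip address 172.16.5.66 255.255.255.248
 crypto map test
 crypto engine slot 5
!
interface Vlan50
 no ip address
 crypto connect vlan 10
!
"""

# Constructed counter-example: crypto map "test" reused on Vlan20 (restriction b
# in the thread) and a port VLAN whose crypto connect target does not exist.
BAD_CONFIG = GOOD_CONFIG + """
interface Vlan20
 ip address 172.16.5.74 255.255.255.248
 crypto map test
 crypto engine slot 5
!
interface Vlan70
 no ip address
 crypto connect vlan 99
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from an IOS running-config.

    Sub-commands are the indented lines under 'interface X'; a '!' separator
    or any other top-level line ends the current interface block.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def check_crypto_connect(config_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    interfaces = parse_interfaces(config_text)
    findings = []
    map_users = defaultdict(list)

    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"^crypto map (\S+)$", cmd)
            if m:
                map_users[m.group(1)].append(name)

            m = re.match(r"^crypto connect vlan (\d+)$", cmd)
            if not m:
                continue
            # 'name' is a port VLAN: it stays L2-only and points at an interface
            # VLAN carrying the IP address, the crypto map and the SPA binding.
            if any(c.startswith("ip address ") for c in cmds):
                findings.append(f"{name}: port VLAN must not carry an IP address")
            target = "Vlan" + m.group(1)
            target_cmds = interfaces.get(target)
            if target_cmds is None:
                findings.append(f"{name}: crypto connect points at missing {target}")
                continue
            for needed in ("ip address ", "crypto map ", "crypto engine slot "):
                if not any(c.startswith(needed) for c in target_cmds):
                    findings.append(f'{target}: interface VLAN for {name} lacks "{needed.strip()}"')

    # Restriction (b) from the thread: with the VPN SPA a crypto map may be
    # applied on one interface only.
    for map_name, users in map_users.items():
        if len(users) > 1:
            findings.append(f"crypto map {map_name} applied on more than one interface: "
                            + ", ".join(sorted(users)))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, "->", check_crypto_connect(cfg) or "no findings")
```

Run it against a saved `show running-config` (read the file into a string and call `check_crypto_connect`). The parser deliberately drops anything not under an `interface` block, so the global `crypto map test 10 ipsec-isakmp` definition does not count as a second user of the map; only the per-interface `crypto map <name>` lines do.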