I have read through the tech docs about this module and it says it supports the 6148 series of modules. I assume it also supports other Ethernet modules in the 6500, such as the 6748 series, too?
Using a 6500 with a VPN SPA, I want to create an IPsec router in a box. There will be numerous 100 Meg LAN links terminating onto the box (on the 6748 blades) from remote sites, from where IP routes will be learnt. Will the VPN SPA be OK in this scenario, encrypting/decrypting packets according to crypto map policy?
Yes, but note that there are certain restrictions with respect to the SPA:
a) Cannot toggle back to software mode.
b) Different crypto maps per interface. It cannot use the same crypto map on 2 interfaces. This is a pain if you are having some kind of fallback where you'll have 2 active SAs. Suggest using crypto ipsec idle-time.
c) Performance is hit by using RRI and DPD.
It is supported on the 6148s; not sure about the 6748s.
Hi, and thanks for the reply. Sorry to be verbose, but just to bottom this out: I am fairly new to IPsec on the 6500/7600.
I can use routing through the VLAN interfaces OK? The routing table of the 6500 would be populated through these VLAN interfaces (attached to the port VLAN by the crypto connect command). Whether or not traffic gets encrypted is down to the crypto policy on the VLAN interface, just as on a normal router?
If I used a loopback address on my 6500 and advertised this to the remote routers, then they could peer to this address. Then, because of redundancy elsewhere in my network, if an Ethernet WAN interface were to fail, the packets could get round another way to the loopback address through another of the 6500 interfaces.
This is what I am suggesting (and doing as well). You can have all the WAN interfaces in a single VLAN and do the crypto connect on a single VLAN instead of having a separate VLAN per WAN interface. This makes your WAN links L2 links, with the IP on the VLAN, and the VLAN will route the traffic. I found this more comfortable.
So rather than have numerous /30 point-to-point 100 Meg links with a separate VLAN each, you are using a larger subnet, say a /27, with the remote "WAN" side interfaces in the same subnet and one "WAN" VLAN only on the 6500? Then you could run OSPF across this and make the 6500 VLAN interface the DR?
Great idea. I will model this in our lab. Any chance you can post a config from your 6500?
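The thread never gets the requested config, so here is a constructed illustration of the design discussed above (one port VLAN holding all the 6748 WAN ports, one interface VLAN carrying the shared /27, the crypto map and OSPF, with the 6500 forced to be DR). It is added here as an example; it is not a config posted by either participant. All addresses, VLAN numbers, the SPA slot/subslot (4/0), interface names and the pre-shared key are placeholders, and the exact crypto-connect syntax varies between IOS releases, so check it against the release notes for the image you run. The idle timer the reply refers to is the `crypto ipsec security-association idle-time` command; it clears SAs that go quiet after a failover so a stale second SA does not linger, and the DPD keepalive is shown only because the thread mentions it, with the performance caveat given above.

```cisco
! Constructed example, not from the thread. Placeholder topology:
!   VPN SPA in slot 4, subslot 0
!   VLAN 100 = port VLAN (L2 only, holds the 6748 WAN ports)
!   VLAN 200 = interface VLAN (shared WAN subnet 10.10.10.0/27, crypto map, OSPF)
!   Loopback0 = stable router-id 10.255.0.1
!   Remote site routers at 10.10.10.2 (site A, LAN 192.168.10.0/24)
!                      and 10.10.10.3 (site B, LAN 192.168.20.0/24)
!   Local LANs summarised as 192.168.0.0/16 for the crypto ACLs

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-A> address 10.10.10.2
crypto isakmp key <PRE-SHARED-KEY-B> address 10.10.10.3
! DPD: detects a dead peer; the reply above warns it costs SPA performance
crypto isakmp keepalive 30 5 on-demand
! Tear down SAs idle for 10 minutes so a failed-over path leaves no stale SA
crypto ipsec security-association idle-time 600

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

! One crypto map for the single WAN VLAN, one entry per remote peer
crypto map WANMAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set ESP-AES-SHA
 match address SITE-A
crypto map WANMAP 20 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set ESP-AES-SHA
 match address SITE-B

! Crypto ACLs: only LAN-to-remote-LAN traffic is encrypted; OSPF hellos
! on the WAN VLAN itself are not matched and stay in the clear
ip access-list extended SITE-A
 permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
ip access-list extended SITE-B
 permit ip 192.168.0.0 0.0.255.255 192.168.20.0 0.0.0.255

interface Loopback0
 ip address 10.255.0.1 255.255.255.255

! 6748 WAN ports: plain L2 access ports in the port VLAN
interface GigabitEthernet3/1
 description WAN link to site A
 switchport
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet3/2
 description WAN link to site B
 switchport
 switchport access vlan 100
 switchport mode access

! Port VLAN: no IP; crypto connect hands its frames to the interface VLAN
interface Vlan100
 no ip address
 crypto connect vlan 200

! Interface VLAN: IP, OSPF and the crypto map live here; priority 255 makes
! the 6500 the DR on the shared WAN segment
interface Vlan200
 ip address 10.10.10.1 255.255.255.224
 ip ospf priority 255
 crypto map WANMAP
 crypto engine subslot 4/0

router ospf 1
 router-id 10.255.0.1
 network 10.10.10.0 0.0.0.31 area 0
 network 10.255.0.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
```

Two points to verify in the lab before trusting this: that `crypto connect vlan` is accepted on the port VLAN with `crypto engine subslot` on the interface VLAN for your IOS image, and that the OSPF adjacency on Vlan200 forms with the 6500 as DR (check with `show ip ospf neighbor`) while `show crypto ipsec sa` shows one SA pair per remote site, not a duplicate on a second interface, which is the condition the reply above says the SPA cannot handle.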