Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN SPA stateless failover in VRF mode

Hi,

I would like your advices about what is written in the VPN SPA Cisco documentation (Catalyst 6500 Series Switch SIP, SSC, and SPA Software Configuration Guide.pdf).

It say in the chapter "Configuring IPsec Stateless and stateful failover with VRF Mode" :

"Chassis-to- chassis failover with VRF mode is configured differently than in non-VRF (crypto-connect)

mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added

to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the

same interface."

And the configuration given by the documentation :

hostname router-1

!

ip vrf ivrf

rd 1000:1

route-target export 1000:1

route-target import 1000:1

!

crypto engine mode vrf

!

vlan 2,3

!

crypto keyring key1

pre-shared-key address 14.0.1.1 key 12345

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

crypto isakmp keepalive 10

crypto isakmp profile ivrf

vrf ivrf

keyring key1

match identity address 14.0.1.1 255.255.255.255

!

crypto ipsec transform-set ts esp-3des esp-sha-hmac

!

crypto map map_vrf_1 local-address Vlan3

crypto map map_vrf_1 10 ipsec-isakmp

set peer 14.0.1.1

set transform-set ts

set isakmp-profile ivrf

match address acl_1

!

interface GigabitEthernet1/1

!switch inside port

ip address 13.254.254.1 255.255.255.0

!

interface GigabitEthernet1/1.1

encapsulation dot1Q 2000

ip vrf forwarding ivrf

ip address 13.254.254.1 255.0.0.0

!

interface GigabitEthernet1/2

!switch outside port

switchport

switchport access vlan 3

switchport mode access

!

interface GigabitEthernet4/0/1

!IPsec VPN SPA inside port

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,2,1002-1005

switchport mode trunk

mtu 9216

flowcontrol receive on

flowcontrol send off

spanning-tree portfast trunk

!

interface GigabitEthernet4/0/2

!IPsec VPN SPA outside port

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,1002-1005

switchport mode trunk

mtu 9216

flowcontrol receive on

flowcontrol send off

spanning-tree portfast trunk

!

interface Vlan3

ip address 15.0.0.2 255.255.255.0

standby delay minimum 0 reload 0

standby 1 ip 15.0.0.100

standby 1 timers msec 100 1

standby 1 priority 105

standby 1 preempt

standby 1 name std-hsrp

standby 1 track GigabitEthernet1/2

crypto engine slot 4/0 outside

!

interface Vlan2

ip vrf forwarding ivrf

ip address 15.0.0.252 255.255.255.0

crypto map map_vrf_1 redundancy std-hsrp

crypto engine slot 4/0 inside

!

ip classless

ip route 12.0.0.0 255.0.0.0 15.0.0.1

ip route 13.0.0.0 255.0.0.0 13.254.254.2

ip route 14.0.0.0 255.0.0.0 15.0.0.1

ip route 223.255.254.0 255.255.255.0 17.1.0.1

ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1

!

ip access-list extended acl_1

permit ip host 13.0.0.1 host 12.0.0.1

!

!

arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPA

It seems that in this example, the HSRP is not on the physical interface...

Somebody can say me what it the real way to configure stateless HSRP with VPN SPA ?

Thank you for your help :)

4 REPLIES
Cisco Employee

Re: VPN SPA stateless failover in VRF mode

The config above should be fine. The most important thing is the separation of crypto map and HSRP config. The documentation is referring that. Since the exit interface Gi1/2 is just a layer 2 vlan, HSRP is associated with an SVI Vlan 3. The crypto map is applied on Vlan 2.

interface GigabitEthernet1/2

!switch outside port

switchport

switchport access vlan 3

switchport mode access

!

You can refer this link if it helps. It shows HSRP in the physical interface.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_14459.html#wp1459986

New Member

Re: VPN SPA stateless failover in VRF mode

Thank you for your answer. I have got separation of crypto map and HSRP config but my crypto map is applied on an SVI is it a problem ?

This is my configuration :

ip vrf ipsec-inside1

rd 30:1

!

ip vrf ipsec-internet

rd 10:1

!

ip vrf ipsec-outside

rd 20:1

vlan 10,20,30,40,50

crypto keyring stg-keys vrf ipsec-outside

pre-shared-key address 1.1.1.1 key cisco

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 20

encr aes 256

authentication pre-share

crypto isakmp key cisco address 1.1.1.1

crypto isakmp profile stg

vrf ipsec-inside1

keyring stg-keys

match identity address 1.1.1.1 255.255.255.255 ipsec-outside

!

crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

!

crypto map cm local-address Vlan20

crypto map cm 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set 3des-md5

set isakmp-profile stg

match address acl

!

interface FastEthernet3/25

switchport

switchport access vlan 10

switchport mode access

spanning-tree portfast

!

interface FastEthernet3/26

switchport

switchport access vlan 40

switchport mode access

!

interface GigabitEthernet7/0/1

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 30

switchport mode trunk

mtu 9216

flowcontrol receive on

flowcontrol send off

spanning-tree portfast trunk

!

interface Vlan20

ip vrf forwarding ipsec-outside

ip address 10.20.1.4 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip route-cache

standby delay minimum 0 reload 0

standby 84 ip 10.20.1.2

standby 84 timers msec 100 1

standby 84 preempt

standby 84 name spa-hsrp

standby 84 track GigabitEthernet7/0/1 20

crypto engine slot 7/0 outside

!

interface Vlan30

ip vrf forwarding ipsec-inside1

ip address 10.30.1.1 255.255.255.0

crypto map cm redundancy spa-hsrp

crypto engine slot 7/0 inside

!

interface Vlan40

ip vrf forwarding ipsec-inside1

ip address 10.30.4.3 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip route-cache

standby delay minimum 0 reload 0

standby 85 ip 10.30.4.1

standby 85 timers msec 100 1

standby 85 preempt

standby 85 track GigabitEthernet7/0/1 20

!

ip access-list extended acl

permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

Cisco Employee

Re: VPN SPA stateless failover in VRF mode

Yes, crypto map should be in SVI, thats the only way the packet can be forwarded to VPN SPA for encryption. I noticed you have FVRF configured on vlan 20. It should be fine if you are using latest release. Otherwise you would need to use it as global (no vrf) interface for Vlan 20.

New Member

Re: VPN SPA stateless failover in VRF mode

Yes,

I'm using 12.2(33)SXI, it should be okay.

397
Views
0
Helpful
4
Replies
CreatePlease to create content