Table Of Contents
IPsec VPN Acceleration Services Module Installation and Configuration Note
Understanding How the VPN Module Works
Catalyst Switch Outside Ports and Inside Ports
VPN Module Outside Port and Inside Port
Supported Features in Release 12.2(9)YO4 and Release 12.2(14)SY
Supported Features in Release 12.2(14)SY
Supported Features in Release 12.2(17b)SXA
Supported Features in Release 12.2(18)SXD
Supported Features in Release 12.2(18)SXD1
Supported Features in Release 12.2(18)SXE
Supported Features in Release 12.2(18)SXF
Modules Supported with the VPN Module in Releases 12.2(17b)SXA and 12.2(17d)SXB
Hardware and Software Requirements
Installing and Removing the VPN Module
Configuring a VPN Using the VPN Module
Hardware- and Software-Based Cryptographic Modes
Transitioning In and Out of Hardware-Based Cryptographic Mode
Effects of Exiting the Hardware-Based Cryptographic Mode on Existing IPsec SAs
Configuring the VPN Module Using the crypto engine slot Command
VPN Module Feature Configuration Guidelines and Configuration Procedures
Interaction with Other Features
Preventing VPN Module Misconfigurations
Configuring the VPN Module Inside Port and Outside Port
Using Multiple VPN Modules in a Chassis
Using IPsec Stateful Failover and the VPN Module
Using IPsec Anti-Replay Window Size Expansion
Using Look-Ahead Fragmentation
Using Per-Crypto Map IPsec Security Association (SA) Idle Timers
Using VPN Module-to-Module Failover
Using the Invalid SPI Recovery Protocol
Configuring a VPN Access Port Connection
Configuring a VPN Routed Port Connection
Configuring a VPN Trunk Port Connection
Displaying the VPN Running State
Configuring VPN Module-to-Module Failover
Catalyst Switch 1 (Access Port)
Catalyst Switch 2 (Access Port)
Catalyst Switch 1 (Routed Port)
Catalyst Switch 2 (Routed Port)
Catalyst Switch 1 (Trunk Port)
Catalyst Switch 2 (Trunk Port)
Catalyst Switch 1 (Frame Relay Port)
Catalyst Switch 2 (Frame Relay Port)
Active Catalyst Switch Configuration
Standby Catalyst Switch Configuration
Remote Catalyst Switch Configuration
Obtaining Documentation and Submitting a Service Request
IPsec VPN Acceleration Services Module Installation and Configuration Note
Product Number: WS-SVC-IPSEC-1
This publication describes how to install and configure the IPsec Virtual Private Network (VPN) Acceleration Services Module in the Catalyst 6500 series switches and Cisco 7600 series routers.
Tip
When configuring policy-based routing (PBR) with a Supervisor Engine 2 and a VPN module installed, you must ensure that your PBR configuration is done correctly. If PBR is not configured correctly, all traffic might be handled by the MSFC2 rather than being hardware-switched. Refer to the following URL for detailed information on configuring PBR:
http://www-tac.cisco.com/Support_Library/Hardware/Cat6000/hwfib-native-pbr.html
Note
•
•
•
Note
Cisco IOS Release 12.2(9)YO4 or later release notes at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_2864.htm
Cisco IOS Release 12.2(14)SY or later release notes at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_3975.htm
Cisco IOS Release 12.2(17b)SXA or later release notes at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Cisco IOS Release 12.2(18)SXD or later release notes at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Cisco IOS Release 12.2(18)SXD1 or later release notes at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Cisco IOS Release 12.2(18)SXE or later release notes at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Cisco IOS Release 12.2(18)SXF or later release notes at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
Contents
This publication consists of these sections:
•
•
•
•
•
•
•
Understanding How the VPN Module Works
These sections describe the functionality of the VPN module:
•
•
Overview
The VPN module is a Gigabit Ethernet IPsec cryptographic module that you can install in the
Catalyst 6500 series switches and Cisco 7600 series routers. The VPN module provides bump-in-the-wire (BITW) IPsec implementation using VLANs.
Note
Configuring VPNs using the VPN module is similar to configuring VPNs on routers running Cisco IOS software. When you configure VPNs with the VPN module, you attach crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure individual interfaces.
Note
When you configure a VPN on the Cisco routers, a packet is sent to a routed interface that is associated with an IP address. If the interface has an attached crypto map, the software checks that the packet is on an access control list (ACL) that is specified by the crypto map. If a match occurs, the packet is transformed (encrypted) before it is routed to the appropriate IPsec peer; otherwise, the packet is routed in the clear (unencrypted) state.
When you configure the VPN module, the same cryptographic operations are performed as on Cisco routers. The VPN module's implementation of VPN is generally the same as on Cisco routers other than the use of interface VLANs and some configuration guidelines that are specific to the VPN module (for details, see the "VPN Module Feature Configuration Guidelines and Configuration Procedures" section).
Note
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/index.htmWhen you configure the VPN module on the Catalyst 6500 series switches and Cisco 7600 series routers, you ensure that all packets coming from or going to the Internet pass through the VPN module. The VPN module has an extensive set of policies that validate a packet before the packet is sent onto the local (trusted) LAN. The VPN module can use multiple Fast Ethernet or Gigabit Ethernet ports on other Catalyst 6500 series modules to connect to the Internet through WAN routers. Packets that are received from the WAN routers pass through the VPN module for IPsec processing.
On the local LAN side, traffic between the LAN ports can be routed or bridged on multiple Fast Ethernet or Gigabit Ethernet ports. Because the local LAN traffic is not encrypted or decrypted, it does not pass though the VPN module.
The VPN module does not maintain routing information, route, or change the MAC header of a packet (except for the VLAN ID from one VLAN to another).
Catalyst Switch Outside Ports and Inside Ports
The Fast Ethernet or Gigabit Ethernet ports on the Catalyst 6500 series switch and Cisco 7600 series routers that connect to the WAN routers are referred to as Catalyst switch outside ports. These ports connect the local LAN to the Internet or to remote sites. Cryptographic policies are applied to the Catalyst switch outside ports.
The Fast Ethernet or Gigabit Ethernet ports on the Catalyst 6500 series switch and Cisco 7600 series routers that connect to the local LAN are referred to as Catalyst switch inside ports.
The VPN module sends encrypted packets to the Catalyst switch outside ports and decrypted packets to the Policy Feature Card 2 (PFC2) for Layer-3 forwarding to the Catalyst switch inside ports.
VPN Module Outside Port and Inside Port
The VPN module appears to the CLI as a module with two Gigabit Ethernet ports. The VPN module has no external connectors; the Gigabit Ethernet ports connect the VPN module to the switch backplane and Switch Fabric Module (if installed).
One Gigabit Ethernet port handles all the traffic going to and coming from the Catalyst switch outside ports. This port is referred to as the VPN module outside port. The other Gigabit Ethernet port handles all traffic going to and coming from the local LAN or inside ports. This port is referred to as the VPN module inside port.
Note
Port VLAN and Interface VLAN
Your VPN configuration can have one or more Catalyst switch outside ports. To handle the packets from multiple Catalyst switch outside ports, you need to direct the packets from multiple Catalyst switch outside ports to the VPN module outside port by placing the Catalyst switch outside ports in a VLAN with the outside port of the VPN module. This VLAN is referred to as the port VLAN. The port VLAN is a Layer 2-only VLAN. You do not configure Layer 3 addresses or features on this VLAN; the packets within the port VLAN are bridged by the PFC2.
Before the router can forward the packets using the correct routing table entries, the router needs to know which interface that a packet was received on. For each port VLAN, you need to create another VLAN so that the packets from every Catalyst switch outside port are presented to the router with the corresponding VLAN ID. This VLAN contains only the VPN module inside port and is referred to as the interface VLAN. The interface VLAN is a Layer 3-VLAN. You configure the Layer 3 address and Layer 3 features, such as ACLs and the crypto map, to the interface VLAN.
After you create and configure the port VLAN and the interface VLAN, you tie the VLANs together using the crypto connect vlan command. See the "Configuring a VPN Using the VPN Module" section for detailed information. Figure 1 shows the port VLAN and interface VLAN configurations.
Figure 1 Port VLAN and Interface VLAN Configuration Example
Port VLAN 501 and port VLAN 502 are the port VLANs that are associated with the Catalyst switch outside ports W1 and W2.
Interface VLAN 1 and interface VLAN 2 are the interface VLANs that correspond to port VLAN 501 and port VLAN 502.
You configure the IP address, ACLs, and crypto map that apply to the Catalyst switch outside port W1 on interface VLAN 1. You configure the features that apply to the Catalyst switch outside port W2 on interface VLAN 2.
Packets coming from the WAN through port W1 (port W1 belongs to port VLAN 501) are directed by the PFC2 to the VPN module outside port. The VPN module decrypts the packets and changes the VLAN to interface VLAN 1 and then presents the packet to the router through the VPN module inside port. The PFC2 then routes the packet to the proper destination.
Packets going from the LAN to the outside ports are first routed by the PFC2. Based on the route, the PFC2 routes the packets to one of the interface VLANs and directs the packet to the VPN module inside port. The VPN module applies the cryptographic policies that are configured on the corresponding interface VLAN, encrypts the packet, changes the VLAN ID to the corresponding port VLAN, and sends the packet to the Catalyst switch outside port through the VPN module outside port.
Supported Features
These sections list the supported features for the VPN module:
•
•
•
•
•
•
•
Note
Supported Features in Release 12.2(9)YO4 and Release 12.2(14)SY
The VPN module supports the following features in Cisco IOS Release 12.2(9)YO4 and later releases and Cisco IOS Release 12.2(14)SY and later releases:
•
–
•
–
•
–
–
–
•
–
–
–
–
•
•
–
–
–
Note
Note
•
–
–
•
Note
For complete configuration details for VDM, refer to this URL:
http://www.cisco.com//univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e6/vdm_e.htmSupported Features in Release 12.2(14)SY
The VPN module supports the following features in Cisco IOS Release 12.2(14)SY and later releases:
•
•
•
•
•
•
•
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
–
–
–
Note
Supported Features in Release 12.2(17b)SXA
In addition to supporting the features that are listed in the "Supported Features in Release 12.2(9)YO4 and Release 12.2(14)SY" and "Supported Features in Release 12.2(14)SY" sections, the VPN module supports the following features in Cisco IOS Release 12.2(17b)SXA and later releases:
•
•
•
•
•
–
–
–
–
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Supported Features in Release 12.2(18)SXD
In addition to supporting the features in Cisco IOS Release 12.2(9)YO4, Cisco IOS Release 12.2(14)SY, Cisco IOS Release 12.2(14)SY, and Cisco IOS Release 12.2(17b)SXA, the VPN module supports the following features in Cisco IOS Release 12.2(18)SXD and later releases:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Supported Features in Release 12.2(18)SXD1
In addition to supporting the features in Cisco IOS Release 12.2(9)YO4, Cisco IOS Release 12.2(14)SY, Cisco IOS Release 12.2(14)SY, Cisco IOS Release 12.2(17b)SXA, and Cisco IOS Release 12.2(18)SXD, the VPN module supports the following features in Cisco IOS Release 12.2(18)SXD1 and later releases:
•
•
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Supported Features in Release 12.2(18)SXE
In addition to supporting the features in Cisco IOS Release 12.2(9)YO4, Cisco IOS Release 12.2(14)SY, Cisco IOS Release 12.2(14)SY, Cisco IOS Release 12.2(17b)SXA, Cisco IOS Release 12.2(18)SXD, and Cisco IOS Release 12.2(18)SXD1, the VPN module supports the following features in Cisco IOS Release 12.2(18)SXE and later releases:
•
•
•
•
•
•
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Supported Features in Release 12.2(18)SXF
No new features are added in Cisco IOS Release 12.2(18)SXF.
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm
Modules Supported with the VPN Module in Releases 12.2(17b)SXA and 12.2(17d)SXB
Table 1 lists the modules that are supported with the VPN module in Cisco IOS Release 12.2(17b)SXA and 12.2(17d)SXB.
Note
Table 1 Modules Supported with the VPN Module in Cisco IOS Release 12.2(17b)SXA and 12.2(17d)SXB
WS-C6500-SFM
X
WS-C6500-SFM2
X
WS-X6024-10FL-MT
X
X
WS-X6248A-TEL
X
X
WS-X6248A-RJ-45
X
X
WS-X6316-GE-TX
X
X
WS-X6324-100FX-MM
X
X
WS-X6324-100FX-SM
X
X
WS-X6348-RJ-45
X
X
WS-X6348-RJ-21
X
X
WS-X6348-RJ21V
X
X
WS-X6348-RJ45V
X
X
WS-X6148-RJ-45
X
X
WS-X6148-RJ-21
X
X
WS-X6148-RJ21V
X
X
WS-X6148-RJ45V
X
X
WS-X6148-GE-TX
X
X
WS-X6148V-GE-TX
X
X
WS-X6408A-GBIC
X
X
WS-X6416-GBIC
X
X
WS-X6416-GE-MT
X
X
WS-X6516-GBIC
X
X
WS-X6516A-GBIC
X
X
WS-X6516-GE-TX
X
X
WS-X6548-RJ-45
X
X
WS-X6548-RJ-21
X
X
WS-X6548-GE-TX
X
X
WS-X6548V-GE-TX
X
X
WS-X6524-100FX-MM
X
X
WS-X6501-10GEX4
WS-X6502-10GE
X
X
WS-X6816-GBIC
X
X
OSM-1OC48-POS-SI
X
X
OSM-1OC48-POS-SL
X
X
OSM-1OC48-POS-SS
X
X
OSM-1OC48-POS-SI+
X
X
OSM-1OC48-POS-SL+
X
X
OSM-1OC48-POS-SS+
X
X
OSM-2OC48/1DPT-SS
X
X
OSM-2OC48/1DPT-SI
X
X
OSM-2OC48/1DPT-SL
X
X
OSM-2OC12-POS-MM
X
X
OSM-2OC12-POS-SI
X
X
OSM-2OC12-POS-SL
X
X
OSM-2OC12-POS-MM+
X
X
OSM-2OC12-POS-SI+
X
X
OSM-4GE-WAN-GBIC
X
X
OSM-4OC12-POS-MM
X
X
OSM-4OC12-POS-SI
X
X
OSM-4OC12-POS-SL
X
X
OSM-4OC12-POS-SI+
X
X
OSM-8OC3-POS-MM
X
X
OSM-8OC3-POS-SI
X
X
OSM-8OC3-POS-SL
X
X
OSM-8OC3-POS-SI+
X
X
OSM-4OC3-POS-SI
X
X
OSM-4OC3-POS-SL+
X
X
OSM-16OC3-POS-MM
X
X
OSM-16OC3-POS-SI
X
X
OSM-16OC3-POS-SL
X
X
OSM-16OC3-POS-SI+
X
X
OSM-2OC12-ATM-MM
X
X
OSM-2OC12-ATM-SI
X
X
OSM-2OC12-ATM-MM+
X
X
OSM-2OC12-ATM-SI+
X
X
OSM-1CHOC12/T3-SI
X
X
OSM-1CHOC12/T1-SI
OSM-12CT3/T1
OSM-2+4GE-WAN+
X
X
WS-6182-2PA
X
X
WS-6582-2PA
X
X
WS-SVC-IDSM2-BUN-K9
X
X
WS-SVC-NAM1
X
X
WS-SVC-NAM2
X
X
WS-X6066-SLB-APC
X
X
WS-SVC-CSG-1
X
X
WS-SVC-FWM-1-K9
X
X
WS-SVC-SSL-1-K9
X
X
WS-SVC-MWAM-1
WS-SVC-CMM
X
X
WS-SVC-CMM-6T1
X
X
WS-SVC-CMM-6E1
X
X
WS-X6248-RJ-45
X
X
WS-X6748-GE-TX
X
X
WS-X6704-10GE
X
X
WS-X6724-SFP
X
X
WS-X6748-SFP
X
X
WS-SVC-WLAN-1-K91
X
WS-SVC-MWAM-1
X
X2
1 Support for the WS-SVC-WLAN-1-K9 module started in Cisco IOS Release 12.2(18)SXD.
2 Support for Supervisor Engine 720 with the WS-SVC-MWAM-1 module started in Cisco IOS Release 12.2(18)SXD1.
Hardware and Software Requirements
This section describes the hardware and software requirements for the VPN module.
Software Requirements
This section lists the software requirements for the VPN module:
•
•
•
•
•
•
•
Hardware Requirements
This section lists the hardware requirements for the VPN module:
•
–
–
–
–
Note
Note
•
–
–
–
–
Note
•
•
•
Note
Support for the FlexWAN module is added with Cisco IOS Release 12.2(14)SY (see the "Supported Features in Release 12.2(14)SY" section for a complete list of supported port adapters). OSMs are not supported by Cisco IOS Release 12.2(14)SY.
OSMs are supported by Cisco IOS Release 12.2(17b)SXA.
Note
- Up to 500 tunnels with 128-MB DRAM
- Up to 4,000 tunnels with 256-MB DRAM
- Up to 8,000 tunnels with 512-MB DRAM
These numbers are chosen to leave some memory available for routing protocols and other applications. However, your particular use of the MSFC may demand more memory than the quantities that are listed above. In an extreme case, you could have one tunnel but still require 512-MB DRAM for other protocols and applications running on the MSFC.
The Supervisor Engine 720 MSFC3 (WS-SUP720) ships with 512-MB DRAM. The Supervisor Engine 2 MSFC2 (WS-X6K-S2U-MSFC2) ships with 256-MB DRAM. The Supervisor Engine 2 MSFC2 (WS-X6K-S2-MSFC2) ships with 128-MB DRAM.
For MSFC2 DRAM upgrade information, refer to the following publication at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_6953.htm
Front Panel Description
The LED on the VPN module front panel (see Figure 2) indicates the status of the module. Table 2 describes the LED operation.
Figure 2 VPN Module Front Panel
Installing and Removing the VPN Module
These sections describe how to remove and install the VPN module in the Catalyst 6500 series switches:
Safety Overview
Safety warnings appear throughout these procedures indicating tasks that may harm you if performed incorrectly. A warning symbol precedes each warning statement.
Warning
Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
Caution
Required Tools
These tools are required to install the VPN module in the Catalyst 6500 series switches:
•
•
•
Removing a VPN Module
This section describes how to remove an existing VPN module from a chassis slot.
Caution
Caution
Warning
Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments. Statement 1051
To remove a VPN module from the chassis, perform these steps:
Step 1
Note
Step 2
Step 3
Horizontal slots
a.
b.
Vertical slots
a.
b.
Step 4
Step 5
Installing a VPN Module
This section describes how to install a VPN module in the chassis.
Caution
Caution
Warning
Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments. Statement 1051
Caution
To install a VPN module in the chassis, perform these steps:
Step 1
Step 2
Step 3
Note
Step 4
Step 5
Step 6
Horizontal slots
a.
b.
c.
Caution
Figure 3 Positioning the Module in a Horizontal Slot Chassis
d.
Note
e.
Note
Figure 4 Clearing the EMI Gasket in a Horizontal Slot Chassis
Figure 5 Ejector Lever Closure in a Horizontal Slot Chassis
Vertical slots
a.
b.
c.
Caution
d.
e.
Note
Figure 6 Positioning the Module in a Vertical Slot Chassis
Figure 7 Clearing the EMI Gasket in a Vertical Slot Chassis
Figure 8 Ejector Lever Closure in a Vertical Slot Chassis
Verifying the Installation
Enter the show module [mod-num | all] command to verify that the system acknowledges the new VPN module and has brought it online.
This example shows the output of the show module command:
Router# show moduleMod Ports Card Type Model Serial No.--- ----- -------------------------------------- ------------------ -----------1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-S2U-MSFC2 SAD055106AH2 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAD0546024C4 48 SFM-capable 48-port 10/100 Mbps RJ45 WS-X6548-RJ-45 SAD060904PU5 2 IPsec VPN Accelerator WS-SVC-IPSEC-1 SAD0636025EMod MAC addresses Hw Fw Sw Status--- ---------------------------------- ------ ------------ ------------ -------1 0002.7e38.6c4c to 0002.7e38.6c4d 3.2 6.1(3) 6.2(2.107) Ok2 0002.7ee0.28c0 to 0002.7ee0.28cf 3.0 6.1(3) 6.2(2.107) Ok4 0001.63d6.94da to 0001.63d6.9509 4.2 6.3(1) 6.2(2.107) Ok5 0060.0217.0000 to 0060.0217.0000 1.0 7.2(0.74-Eng 6.2(2.107) OkMod Sub-Module Model Serial Hw Status--- --------------------------- --------------- --------------- ------- -------1 Policy Feature Card 2 WS-F6K-PFC2 SAD055200K7 3.0 Ok1 Cat6k MSFC 2 daughterboard WS-F6K-MSFC2 SAD055107JD 2.0 OkRouter#Configuring a VPN Using the VPN Module
These sections describe how to configure a VPN using the VPN module:
•
•
•
•
–
–
–
–
–
–
Tip
Note
Hardware- and Software-Based Cryptographic Modes
With Cisco IOS Releases 12.2(9)Y04 and 12.2(14)SY when the VPN module is configured and active in the chassis, software encryption by the MSFC2 is disabled. This mode of operation is referred to as hardware-based cryptographic mode. In hardware-based cryptographic mode, any software-based cryptographic configurations that use the MSFC2 have an undefined or unspecified effect. In hardware-based cryptographic mode, if you associate a crypto ACL with a non-VLAN interface, packets do not get encrypted or dropped. You need to remove the software-based cryptographic configuration from the interface and then configure the interface correctly for hardware-based cryptographic operation with the VPN module.
With Cisco IOS Release 12.2(17b)SXA, when you install and power on a VPN module, the chassis is automatically placed in hardware-based cryptographic mode. Only a removal of the VPN module and a reboot of the switch returns the switch to software-based cryptographic operation.
Transitioning In and Out of Hardware-Based Cryptographic Mode
These sections describe how to transition in and out of the hardware-based cryptographic mode.
Cisco IOS Release 12.2(9)YO4 or Later Releases and Cisco IOS Release 12.2(14)SY and Later Releases
When you add the crypto connect vlan command to the running configuration, you enter hardware-based cryptographic mode. When you remove the last crypto connect vlan command from the running configuration (using the no crypto connect vlan command), you exit the hardware-based cryptographic mode.
Note
Cisco IOS Release 12.2(17b)SXA and Later Releases
When you power on a chassis with a VPN module installed or if you insert a VPN module into a chassis, the module enters the hardware-based cryptographic mode. In this mode, the encryption and decryption is done by the VPN module. The MSFC stops performing encryption and decryption in software; the software-based cryptographic mode does not function in this mode. In the hardware-based cryptographic mode, you need to configure a VPN module-specific configuration.
A VPN module in a chassis is active only if power to the module is enabled. If the power to the VPN module is disabled, the module is in the inactive state. Use the [no] power enable module slot command to enable or disable power to the VPN module.
When you power on a chassis with an active VPN module, the chassis enters the hardware-based cryptographic mode even if there is no VPN module-specific configuration. If you power on a chassis with an inactive VPN module, the chassis enters the software-based cryptographic mode; any VPN module-specific configurations in the startup configuration are not implemented.
When a chassis is in the hardware-based cryptographic mode, it stays in the hardware-based cryptographic mode even if you remove the VPN module or turn off the power to the VPN module. In these cases, all the packets that normally would have gone through the VPN module are dropped.
If you power on a chassis with no VPN module or an inactive VPN module, the chassis enters the software-based cryptographic mode. Inserting a VPN module into the chassis or enabling power to the VPN module results in a change to the hardware-based cryptographic mode.
To switch from hardware-based cryptographic mode to software-based cryptographic mode, you need to remove the VPN module(s) or power off the VPN module(s) and reset the chassis.
After you enter the hardware-based cryptographic mode by inserting one VPN module into the chassis, inserting additional VPN modules has no effect on the cryptographic mode.
Effects of Exiting the Hardware-Based Cryptographic Mode on Existing IPsec SAs
These sections describe the configuration guidelines for exiting the hardware-based cryptographic mode on existing IPsec SAs.
Cisco IOS Release 12.2(9)YO4 or Later Releases
The configuration guidelines for Cisco IOS Release 12.2(9)YO4 or later releases are as follows:
•
Note
•
Cisco IOS Release 12.2(14)SY and Later Releases and Cisco IOS Release 12.2(17b)SXA and Later Releases
The configuration guidelines for Cisco IOS Release 12.2(14)SY or later releases are as follows:
•
•
•
•
•
•
Note that the behavior described above depends on the type of interface as follows:
•
–
–
•
–
–
–
•
–
Configuring the VPN Module Using the crypto engine slot Command
Note
The crypto engine slot slot command makes it easier to assign interface VLANs to VPN modules. With this command, you do not need to explicitly add interface VLANs to the VPN module inside trunk port. Prior to Cisco IOS Release 12.2(17b)SXA, the VPN module that would be used to protect a particular interface was determined by adding VLANs to a VPN module inside trunk port as follows:
interface GigabitEthernet3/1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,100,1002-1005switchport mode trunkWith Cisco IOS Release 12.2(17b)SXA and later releases, you can assign VPN modules to interfaces that require encryption using the crypto engine slot slot command as follows:
interface Vlan101ip address 192.168.101.1 255.255.255.0crypto map cmapcrypto engine slot 3interface GigabitEthernet2/1crypto connect vlan 101Use the no crypto engine slot slot command to remove the interface VLAN from the inside trunk port.
Follow these guidelines and restrictions when configuring VPN modules using the crypto engine slot command:
•
•
When you add an interface VLAN to an inside trunk port and that interface VLAN is not already added to another inside trunk port, the "crypto engine slot" configuration state on the interface VLAN is combined. If the interface VLAN is already added to another inside trunk port, the command is rejected.
•
When you remove an interface VLAN from an inside trunk port and a corresponding "crypto engine slot" configuration state exists, then that "crypto engine slot" configuration state is not removed. If you remove a VLAN that has a "crypto engine slot" configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect command is rejected.
•
You should not try to add all VLANs to an inside trunk port at one time (if you attempt this, you can recover by manually removing the VLANs from the inside trunk port).
•
When you enter the crypto connect command, a target VLAN is made an interface VLAN if and only if the target VLAN is not currently an interface VLAN, and the target VLAN has been added to an inside trunk port. If the VLAN has been added to more than one inside trunk port, the crypto connect command is rejected.
•
When you enter the no crypto connect command, the interface VLAN status is removed from a VLAN. Any associated "crypto engine slot" configuration state is not altered.
•
The crypto engine slot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect command.
If you enter the no crypto engine command and the interface VLAN is crypto-connected, the no crypto engine command is rejected. The no crypto engine command is allowed only after you enter the no crypto connect command, or before you enter the crypto connect command. Similarly, the crypto engine slot command is rejected if you enter it on a crypto-connected interface VLAN whose current crypto engine slot is different from the slot specified in the crypto engine slot command. To change the crypto engine slot on an interface VLAN, you must ensure that the VLAN is not crypto-connected.
•
•
When you write the configuration or show the configuration, the "crypto engine slot" configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-"crypto engine slot") configuration file, or if VLANs were manually added instead of being added through the crypto engine slot command.
•
By editing the crypto engine slot commands and inside trunk port VLANs, it is possible to produce an inconsistent configuration file.
•
–
–
Configuration Summaries
These sections provide Ethernet configuration summaries for the three modes of operation that are supported by the VPN module:
Note
Access Port Mode Summary
This section summarizes the steps that are required to configure a Catalyst switch outside port as an access port (see the "Configuring a VPN Access Port Connection" section for detailed information):
1.
a.
b.
c.
d.
2.
3.
Note
4.
5.
Note
6.
Note
Routed Port Mode Summary
This section summarizes the steps that are required to configure a Catalyst switch outside port as a routed port (see the "Configuring a VPN Routed Port Connection" section for detailed information):
1.
a.
b.
c.
d.
2.
3.
Note
4.
Note
5.
Trunk Port Mode Summary
Caution
This section summarizes the steps that are required to configure a Catalyst switch outside port as a trunk port (see the "Configuring a VPN Trunk Port Connection" section for detailed information):
1.
a.
b.
c.
d.
2.
3.
Note
4.
Note
5.
6.
VPN Module Feature Configuration Guidelines and Configuration Procedures
Use the VPN module feature configuration guidelines and configuration procedures in the following sections when configuring a VPN using the VPN module:
•
•
•
•
•
•
•
•
•
•
Interaction with Other Features
Follow these configuration guidelines for configuring a VPN using the VPN module:
Caution
The VPN module is not compatible with stateful switchover (SSO mode). The VPN module does not work if you enable SSO mode. If you enable SSO mode and there is a VPN module in the chassis, the following warning message is displayed: Warn:Card:<slot_num> can NOT co-exist with SSO mode---
You should either change the mode to RPR or RPR+, or remove the VPN module from the chassis.
•
You can enter the crypto connect vlan command only from the following:
–
–
•
When a routed port has a crypto connection, the IP ACLs that are attached to the routed port work correctly even if the routed port does not have an IP address.
•
–
–
Note
•
Interaction with the SPAN feature is as follows:
–
–
–
•
Attaching a crypto map set to a generic routing encapsulation (GRE) tunnel interface is not supported. You can attach a crypto map set to a GRE tunnel interface, but there are configuration restrictions. You can configure the GRE tunnel interface in the same manner as on other Cisco routers, but you cannot attach a crypto map set to the interface. Instead, you attach the crypto map set to all of the ingress/egress interfaces over which the GRE tunnel spans. Note that HSRP/GRE is supported.
Note
Preventing VPN Module Misconfigurations
Follow these guidelines to prevent VPN module misconfigurations:
•
•
•
–
–
–
In this example, a crypto connection exists, and when the associated interface VLAN is removed from the VPN module inside port, a misconfigured startup-configuration file is created.
Note
When you enter the write memory command, the following misconfigured startup-configuration file is created:
...interface GigabitEthernet1/1no ip addresssnmp trap link-statusswitchportswitchport access vlan 200switchport mode accesscrypto connect vlan 100end...interface GigabitEthernet2/1no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005 <-- misconfiguration switchport mode trunkflowcontrol receive oncdp enableend...In this example, when you use this startup-configuration file to boot a switch, the misconfigured crypto connections are removed after the VPN module boots and this warning message is displayed:
%CRYPTO: crypto connection to VLAN 100 is removed from gi1/1 because VLAN 100 doesn'tbelong to any IPsec Service Module.Note that all the configurations on the interface VLAN, such as the crypto map, are intact.
•
When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in the VLAN database, this warning message is displayed:
VLAN id 100 not found in current VLAN database. It may not function correctly unlessVLAN 100 is added to VLAN database.•
Miscellaneous Guidelines
Follow these configuration guidelines for configuring a VPN using the VPN module:
•
Attaching a crypto map set to a loopback interface is not supported. However, you can maintain an IPsec security association database independent of physical ingress/egress interfaces with the VPN module by entering the crypto map map-name local-address interface command.
If you apply the same crypto map set to each secure interface and enter the crypto map map-name local-address interface command with interface as a loopback interface, you will have a single security association database for the set of secure interfaces.
Note
•
When the interface VLAN belongs to the VPN module inside port, the show crypto vlan command output is as follows:
Interface VLAN 2 on IPsec Service Module port 7/1 connected to Fa8/3When there is a crypto connection, but the VPN module inside port does not include the interface VLAN due to a misconfiguration, the output is as follows:
Interface VLAN 2 connected to Fa8/3 (no IPsec Service Module attached)
Note
•
The show crypto engine command and all keyword variations (such as show crypto engine configuration) are not supported by the VPN module.
•
After a supervisor engine switchover, the installed modules reboot and come back online. During this period, the VPN module's established tunnels (SAs) are temporarily lost and are reconstructed after the VPN module comes back online. The reconstruction is through IKE (it is not instantaneous).
•
When you remove a switching module that has some ports participating in crypto connection, the crypto connections remain intact. When you reinsert the same type of switching module, the traffic starts to run again on all the crypto connections. You must manually remove the crypto connections that are associated with the removed switching module. You can enter the no crypto connect vlan command from any interface when the associated physical port is removed.
•
When you reboot a VPN module that has crypto connections, the existing crypto connections are kept intact. The traffic starts running again when the VPN module reboots. When a crypto connection exists but the associated interface VLAN is missing from the VPN module inside port, the crypto connection is removed after the VPN module reboots.
•
•
Handling Multicast Traffic
In Cisco IOS Release 12.2(9)YO and later releases, when a chassis contains a Switch Fabric Module the VPN module drops all multicast traffic. This action does not occur if there is no Switch Fabric Module installed. To handle this multicast traffic issue, in Cisco IOS Release 12.2(14)SY and later releases, the Cisco IOS software recognizes when a VPN module has been inserted into a chassis where there is a Switch Fabric Module and automatically configures a SPAN session to forward the multicast traffic.
Note
See Table 3 for the descriptions of the switching modes that are used when the Switch Fabric Module is installed.
Follow these guidelines for multicast traffic:
•
•
•
•
•
•
•
•
•
Configuring MTU Settings
Note
There are two MTU settings on the switch:
•
•
Configurable interface MTU values depend on the interface type as follows:
•
•
–
–
–
•
•
The switch makes forwarding decisions that are based on the MTU settings as follows:
•
•
–
–
If the received packet length is greater than the outgoing interface's interface MTU value, the packets are sent to the MSFC2 to be fragmented.
If the received packet length is less than or equal to the outgoing interface's interface MTU value, the packets are sent directly to the outgoing interface through hardware (PFC2).
•
In Cisco IOS Release 12.2(18)SXF, the GRE fragmentation behavior of the VPN module is changed to be consistent with the fragmentation behavior of the route processor. For additional information, see the "Using GRE Tunneling" section.
Note
Configuring Trunk Ports
Caution
When you configure a trunk port for cryptographic connection, do not use the "all VLANs allowed" default. You need to explicitly specify all the desirable VLANs using the switchport trunk allowed vlan vlan-list command.
To verify the VLANs allowed by a trunk port, enter the show interface trunk command or the show int interface trunk command. The following display shows that all VLANs are allowed:
Router# show interfaces GigabitEthernet 2/1 trunkPort Mode Encapsulation Status Native vlanGi2/1 on 802.1q trunking 1Port Vlans allowed on trunkGi2/1 1-4094Port Vlans allowed and active in management domainGi2/1 1-4,7-8,513,1002-1005Port Vlans in spanning tree forwarding state and not prunedGi2/1 1-4,7-8,513,1002-1005Router#Due to an incorrect startup configuration or through the default trunk port configuration, an interface VLAN might be associated with a trunk port. When you try to remove the interface VLAN from the VLAN list, you might receive an error message similar to the following:
Router# conf tRouter(config)# int g1/1Router(config-if)# switchport trunk allowed vlan rem 71Command rejected:VLAN 61 is crypto connected to Vl62.To remove the interface VLAN from the VLAN list, enter the following commands:
Router# conf tRouter(config)# int g1/1Router(config-if)# no switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1Router(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan add vlan-list
Note
To avoid having an interface VLAN incorrectly associated with a trunk port, when you put an Ethernet port into the trunk mode, enter the following commands in the exact order given:
Router# conf tRouter(config)# int g1/1Router(config)# no shutRouter(config-if)# switchportRouter(config-if)# switchport trunk allowed vlan 1Router(config-if)# switchport trunk encapsulation dot1qRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan add vlan-list
Note
A common mistake when configuring a trunk port occurs when you use the add option as follows: switchport trunk allowed vlan add 100. If the switchport trunk allowed vlan vlan-list command has not already been used, the add option does not make VLAN 100 the only allowed VLAN on the trunk port; all VLANs are still allowed after entering the command because all the VLANs are allowed by default. After you use the switchport trunk allowed vlan vlan-list command to add a VLAN, you can then use the switchport trunk allowed vlan add vlan-list command to add additional VLANs.
Note
Caution
Configuring the VPN Module Inside Port and Outside Port
Follow these guidelines for configuring the VPN module inside port and outside port:
•
•
•
Router(config-if)# switchportRouter(config-if)# no switchport access vlanRouter(config-if)# switchport trunk allowed vlan 1,1002-1005Router(config-if)# switchport trunk encapsulation dot1qRouter(config-if)# switchport mode trunk•
Note
•
Using Multiple VPN Modules in a Chassis
Note
Follow these guidelines when configuring multiple VPN modules in a chassis:
•
•
•
Assigning interface VLANs to the inside ports of the VPN modules allow you to decide which VPN module can be used to provide IPsec services for a particular interface VLAN.
Note
Note
•
•
A summary of the switch 1 configuration that is used in the configuration example is as follows (see Figure 9).
Note
•
•
Figure 9 Configuring Multiple VPN Modules Example
The following is a configuration example for switch 1:
crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key mykey address 10.8.1.1crypto isakmp key mykey address 10.13.1.1!crypto ipsec transform-set xform1 ah-md5-hmac esp-des esp-sha-hmaccrypto ipsec transform-set xform2 esp-3des esp-sha-hmac!!!! crypto map applied to VLAN 12, which is!!! assigned to "inside" port of VPN-SM in slot 3crypto map cmap2 10 ipsec-isakmpset peer 10.8.1.1set transform-set xform1match address 102!!!! crypto map applied to VLAN 20, which is!!! assigned to "inside" port of VPN-SM in slot 2crypto map cmap3 10 ipsec-isakmpset peer 10.13.1.1set transform-set xform2match address 103!!!! "inside" port of VPN-SM in slot 2:!!! encrypts traffic from VLAN 20, sending encrypted!!! packets to VLAN 19 via "outside" port Gig2/2interface GigabitEthernet2/1no ip addressflowcontrol receive onswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,20,1002-1005switchport mode trunkcdp enable!!!! "outside" port of VPN-SM in slot 2:!!! decrypts traffic from VLAN 19, sending decrypted!!! packets to VLAN 20 via "inside" port Gig2/1interface GigabitEthernet2/2no ip addressflowcontrol receive onswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,19,1002-1005switchport mode trunkcdp enable!!!! "inside" port of VPN-SM in slot 3:!!! encrypts traffic from VLAN 12, sending encrypted!!! packets to VLAN 11 via "outside" port Gig3/2interface GigabitEthernet3/1no ip addressflowcontrol receive onswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,12,1002-1005switchport mode trunkcdp enable!!!! "outside" port of VPN-SM in slot 3:!!! decrypts traffic from VLAN 11, sending decrypted!!! packets to VLAN 12 via "inside" port Gig3/1interface GigabitEthernet3/2no ip addressflowcontrol receive onswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,11,1002-1005switchport mode trunkcdp enable!!!! "port" VLAN, crypto connected to VLAN 12 by VPN-SM on slot 3interface Vlan11no ip addresscrypto connect vlan 12!!!! "interface" VLAN, assigned to VPN-SM on slot 3interface Vlan12ip address 10.8.1.2 255.255.0.0crypto map cmap2!!!! "port" VLAN, crypto connected to VLAN 20 by VPN-SM on slot 2interface Vlan19no ip addresscrypto connect vlan 20!!!! "interface" VLAN, assigned to VPN-SM on slot 2interface Vlan20ip address 10.13.1.2 255.255.0.0crypto map cmap3!!!! connected to Host 1interface FastEthernet6/1ip address 10.9.1.2 255.255.255.0!!!! connected to Host 2interface FastEthernet6/2ip address 10.9.2.2 255.255.255.0!!!! connected to Switch 2interface GigabitEthernet5/3switchportswitchport mode accessswitchport access vlan 11!!!! connected to Switch 2interface GigabitEthernet5/4switchportswitchport mode accessswitchport access vlan 19!ip classless!!!! packets from Host 1 to Host 3 are routed from FastEthernet6/1!!! to VLAN 12, encrypted with crypto map cmap2!!! using VPN-SM in slot 3, and forwarded to peer 10.8.1.1!!! through GigabitEthernet5/3ip route 10.6.1.4 255.255.255.255 10.8.1.1!!!! packets from Host 2 to Host 4 are routed from FastEthernet6/2!!! to VLAN 20, encrypted with crypto map cmap3!!! using VPN-SM in slot 2, and forwarded to peer 10.13.1.1!!! through GigabitEthernet5/4ip route 10.6.2.1 255.255.255.255 10.13.1.1!!!! ACL matching traffic between Host 1 and Host 3access-list 102 permit ip host 10.9.1.3 host 10.6.1.4!!!! ACL matching traffic between Host 2 and Host 4access-list 103 permit ip host 10.9.2.1 host 10.6.2.1For Cisco IOS Release 12.2(17b)SXA or later releases:
The following is a configuration example for switch 1 using the crypto engine slot command:
crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key mykey address 10.8.1.1crypto isakmp key mykey address 10.13.1.1!crypto ipsec transform-set xform1 ah-md5-hmac esp-des esp-sha-hmaccrypto ipsec transform-set xform2 esp-3des esp-sha-hmac!!!! crypto map applied to VLAN 12, which is!!! assigned to "inside" port of VPN-SM in slot 3crypto map cmap2 10 ipsec-isakmpset peer 10.8.1.1set transform-set xform1match address 102!!!! crypto map applied to VLAN 20, which is!!! assigned to "inside" port of VPN-SM in slot 2crypto map cmap3 10 ipsec-isakmpset peer 10.13.1.1set transform-set xform2match address 103!!!! "port" VLAN, crypto connected to VLAN 12 by VPN-SM on slot 3interface Vlan11no ip addresscrypto connect vlan 12!!!! "interface" VLAN, assigned to VPN-SM on slot 3interface Vlan12ip address 10.8.1.2 255.255.0.0crypto map cmap2crypto engine slot 3!!!! "port" VLAN, crypto connected to VLAN 20 by VPN-SM on slot 2interface Vlan19no ip addresscrypto connect vlan 20!!!! "interface" VLAN, assigned to VPN-SM on slot 2interface Vlan20ip address 10.13.1.2 255.255.0.0crypto map cmap3crypto engine slot 2!!!! connected to Host 1interface FastEthernet6/1ip address 10.9.1.2 255.255.255.0!!!! connected to Host 2interface FastEthernet6/2ip address 10.9.2.2 255.255.255.0!!!! connected to Switch 2interface GigabitEthernet5/3switchportswitchport mode accessswitchport access vlan 11!!!! connected to Switch 2interface GigabitEthernet5/4switchportswitchport mode accessswitchport access vlan 19!ip classless!!!! packets from Host 1 to Host 3 are routed from FastEthernet6/1!!! to VLAN 12, encrypted with crypto map cmap2!!! using VPN-SM in slot 3, and forwarded to peer 10.8.1.1!!! through GigabitEthernet5/3ip route 10.6.1.4 255.255.255.255 10.8.1.1!!!! packets from Host 2 to Host 4 are routed from FastEthernet6/2!!! to VLAN 20, encrypted with crypto map cmap3!!! using VPN-SM in slot 2, and forwarded to peer 10.13.1.1!!! through GigabitEthernet5/4ip route 10.6.2.1 255.255.255.255 10.13.1.1!!!! ACL matching traffic between Host 1 and Host 3access-list 102 permit ip host 10.9.1.3 host 10.6.1.4!!!! ACL matching traffic between Host 2 and Host 4access-list 103 permit ip host 10.9.2.1 host 10.6.2.1Using IPsec Stateful Failover and the VPN Module
Note
Note
For complete configuration information for Cisco IOS IPsec stateful failover support, refer to this URL: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
Follow these guidelines when configuring IPsec stateful failover:•
•
•
•
•
These timer values can be adjusted upward if you are running high loads or have a large number of HSRP groups. Temporary failures and load-related system stability can be positively affected by raising the timer values as needed. The hello timer value should be approximately a third of the hold timer value.
•
•
•
•
The following is a configuration example for the active chassis that is configured for an IPsec stateful failover (at the end of this example, see the configuration example for the standby chassis):
Note
Active# show runBuilding configuration...Current configuration : 2235 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Active!boot system flash sup-bootflash:!redundancymain-cpuauto-sync standardip subnet-zero!!no ip domain-lookup!!ssp group 100remote 40.0.0.2redundancy KNIGHTSOFNIno mls ip multicast aggregateno mls ip multicast non-rpf cef!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0crypto isakmp ssp 100!!crypto ipsec security-association lifetime seconds 86400!crypto ipsec transform-set TS1 esp-3des esp-sha-hmac!crypto map ha ha replay-interval inbound 10 outbound 1000crypto map ha 10 ipsec-isakmpset peer 172.16.31.3set transform-set TS1match address 101!!spanning-tree extend system-idno spanning-tree vlan 4!!!interface GigabitEthernet1/1no ip addressno ip redirectscrypto connect vlan 4!interface GigabitEthernet1/2ip address 40.0.0.1 255.255.255.0no ip redirectsstandby delay minimum 35 reload 60standby ip 40.0.0.100standby timers 1 3standby preemptstandby track GigabitEthernet1/1!interface GigabitEthernet3/1mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,4,1002-1005switchport mode trunkflowcontrol receive oncdp enable!interface GigabitEthernet3/2mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkflowcontrol receive oncdp enable!interface Vlan1no ip addressshutdown!interface Vlan4ip address 172.16.31.1 255.255.255.0standby delay minimum 35 reload 60standby ip 172.16.31.100standby timers 1 3standby preemptstandby name KNIGHTSOFNIstandby track GigabitEthernet1/1standby track GigabitEthernet1/2crypto map ha ssp 100!ip classlessip route 10.11.1.1 255.255.255.255 172.16.31.3no ip http serverip pim bidir-enable!access-list 101 permit ip host 40.0.0.3 host 10.11.1.1arp 127.0.0.12 0000.2100.0000 ARPA!!!line con 0line vty 0 4logintransport input lat pad mop telnet rlogin udptn nasi ssh!endThe following is a configuration example for the standby chassis that is configured for IPsec stateful failover:StandBy# show runBuilding configuration...Current configuration : 2236 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname StandBy!boot system flash sup-bootflash:!redundancymain-cpuauto-sync standardip subnet-zero!!no ip domain-lookup!!ssp group 100remote 40.0.0.1redundancy KNIGHTSOFNIno mls ip multicast aggregateno mls ip multicast non-rpf cef!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0crypto isakmp ssp 100!!crypto ipsec security-association lifetime seconds 86400!crypto ipsec transform-set TS1 esp-3des esp-sha-hmac!crypto map ha ha replay-interval inbound 10 outbound 1000crypto map ha 10 ipsec-isakmpset peer 172.16.31.3set transform-set TS1match address 101!!spanning-tree extend system-idno spanning-tree vlan 4!!!interface GigabitEthernet1/1no ip addressno ip redirectscrypto connect vlan 4!interface GigabitEthernet1/2ip address 40.0.0.2 255.255.255.0no ip redirectsstandby delay minimum 35 reload 60standby ip 40.0.0.100standby timers 1 3standby preemptstandby track GigabitEthernet1/1!interface GigabitEthernet3/1mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,4,1002-1005switchport mode trunkflowcontrol receive oncdp enable!interface GigabitEthernet3/2mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkflowcontrol receive oncdp enable!interface Vlan1no ip addressshutdown!interface Vlan4ip address 172.16.31.2 255.255.255.0standby delay minimum 35 reload 60standby ip 172.16.31.100standby timers 1 3standby preemptstandby name KNIGHTSOFNIstandby track GigabitEthernet1/1standby track GigabitEthernet1/2crypto map ha ssp 100!ip classlessip route 10.11.1.1 255.255.255.255 172.16.31.3no ip http serverip pim bidir-enable!access-list 101 permit ip host 40.0.0.3 host 10.11.1.1arp 127.0.0.12 0000.2100.0000 ARPA!!!line con 0line vty 0 4logintransport input lat pad mop telnet rlogin udptn nasi ssh!endUsing IPsec NAT Transparency
Note
For complete configuration information for Cisco IOS IPsec NAT transparency support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html
There is no VPN module-specific configuration requirements or restrictions for IPsec NAT transparency. Use the standard Cisco IOS configuration that is described at the above URL.
Using TopN Acceleration
Note
Note
For complete configuration information for TopN acceleration support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/fun/command/reference/fft310.html
Using IPsec Anti-Replay Window Size Expansion
Note
The per-security association (SA) anti-replay window size has been increased to 64 from 32. No configuration is required to obtain the larger anti-replay window size.
Using Easy-VPN Client
Note
Caution
For complete configuration information for Easy-VPN client support, refer to this URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a00800e7251.html#xtocid2
For complete configuration information for Easy-VPN server (router side) support, refer to this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html
The following is a configuration example of the router-side configuration:
!version 12.2!hostname User1!boot system flash:c6sup22-jk2sv-mzlogging snmp-authfaillogging buffered 1000000 debuggingaaa new-modelaaa authentication login authen localaaa authorization network author local!username unity password 0 ucip subnet-zerono ip source-route!mpls ldp logging neighbor-changesmls flow ip destinationmls flow ipx destination!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key 12345 address 0.0.0.0 0.0.0.0crypto isakmp keepalive 10 2!crypto isakmp client configuration group group1key 12345domain cisco.compool pool1!crypto isakmp client configuration group defaultkey 12345domain cisco.compool pool2!crypto ipsec transform-set myset3 esp-3des esp-md5-hmac!crypto dynamic-map test_dyn 1set transform-set myset3reverse-route!! Static client mappingcrypto map testtag client authentication list authencrypto map testtag isakmp authorization list authorcrypto map testtag client configuration address respondcrypto map testtag 10 ipsec-isakmpset peer 10.5.1.4set security-association lifetime seconds 900set transform-set myset3match address 109!! Dynamic client mappingcrypto map test_dyn client authentication list authencrypto map test_dyn isakmp authorization list authorcrypto map test_dyn client configuration address respondcrypto map test_dyn 1 ipsec-isakmp dynamic test_dyn!!no spanning-tree vlan 513!redundancymain-cpuauto-sync running-configauto-sync standard!interface GigabitEthernet2/1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,513,1002-1005switchport mode trunk!interface GigabitEthernet2/2no ip addressshutdown!interface GigabitEthernet6/1no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,513,1002-1005switchport mode trunkcdp enable!interface GigabitEthernet6/2no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkcdp enable!interface Vlan1no ip addressshutdown!interface Vlan2no ip addresscrypto connect vlan 513!interface Vlan513ip address 10.5.1.1 255.255.0.0crypto map test_dyn!ip local pool pool1 22.0.0.2ip local pool pool2 23.0.0.3ip classlessip pim bidir-enable!access-list 109 permit ip host 10.5.1.1 host 22.0.0.2arp 127.0.0.12 0000.2100.0000 ARPA!snmp-server enable traps ttysnmp-server enable traps ipsec tunnel startsnmp-server enable traps ipsec tunnel stop!line con 0line vty 0 4password labtransport input lat pad mop telnet rlogin udptn nasi!endUsing Dead-Peer-Detection
Note
For complete configuration information for Cisco IOS Dead-Peer-Detection (DPD) support, refer to this URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a00800ecb3d.htmlUsing WAN Interfaces
Note
Follow these guidelines when configuring WAN interfaces:
•
interface Vlan101ip address 192.168.101.1 255.255.255.0no mop enabledcrypto map cwaninterface ATM6/0/0.101 point-to-pointpvc 0/101crypto connect vlan 101•
interface ATM6/0/0pvc 0/101crypto connect vlan 101•
•
router ospf 10passive-interface multilink1•
WAN interface configuration examples are as follows:
•
•
•
Crypto Connection for a Channelized T3 Port Adapter in the FlexWAN Module
The configuration for this example is as follows:
•
•
•
•
•
•
!controller T3 2/0/0t1 1 channel-group 0 timeslots 1-24t1 2 channel-group 0 timeslots 1-24t1 3 channel-group 0 timeslots 1-24t1 4 channel-group 0 timeslots 1-24t1 5 channel-group 0 timeslots 1-24t1 6 channel-group 0 timeslots 1-24t1 7 channel-group 0 timeslots 1-24t1 8 channel-group 0 timeslots 1-24t1 9 channel-group 0 timeslots 1-24t1 10 channel-group 0 timeslots 1-24t1 11 channel-group 0 timeslots 1-24t1 12 channel-group 0 timeslots 1-24t1 13 channel-group 0 timeslots 1-24t1 14 channel-group 0 timeslots 1-24t1 15 channel-group 0 timeslots 1-24t1 16 channel-group 0 timeslots 1-24t1 17 channel-group 0 timeslots 1-24t1 18 channel-group 0 timeslots 1-24t1 19 channel-group 0 timeslots 1-24t1 20 channel-group 0 timeslots 1-24t1 21 channel-group 0 timeslots 1-24t1 22 channel-group 0 timeslots 1-24t1 23 channel-group 0 timeslots 1-24t1 24 channel-group 0 timeslots 1-24t1 25 channel-group 0 timeslots 1-24t1 26 channel-group 0 timeslots 1-24t1 27 channel-group 0 timeslots 1-24t1 28 channel-group 0 timeslots 1-24!!interface Multilink1ip unnumbered Vlan211no cdp enableppp multilinkmultilink-group 1crypto connect vlan 211!interface Serial2/0/0/1:0no ip addressno fair-queueno cdp enablecrypto connect vlan 201!interface Serial2/0/0/6:0ip unnumbered Vlan206encapsulation pppno fair-queueno cdp enablecrypto connect vlan 206!interface Serial2/0/0/11:0no ip addressencapsulation pppno cdp enableppp chap hostname m1ppp multilinkmultilink-group 1!interface Serial2/0/0/12:0no ip addressencapsulation pppno cdp enableppp chap hostname m1ppp multilinkmultilink-group 1!interface Serial2/0/0/13:0no ip addressencapsulation pppno cdp enableppp chap hostname m1ppp multilinkmultilink-group 1!interface GigabitEthernet5/1no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,201,206,211,1002-1005switchport mode trunkcdp enable!interface Vlan206ip address 192.168.206.1 255.255.255.0no mop enabled!interface Vlan211ip address 192.168.211.1 255.255.255.0no mop enabled!Crypto Connection for an ATM Port Adapter in the FlexWAN Module
The configuration for this example is as follows:
•
•
•
•
•
!interface GigabitEthernet5/1no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,101,1002-1005switchport mode trunkcdp enable!interface ATM6/0/0no ip addressatm clock INTERNAL!interface ATM6/0/0.101 point-to-pointpvc 1/101!crypto connect vlan 101!interface Vlan101ip address 192.168.101.1 255.255.255.0no mop enabled!Crypto Connection for a POS Port Adapter in the FlexWAN Module
The configuration for this example is as follows:
•
•
•
•
!frame-relay switching!!interface GigabitEthernet5/1no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,16,1002-1005switchport mode trunkcdp enable!interface POS6/1/0no ip addressencapsulation frame-relay!!!!!! The peer POS interface config does not need!!! to have the following two lines.!!!no keepaliveclock source internalframe-relay intf-type dce!interface POS6/1/0.16 point-to-pointno cdp enableframe-relay interface-dlci 16crypto connect vlan 16!interface Vlan16ip address 192.168.16.1 255.255.255.0no mop enabledUsing Look-Ahead Fragmentation
Note
Follow these guidelines for using Look-Ahead Fragmentation (LAF):
•
•
•
For complete configuration information for LAF, refer to this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080115533.htmlUsing GRE Tunneling
Note
In Catalyst 6500 series switches or Cisco 7600 series routers, GRE encapsulation and decapsulation is traditionally performed by the route processor. When routing indicates that encapsulated packets for a GRE tunnel will egress through an interface VLAN that is attached to a VPN module inside port, that VPN module will seize the GRE tunnel when certain criteria are met. By seizing the tunnel, the VPN module takes the GRE encapsulation and decapsulation duty from the route processor. This action offloads the route processor from packet-processing tasks and also allows GRE scaling with additional VPN modules.
No explicit configuration changes are required to use this feature; configure GRE as you normally would. If routing sends the GRE-encapsulated packets out an interface VLAN, and all other takeover criteria are met, the VPN module will seize the GRE tunnel.
The GRE takeover behavior of the VPN module varies by software release as follows:
•
•
•
•
–
–
Follow these guidelines for configuring GRE tunneling:
•
•
Caution
•
•
•
•
•
•
•
•
Router-2# show crypto vlanInterface VLAN 101 on IPsec Service Module port 7/1 connected to AT4/0/0.101Tunnel101 is accelerated via IPsec SM in slot 7Router-2#•
•
•
–
–
–
For GRE tunneling configuration examples, see the "GRE Tunneling" section.
Using QoS
Note
The VPN module uses the QoS capabilities of the Catalyst 6500 series switches and Cisco 7600 series router software. Before configuring QoS for the VPN module, refer to this URL:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008014a29f.shtml
The VPN module supports two-level, strict-priority QoS (high priority versus low priority). To take advantage of the VPN module's QoS capability, you must use standard QoS commands to ensure that the CoS of packets are marked on ingress. You must configure the CoS map for the VPN module inside and outside ports. The VPN module behaves according to the settings of the inside and outside ports. You must enable QoS globally for the VPN module to acknowledge the CoS mapping.
For example, if the CoS map of the inside and outside ports map CoS value 5 to the high-priority queue and you have globally enabled QoS, the VPN module will give traffic marked CoS 5 higher priority than traffic marked with any of the other seven CoS values. If you alter the CoS map of the inside and outside ports so that CoS 6 additionally maps to the high-priority queue, then packets marked with either CoS 5 or CoS 6 will be given higher priority within the VPN module.
As many as three high-priority CoS map values are supported per VPN module. When global QoS is enabled, the CoS value of 5 is preconfigured. This allows you to add only two more values in addition to the preconfigured CoS 5 value. For QoS configuration examples, see the "QoS" section.
Using Per-Crypto Map IPsec Security Association (SA) Idle Timers
Note
When a router running Cisco IOS software creates an IPsec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers. The IPsec SA idle timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. The idle timers can be configured either globally, on a per-crypto map basis, or through an isakmp profile. The benefits of this feature include the following:
•
•
For detailed information on configuring IPsec SA idle timers, refer to the following Cisco IOS documentation:
/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html#wp1027129
Note
Using Sequenced ACLs
Note
Access-control lists (ACLs) are made up of access-control entries (ACEs). Prior to Cisco IOS Release 12.2(18)SXD, ACEs were processed in the order that they were entered. Additionally, when you deleted one ACE, all of the ACEs in the ACL were removed. With sequenced ACLs, ACEs can be entered with a sequence number in front of the ACE and the ACEs are then processed by sequence number. Additionally, ACEs can now be deleted one at a time by using the sequence number in the front of the ACE that you want to delete. The sequence numbers do not appear in the configuration but they can be displayed using the show access-list command.
Using VRF-Aware IPsec
Note
Note
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm
Note
Note
These sections describe how to configure VRF-aware IPsec on the VPN module:
•
•
Functional Overview
The VRF-aware IPsec feature introduces IPsec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs. Using the VRF-aware IPsec feature, you can map IPsec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.
With the VRF-aware IPsec feature, packets belonging to a specific VRF instance are routed through the VPN module for IPsec processing. Through the CLI, you associate a VRF instance with an interface VLAN that has been configured to point to the VPN module. An interface VLAN must be created for each VRF instance. Packets traveling from an MPLS cloud to the Internet that are received from an inside VRF instance are routed to an interface VLAN and then to the VPN module for IPsec processing. The VPN module modifies the packets so that they are placed on a special Layer 3 VLAN for routing to the WAN-side port after they leave the VPN module.
Note
Packets traveling in the inbound direction from a protected port on which the crypto engine slot command has been entered hit an ACL and are redirected to the VPN module where they are processed according to the Security Parameter Index (SPI) contained in the packet's IPsec header. Processing on the VPN module ensures that the decapsulated packet is mapped to the appropriate interface VLAN corresponding to the inside VRF. This interface VLAN has been associated with a specific VRF instance, so packets are routed within the VRF instance to the correct inside interface.
Configuring VRF-Aware IPsec
To configure the VRF-aware IPsec feature (see the example configuration in this section for assistance in following the configuration steps), perform these steps:
Step 1
Step 2
Note
Step 3
Note
If your IPsec configuration is using tunnel protection, you do not need to perform Steps 4, 5, and 6. Instead, enter the ip vrf forwarding vrf-name command on the tunnel interfaces. After doing this, continue the procedure with Step 7.Step 4
Step 5
Note
Step 6
Step 7
Step 8
Configuration Overview
Traditional Cisco IOS IPsec with the VPN module is configured by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. For VRF-aware IPsec with the VPN module, the idea of interface VLANs is preserved, but the crypto connect vlan CLI command is not used. When a packet comes into an interface on a specific VRF, the packet must get to the proper interface VLAN. A route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN. This can be achieved through the following configuration options:
•
int vlan 100ip vrf forwarding cokeip address 10.1.1.254 255.255.255.0 <-- same subnet as 10.1.1.x that we are trying to reach.crypto map mymapcrypto engine slot 4•
ip route vrf coke 10.1.1.0 255.255.255.0 vlan 100•
Note
•
With VRF-aware IPsec, the router sees the interface VLAN as a point-to-point connection; the packets are placed directly onto the interface VLAN. Each VRF instance has its own interface VLAN.
When a crypto map is attached to an interface VLAN and the ip vrf forwarding command has associated that VLAN with a particular VRF instance, the software creates a point-to-point connection so that all routes pointing to the interface VLAN do not attempt to run the Address Resolution Protocol (ARP). Through normal routing within the VRF instance, packets to be processed by the VPN module are sent to the interface VLAN. You may configure features on the interface VLAN. The IP address of the interface VLAN must be on the same subnet as the desired destination subnet for packets to be properly routed.
Entering the ip vrf forwarding command on an inside interface ensures that all packets coming in on that interface are routed correctly within that VRF instance.
When you enter the crypto engine slot command on an interface and enable the crypto engine mode vrf command, a special ACL is installed that forces all incoming Encapsulating Security Payload (ESP)/Authentication Header (AH) IPsec packets addressed to a system IP address to be sent to the VPN module WAN-side port. NAT Traversal (NAT-T) packets are also directed to the VPN module by the special ACL.
Note
All packets destined for a protected outside interface received in this VRF context are placed on the associated interface VLAN. Similarly, all decapsulated ingress packets associated with this VRF are placed on the appropriate interface VLAN so that they may be routed in the proper VRF context.An example configuration for VRF-aware IPsec follows:
ip vrf pepsird 1000:1route-target export 1000:1route-target import 1000:1!ip vrf cokerd 2000:1route-target export 2000:1route-target import 2000:1crypto engine mode vrfinterface vlan 100ip vrf forwarding pepsiip address 10.2.1.1 255.255.255.0crypto engine slot 3crypto map map100interface vlan 200ip vrf forwarding cokeip address 10.2.1.1 255.255.255.0crypto engine slot 3crypto map map200interface gi1/1 (hidden VLAN 1000)ip address 171.1.1.1crypto engine slot 3! BASIC MPLS CONFIGURATIONmpls label protocol ldptag-switching tdp router-id Loopback0mls ip multicast flow-stat-timer 9no mls flow ipno mls flow ipv6!! CONFIGURE THE INTERFACE CONNECTED TO THE MPLS BACKBONE WITH LABEL/TAG SWITCHINGinterface GigabitEthernet2/12ip address 20.1.0.34 255.255.255.252logging event link-statusspeed nonegotiatempls label protocol ldptag-switching ipIn the above example, the gi1/1 interface is where the IPsec packets ingress/egress and the gi2/12 interface is the MPLS backbone interface configured with tag switching. Packets entering the switch through gi2/12 arrive with different tags that direct them to a specific VRF.
The VPN module is located in slot 3. VLAN 100 and VLAN 200 are allowed VLANs for interface gi3/1. Interface gi3/1 is the VPN module's clear port. All traffic that is to be encrypted enters the VPN module through the clear port and all traffic that is decrypted exits the VPN module through the clear port.
A special Layer 3 VLAN is created for the VPN module. All IPsec packets are directed to this VLAN after encapsulation so they may be Layer 3 routed. Additionally, an ACL is installed on each selected public interface (PE) configured with the crypto engine slot command. The ACL directs IPsec traffic (AH or ESP packets) addressed to a system IP address for inbound processing directly to the VPN module's secure port. Encrypted traffic exits the VPN module and decrypted traffic enters the VPN module through the secure port.
Guidelines and Restrictions
This section describes the guidelines and restrictions for using VRF-aware IPsec in Cisco IOS Release 12.2(18)SXD1 or later releases and Cisco IOS Release 12.2(18)SXE or later releases. Features listed are supported (or unsupported) in both releases unless noted otherwise:
•
–
Reverse Route Injection (RRI)
Proxy AAA (one VRF is proxied to a dedicated AAA)
–
Routing update propagation between CEs
IGP/eBGP routing update propagation between the PE and CEs
–
–
–
–
–
–
Note
–
–
•
–
–
–
–
–
–
–
•
–
Note
Interface Tu1 on IPsec Service Module port Gi7/1 connected to VRF vrf1
Interface VLAN 2 on IPsec Service Module port Gi8/1 connected to VRF vrf2–
–
–
–
–
–
–
–
–
–
–
Interface Gigabit 6/1crypto engine slot 6match address 100 <--- You should not add this ACL to the port.access-list 100 permit ip host 10.9.1.3 host 10.6.1.4•
–
–
–
–
•
–
–
–
–
–
–
•
–
–
–
–
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
•
•
•
•
•
•
•
Do not use the no interface vlan vlan_num command when deconfiguring a VLAN that has been configured with the ip vrf forwarding command. Using the no interface vlan vlan_num command fails to remove the VRF forwarding information from the interface. You need to deconfigure an interface the same way you configured it as shown in the following example:
–
int vlan 100ip vrf forwarding cokeip address x.x.x.xcmapcrypto engine slot x–
conf tint vlan 100no ip vrf forwarding cokeno cmapno crypto engine slot x–
no int vlan 100When deconfigured incorrectly, the next time the VLAN 100 interface is reconfigured, it will still be in VRF "coke" which the user will not be aware of:
conf tint vlan 100This behavior is tracked with caveat CSCea58224.
•
•
With release 12.2(18)SXE, you must use the mls mpls tunnel-recir command when configuring tunnel protection with MPLS.
Example Configurations
This section provides these example configurations:
•
•
•
•
VPN Module Configuration without VRF-Aware IPsec
The VPN module without VRF-aware IPsec configuration follows:
Note
crypto engine slot 3!crypto isakmp policy 1authentication pre-sharecrypto isakmp key 12345 address 0.0.0.0 0.0.0.0!crypto ipsec transform-set ts esp-3des esp-sha-hmacmode transport!crypto map map 10 ipsec-isakmpset peer 171.1.1.2set transform-set tsmatch address 101!!interface GigabitEthernet3/1mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,100,1002-1005switchport mode trunkflowcontrol receive on!interface GigabitEthernet3/2mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkflowcontrol receive on!interface GigabitEthernet2/1ip address 10.1.1.1 255.255.255.0!interface GigabitEthernet2/2no ip addresscrypto connect vlan 100!interface Vlan100ip address 171.1.1.1 255.255.255.0crypto map map!access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255VPN Module Configuration with VRF-Aware IPsec - Example 1
The VPN module with VRF-aware IPsec configuration (Example 1) follows:
Note
!ip vrf pepsird 1000:1route-target export 1000:1route-target import 1000:1!ip vrf cokerd 2000:1route-target export 2000:1route-target import 2000:1!crypto engine mode vrf!crypto keyring key0pre-shared-key address 0.0.0.0 0.0.0.0 key happy-piggy!crypto isakmp policy 1authentication pre-sharecrypto isakmp profile prof1vrf pepsikeyring key0match identity address 1.1.1.2 255.255.255.255crypto isakmp profile prof2vrf cokekeyring key0match identity address 2.2.2.2 255.255.255.255!crypto ipsec transform-set ts esp-3des esp-sha-hmacmode transport!crypto map map100 10 ipsec-isakmpset peer 171.1.1.2set transform-set tsset isakmp-profile prof1match address 101!crypto map map200 10 ipsec-isakmpset peer 171.1.1.2set transform-set tsset isakmp-profile prof2match address 101!interface GigabitEthernet3/1mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,100, 200, 1002-1005switchport mode trunkflowcontrol receive on!interface GigabitEthernet3/2mtu 4500no ip addresssnmp trap link-statusswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkflowcontrol receive on!interface GigabitEthernet1/1ip address 171.1.1.1 255.255.255.0crypto engine slot 3!interface GigabitEthernet2/1ip vrf forwarding pepsiip address 10.1.1.1 255.255.255.0!interface GigabitEthernet2/2ip vrf forwarding cokeip address 10.1.1.1 255.255.255.0!...!interface Vlan100ip vrf forwarding pepsiip address 10.2.1.1 255.255.255.0crypto engine slot 3crypto map map 100 local-address ge1/1crypto map map100!interface Vlan200ip vrf forwarding cokeip address 10.2.1.1 255.255.255.0crypto engine slot 3crypto map map 100 local-address ge1/1crypto map map200!access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255The following example shows that you may configure multiple outside interfaces and set the different peer addresses in the crypto maps accordingly.
!interface GigabitEthernet1/1ip address 171.1.1.1 255.255.255.0crypto engine slot 3!!interface GigabitEthernet1/2ip address 170.1.1.1 255.255.255.0crypto engine slot 3!crypto map map100 10 ipsec-isakmpset peer 171.1.1.2set transform-set tsset isakmp-profile prof1match address 101!crypto map map200 10 ipsec-isakmpset peer 170.1.1.2set transform-set tsset isakmp-profile prof2match address 101!The following example configuration shows that you can also configure the interface VLAN to use an IP address that is different from the actual destination network subnet, and add a static route:
!interface Vlan100ip vrf forwarding pepsiip address 10.3.1.1 255.255.255.0crypto map map100crypto engine slot 3!ip route vrf coke 10.2.1.0 255.255.255.0 Vlan 100VPN Module Configuration with VRF-Aware IPsec - Example 2
The VPN module with VRF-aware IPsec configuration (Example 2) follows:
Note
7600-IPsec# show runBuilding configuration...Current configuration :11492 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice counters max age 10!hostname 7600-Aswan!boot system flash disk0:s72033-jk9o3sv-mzenable password lab!username lab password 0 labusername sunil@vpn1 password 0 labusername sunil@vpn2 password 0 labaaa new-modelaaa authentication login vpn group radius localaaa authorization network vpn group radius localaaa accounting update periodic 30aaa accounting network vpn start-stop group radius!aaa session-id commonip subnet-zero!!ip ftp username nsiteip ftp password labno ip domain-lookup!ip vrf vpn1rd 100:1route-target export 100:1route-target import 100:1!ip vrf vpn2rd 101:1route-target export 101:1route-target import 101:1!mls ip multicast flow-stat-timer 9no mls flow ipno mls flow ipv6mls qosmls cef error action freezempls label protocol ldpmpls ldp router-id loopback0tag-switching ip default route!!crypto keyring vpn2pre-shared-key address 223.1.1.10 key vpn1123crypto keyring vpn2pre-shared-key address 223.1.1.20 key vpn2123!crypto isakmp policy 1encr 3desauthentication pre-sharegroup 2crypto isakmp keepalive 45 3crypto isakmp profile vpn1vrf vpn1keyring vpn1match identity group address 223.1.1.10 255.255.255.255crypto isakmp profile vpn1-ravrf vpn1match identity group vpn1groupclient authentication list vpnisakmp authorization list vpnaccounting vpncrypto isakmp profile vpn2vrf vpn2keyring vpn2match identity address 223.1.1.20 255.255.255.255!crypto ipsec security-association lifetime seconds 80000!crypto ipsec transform-set VPN esp-3des esp-sha-hmac!crypto dynamic-map vpn1 1set transform-set ipsecset isakmp-profile vpn1-ra!crypto map vpn1 local-address GigabitEthernet 4/1crypto map vpn1 10 ipsec-isakmpset peer 223.1.1.10set transform-set VPNset isakmp-profile vpn1match address ACLreverse-routecrypto map vpn 6000 ipsec-isakmp dynamic vpn1crypto map vpn2 local-address GigabitEthernet4/1crypto map vpn2 10 ipsec-isakmpset peer 223.1.1.20set transform-set VPNset isakmp-profile vpn2match address ACLreverse-route!crypto engine mode vrfspanning-tree mode pvstno spanning-tree optimize bpdu transmissiondiagnostic cns publish cisco.cns.device.diag_resultsdiagnostic cns subscribe cisco.cns.device.diag_commands!redundancymode ssomain-cpuauto-sync running-config!vlan internal allocation policy ascendingvlan access-log ratelimit 2000!!!interface Loopback1description id for ldpip address 101.1.1.1 255.255.255.252!interface FastEthernet3/1description MGMT-TFTP VLANno ip addressspeed 100duplex fullswitchportswitchport access vlan 700switchport mode access!........!interface GigabitEthernet4/1description Internet Linkip address 30.1.1.2 255.255.255.0load-interval 30speed nonegotiatecrypto engine slot 5!interface GigabitEthernet4/2no ip addressshutdown!interface GigabitEthernet4/3no ip addressshutdown!interface GigabitEthernet4/4description To 7200-PE-1 (g0/2)no ip addressload-interval 30speed nonegotiateswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 201,202switchport mode trunk!interface GigabitEthernet4/5no ip addressshutdown!interface GigabitEthernet4/6no ip addressshutdown!interface GigabitEthernet4/7no ip addressload-interval 30speed nonegotiateswitchportswitchport access vlan 701switchport mode access!!interface GigabitEthernet5/1description VPNSM I-VLAN'sno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,101-103,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet5/2description VPNSM P-VLANno ip addressflowcontrol receive onflowcontrolswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet6/1ip address 100.1.1.1 255.255.255.0mpls label protocol ldptag-switching ip!interface GigabitEthernet6/2no ip addressshutdown!!interface Vlan101description Interface-VLAN for VRF vpn1ip vrf forwarding vpn1ip address 10.1.1.1 255.255.255.0load-interval 30crypto map vpn1crypto engine slot 5!interface Vlan102description Interface-VLAN for VRF vpn2ip vrf forwarding vpn2ip address 10.1.1.1 255.255.255.0load-interval 30crypto map vpn2crypto engine slot 5!interface Vlan201description to FWSMip vrf forwarding vpn1ip address 11.1.1.1 255.255.255.0!interface Vlan202description TO FWSMip vrf forwarding vpn2ip address 11.1.1.1 255.255.255.0!interface Vlan700description TFTP-MGMT Interfaceip address 100.1.1.21 255.255.255.0!router ospf 1log-adjacency-changesnetwork 101.1.1.1 0.0.0.0 area 0network 100.1.1.0 0.0.0.255 area 0!router bgp 1001bgp log-neighbor-changesneighbor 151.1.1.1 remote-as 1001neighbor 151.1.1.1 update-source Loopback0neighbor 153.1.1.1 remote-as 1001neighbor 153.1.1.1 update-source Loopback0neighbor 171.1.1.1 remote-as 1001neighbor 171.1.1.1 update-source Loopback0!address-family ipv4redistribute connectedredistribute staticno neighbor 151.1.1.1 activateno neighbor 153.1.1.1 activateno neighbor 171.1.1.1 activateno auto-summaryno synchronizationexit-address-family!address-family vpnv4neighbor 151.1.1.1 activateneighbor 151.1.1.1 send-community extendedneighbor 153.1.1.1 activateneighbor 153.1.1.1 send-community bothneighbor 171.1.1.1 activateneighbor 171.1.1.1 send-community extendedexit-address-family!address-family ipv4 vrf vpn1redistribute connectedredistribute staticredistribute eigrp 1no auto-summaryno synchronizationexit-address-family!address-family ipv4 vrf vpn2redistribute connectedredistribute staticno auto-summaryno synchronizationexit-address-family!!ip local pool vpn1 20.1.0.0 20.1.5.254 group vpn1ip local pool vpn2 20.1.0.0 20.1.5.254 group vpn2ip classlessip route 0.0.0.0 0.0.0.0 GigabitEthernet4/1 30.1.1.10ip route vrf vpn1 0.0.0.0 0.0.0.0 11.1.1.2ip route vrf vpn2 0.0.0.0 0.0.0.0 11.1.1.2no ip http server!!ip access-list extended ACLpermit ip host 192.168.1.1 host 172.10.8.1ip radius source-interface Vlan700!logging 100.1.1.44access-list 10 permit any!snmp-server community public ROsnmp-server community nsite-ro ROsnmp-server community nsite-rw RWsnmp-server trap link ietfsnmp-server enable traps snmp authentication linkdown linkup coldstart warmstartsnmp-server enable traps chassissnmp-server enable traps modulesnmp-server enable traps ttysnmp-server enable traps casasnmp-server enable traps vtpsnmp-server enable traps vlancreatesnmp-server enable traps vlandeletesnmp-server enable traps bgpsnmp-server enable traps syslogsnmp-server enable traps rtrsnmp-server enable traps isakmp policy addsnmp-server enable traps isakmp policy deletesnmp-server enable traps isakmp tunnel startsnmp-server enable traps isakmp tunnel stopsnmp-server enable traps ipsec cryptomap addsnmp-server enable traps ipsec cryptomap deletesnmp-server enable traps ipsec cryptomap attachsnmp-server enable traps ipsec cryptomap detachsnmp-server enable traps ipsec tunnel startsnmp-server enable traps ipsec tunnel stopsnmp-server enable traps ipsec too-many-sassnmp-server enable traps srpsnmp-server enable traps sonetsnmp-server enable traps mpls traffic-engsnmp-server enable traps mpls ldpsnmp-server enable traps voice poor-qovsnmp-server enable traps mpls vpnsnmp-server host 100.1.1.1 version 2c publicsnmp-server host 100.1.1.44 publicsnmp-server host 100.1.1.44 version 2c trap!radius-server host 100.1.1.4 auth-port 1645 acct-port 1646radius-server source-ports 1645-1646radius-server key ciscoradius-server vsa send accounting!dial-peer cor custom!!!!line con 0exec-timeout 0 0line vty 0 4exec-timeout 0 0password labVPN Module PE and CE Configuration Examples
The VPN module PE configuration example follows:
Cat6509# sh runBuilding configuration...Current configuration : 9558 bytes!version 12.2service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionservice counters max age 10!hostname Cat6509!boot system flash sup-bootflash:s72033-jk9sv-mz.ROCKIES_SXD_THROTTLE_INTEG_040912logging snmp-authfailenable password cisco!no aaa new-modelclock timezone pst -7ip subnet-zero!!no ip domain-lookup!ip vrf bluerd 300:10route-target export 300:10route-target import 300:10!ip vrf redrd 100:10route-target export 200:10route-target import 200:10!ip multicast-routingip multicast-routing vrf redmpls label protocol ldpmls ip multicast flow-stat-timer 9no mls flow ipno mls flow ipv6mls cef error action freeze!!!!!!!!crypto keyring testpre-shared-key address 10.1.1.2 key cisco!crypto isakmp policy 10encr 3desauthentication pre-sharecrypto isakmp key cisco address 192.168.32.2crypto isakmp key cisco address 11.1.1.2crypto isakmp key cisco address 192.168.31.2crypto isakmp keepalive 10!!crypto ipsec transform-set test esp-3des esp-md5-hmaccrypto ipsec transform-set repro esp-3des esp-sha-hmac!crypto ipsec profile redset transform-set test!crypto ipsec profile testset transform-set test!!crypto map test 10 ipsec-isakmp! Incompleteset peer 10.1.1.2set transform-set testmatch address 101!crypto map repro 10 ipsec-isakmpset peer 192.168.32.2set transform-set repromatch address repro!crypto engine mode vrf!power redundancy-mode combinedspanning-tree mode pvstno spanning-tree optimize bpdu transmissiondiagnostic cns publish cisco.cns.device.diag_resultsdiagnostic cns subscribe cisco.cns.device.diag_commands!redundancymode ssomain-cpuauto-sync running-configauto-sync standard!vlan internal allocation policy ascendingvlan access-log ratelimit 2000!!interface Loopback0ip address 192.168.1.1 255.255.255.255!interface Tunnel0ip vrf forwarding redip address 10.2.1.1 255.255.255.0tunnel source 10.1.1.1tunnel destination 10.1.1.2tunnel protection ipsec profile testcrypto engine slot 4!interface Tunnel1ip vrf forwarding blueip address 11.2.1.1 255.255.255.0tunnel source 11.1.1.1tunnel destination 11.1.1.2tunnel protection ipsec profile testcrypto engine slot 4!interface Tunnel2no ip address!interface Tunnel31ip vrf forwarding redip address 31.1.1.1 255.255.255.0shutdowntunnel source 192.168.31.1tunnel destination 192.168.31.2tunnel protection ipsec profile testcrypto engine slot 4!interface Tunnel32ip vrf forwarding redip address 32.1.1.1 255.255.255.0tunnel source 192.168.32.1tunnel destination 192.168.32.2tunnel protection ipsec profile testcrypto engine slot 4!interface GigabitEthernet2/1ip address 192.168.31.1 255.255.255.0crypto engine slot 4!interface GigabitEthernet2/2no ip addressshutdown!...!interface GigabitEthernet2/16no ip addressshutdown!interface GigabitEthernet3/1no ip addressshutdown!interface GigabitEthernet3/2no ip addressshutdown!interface GigabitEthernet3/3no ip addressshutdown!interface GigabitEthernet3/4no ip addressshutdown!interface POS3/1ip address 192.168.32.1 255.255.255.0mls qos trust dscpclock source internalcrypto engine slot 4!interface POS3/2no ip addressshutdownmls qos trust dscp!interface POS3/3no ip addressshutdownmls qos trust dscp!interface POS3/4no ip addressshutdownmls qos trust dscp!interface GigabitEthernet4/1no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet4/2no ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet5/1no ip addressshutdown!interface GigabitEthernet5/2no ip addressshutdown!interface GigabitEthernet7/1ip address 17.8.15.1 255.255.0.0!interface GigabitEthernet7/2no ip addressshutdown!interface GigabitEthernet7/3no ip addressshutdown...!interface GigabitEthernet7/9no ip addressshutdown!interface GigabitEthernet7/10ip address 10.1.1.1 255.255.255.0crypto engine slot 4!interface GigabitEthernet7/11ip address 11.1.1.1 255.255.255.0crypto engine slot 4!interface GigabitEthernet7/12no ip addressshutdown...!interface GigabitEthernet7/19no ip addressshutdown!interface GigabitEthernet7/20ip address 192.168.30.1 255.255.255.0mpls label protocol ldptag-switching ip!interface GigabitEthernet7/21no ip addressshutdown...!interface GigabitEthernet7/41ip vrf forwarding redip address 192.168.41.1 255.255.255.0ip pim sparse-dense-mode!interface GigabitEthernet7/42no ip address...!interface GigabitEthernet7/48no ip addressshutdown!interface Vlan1no ip addressshutdown!interface Vlan32no ip addressno mop enabledcrypto map repro!interface Vlan100no ip addressno mop enabled!interface Vlan110no ip addressno mop enabled!router ospf 1log-adjacency-changespassive-interface GigabitEthernet7/10network 10.0.0.0 0.255.255.255 area 0network 192.168.1.0 0.0.0.255 area 0network 192.168.30.0 0.0.0.255 area 0!router ospf 10 vrf redlog-adjacency-changesredistribute bgp 1 subnetsredistribute rip subnetsnetwork 10.2.1.0 0.0.0.255 area 0!router ripversion 2!address-family ipv4 vrf redredistribute ospf 10 metric 10redistribute bgp 1 metric 10network 31.0.0.0network 32.0.0.0network 192.168.41.0no auto-summaryexit-address-family!router bgp 1no synchronizationbgp log-neighbor-changesneighbor 192.168.3.1 remote-as 1neighbor 192.168.3.1 update-source Loopback0no auto-summary!address-family vpnv4neighbor 192.168.3.1 activateneighbor 192.168.3.1 send-community extendedexit-address-family!address-family ipv4 vrf redredistribute ospf 10redistribute ripno auto-summaryno synchronizationexit-address-family!address-family ipv4 vrf blueneighbor 11.2.1.2 remote-as 65001neighbor 11.2.1.2 activateno auto-summaryno synchronizationnetwork 11.2.1.0 mask 255.255.255.0exit-address-family!ip classlessip route 0.0.0.0 0.0.0.0 17.8.0.1ip route 192.168.9.0 255.255.255.0 Tunnel32ip route 192.168.43.0 255.255.255.0 Tunnel32no ip http server!!!ip access-list extended repropermit gre host 192.168.32.1 host 192.168.32.2ip access-list extended to2651ip access-list extended to3745ip access-list extended to7609!access-list 199 permit ip host 10.1.1.2 host 192.168.6.1!!!control-plane!!!dial-peer cor custom!!!!line con 0exec-timeout 0 0line vty 0 4login!!endThe VPN module CE configuration example follows:
Cat7609# sh runBuilding configuration...Current configuration : 7309 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice counters max age 10!hostname 7609!boot system flash disk0:c6k222-jk9o3sv-mz.ROCKIES_SXD_THROTTLE_INTEG_040912boot bootldr bootflash:c6msfc2-boot-mz.121-19.E1.binenable password cisco!no aaa new-modelclock timezone pst -7ip subnet-zero!!!ip multicast-routing!!!crypto isakmp policy 10encr 3desauthentication pre-sharecrypto isakmp key cisco address 192.168.32.1crypto isakmp key cisco address 192.168.31.1!!crypto ipsec transform-set repro esp-3des esp-md5-hmaccrypto ipsec transform-set test esp-3des esp-md5-hmac!crypto ipsec profile testset transform-set test!!crypto map repro 10 ipsec-isakmpset peer 192.168.32.1set transform-set repromatch address repro!crypto map test 10 ipsec-isakmpset peer 192.168.31.1set transform-set testmatch address tope!spanning-tree mode pvstspanning-tree extend system-iddiagnostic cns publish cisco.cns.device.diag_resultsdiagnostic cns subscribe cisco.cns.device.diag_commands!redundancymode ssomain-cpuauto-sync running-config!vlan internal allocation policy ascending!!interface Loopback0ip address 192.168.9.1 255.255.255.0!interface Tunnel31ip address 31.1.1.2 255.255.255.0shutdowntunnel source Vlan31tunnel destination 192.168.31.1crypto engine slot 4!interface Tunnel32ip address 32.1.1.2 255.255.255.0tunnel source Vlan32tunnel destination 192.168.32.1crypto engine slot 4!
Guest
