- Index
- Preface
- Using Cisco IOS Software
- SIP, SSC, and SPA Product Overview
- Overview of the IPsec VPN SPA
- Configuring VPNs in Crypto-Connect Mode
- Configuring VPNs in VRF Mode
- Configuring IPsec VPN Fragmentation and MTU
- Configuring IKE Features Using the IPsec VPN SPA
- Configuring Enhanced IPsec Features Using the IPsec VPN SPA
- Configuring PKI Using the IPsec VPN SPA
- Configuring Advanced VPNs Using the IPsec VPN SPA
- Configuring Duplicate Hardware and IPsec Failover Using the IPsec VPN SPA
- Configuring Monitoring and Accounting for the IPsec VPN SPA
- Troubleshooting the IPsec VPN SPA
- Glossary
Preface
This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface contains the following sections:
•Objectives
•Audience
•Document Revision History
•Organization
•Document Conventions
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Objectives
This document describes the configuration and troubleshooting of shared port adapters (SPAs) and SPA interface processors (SIPs) that are supported on a Catalyst 6500 Series switch.
Audience
This publication is for experienced network administrators who configure and maintain VPN systems and the Catalyst 6500 Series switch.
Document Revision History
The following table records technical changes to this document. The table shows the Cisco IOS software release number and document revision number for the change, the date of the change, and a brief summary of the change.

| Release | Document Revision | Date | Change Summary |
|---|---|---|---|
| 12.2(33)SXI2 | OL-8655-05 | July 9, 2009 | •Support was added for the following SPA on the Cisco 7600 SIP-400: –1-Port 10 Gigabit Ethernet SPA, Version 2 (SPA-1X10GE-L-V2) |
| 12.2(33)SXI | OL-8655-04 | October 31, 2008 | The following modifications were made: •Support was restored for the Cisco 7600 SIP-600. •Support was restored for the ATM SPAs. •Support was introduced for the following feature on the Cisco 7600 SIP-200: –Asymmetric Carrier Delay •Support was added for the following SPAs on the Cisco 7600 SIP-400: –2-Port and 4-Port Clear Channel T3/E3 SPA –2-Port and 4-Port Channelized T3 SPA –8-Port Channelized T1/E1 SPA –5-Port Gigabit Ethernet SPA (V2) •Support was introduced for the following features on the Cisco 7600 SIP-400: –Asymmetric Carrier Delay –Any Transport over MPLS over GRE (AToMoGRE) •Support was added for the following SPA on the Cisco 7600 SIP-600: –2-Port OC-48c/STM-16 POS SPA •New features were introduced for the IPsec VPN SPA. |
| 12.2(33)SXH | OL-8655-03 | August 20, 2007 | The following modifications were made: •Support was removed for the Cisco 7600 SIP-600. •Support was removed for the ATM SPAs. •Support was added for the following SPAs on the Cisco 7600 SIP-200: –1-Port Channelized OC-3/STM-1 SPA –4-Port and 8-Port Fast Ethernet SPA •Support for the following features was introduced on the Cisco 7600 SIP-200: –BCP over dMLPPP (Trunk Mode)—Channelized SPAs –MPLS over RBE—ATM SPAs –Multi-VC to VLAN scalability –QoS Support on Bridging Features •Support was added for the following SPA on the Cisco 7600 SIP-400: –2-Port Channelized T3 SPA •Support for the following features was introduced on the Cisco 7600 SIP-400: –Ethernet over MPLS (EoMPLS) VC Scaling—Increase from 4K to 10K VCs –Ingress/Egress COS Classification with Ingress Policing per VLAN or EoMPLS VC –Hierarchical VPLS (H-VPLS) with MPLS Edge –VPLS Multiple VCs per Spoke –Hierarchical QoS Support for EoMPLS VCs –QoS Support on Bridging Features –Lawful Intercept •The following features were introduced for the IPsec VPN SPA: –IPsec Anti-replay Window Size –IPsec Preferred Peer –Persistent Self-signed Certificates –Easy VPN Remote RSA Signature Storage •The following feature was removed for the IPsec VPN SPA: –IPsec stateful failover using HSRP and SSP •The single configuration chapter for the IPsec VPN SPA has been restructured into several smaller chapters. |
| 12.2(18)SXF10 | OL-5070-05, OL-8655-02 | July 13, 2007 | Support was introduced for the 1-Port OC-48c/STM-16 POS SPA on the Cisco 7600 SIP-400. |
| 12.2(18)SXF2 | OL-5070-04, OL-8655-01 | April 25, 2006 | Modified references to cRTP to include support for the 2-Port and 4-Port Clear Channel T3/E3 SPA. |
| 12.2(18)SXF2 | OL-5070-04, OL-8655-01 | February 28, 2006 | The following updates were made to the documentation: •Removed the restriction "Mapping DSCP values to MPLS EXP bits is not supported" from the Cisco 7600 SIP-600 list of restrictions. •Added the following VPLS scalability support information for the Cisco 7600 SIP-600: –Up to 4000 VPLS domains –Up to 60 VPLS peers per domain –Up to 30,000 pseudowires, used in any combination of domains and peers up to the 4000-domain or 60-peer maximums (for example, up to 4000 domains with 7 peers each, or up to 60 peers in 500 domains). •Added H-VPLS with QinQ edge feature support on the Cisco 7600 SIP-600; requires a Cisco 7600 SIP-600 on the uplink, and any LAN port or Cisco 7600 SIP-600 on the downlink. •Removed VPLS pseudowire redundancy feature support for the Cisco 7600 SIP-600. •Removed the "Cisco 7600 SIP-600 MPLS Marking" section and bullet. •Modified the encapsulations supported in the ATM chapters to "aal5snap" only. •Corrected the note in the "Configuring Compressed Real-Time Protocol" section of Chapter 4, "Configuring the SIPs and SSC," to state: "cRTP is supported only on the Cisco 7600 SIP-200 with the 8-Port Channelized T1/E1 SPA and 2-Port and 4-Port Channelized T3 SPA." |
| 12.2(18)SXF2 | OL-5070-04, OL-8655-01 | January 27, 2006 | The following update to the hardware-based MLPPP LFI guidelines was made in Chapter 15, "Configuring the 8-Port Channelized T1/E1 SPA," and Chapter 17, "Configuring the 2-Port and 4-Port Channelized T3 SPAs": •When hardware-based LFI is enabled, fragmentation counters are not displayed. |
| 12.2(18)SXF2 | OL-5070-04, OL-8655-01 | January 20, 2006 | Fourth release. The following modifications were made: •The 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA was introduced on the Cisco 7600 SIP-600. •Support was introduced for the configuration of IP multicast over a GRE tunnel on the IPsec VPN SPA. •Support for the "Enhancements to RFC 1483 Spanning Tree Interoperability" feature was added for ATM SPAs on the Cisco 7600 SIP-200. •Documentation of a workaround for ATM SPA configuration on the Cisco 7600 SIP-200 was added in Chapter 7, "Configuring the ATM SPAs," to address a Routed Bridge Encapsulation (RBE) limitation where only one remote MAC address is supported. |
| 12.2(18)SXF | OL-5070-03 | January 12, 2006 | The following modifications were made: •Adjusted the ATM SPA PVC restriction (correctly noted elsewhere in the documentation) from "A maximum number of 400 PVCs or SVCs. . ." to "A maximum number of 1000 PVCs or 400 SVCs configured with MQC policy maps." •Added cross-references throughout the "Overview of the SIPs and SSC" chapter to the Cisco IOS Release SX Supervisor Engine release notes. •Updated the Cisco 7600 SIP-400 restrictions to clarify that the SIP does not work with the Supervisor Engine PFC3A or in PFC3A mode. •Updated the Cisco 7600 SIP-600 restrictions to clarify the lack of support for the Supervisor Engine 720 PFC3A or PFC3A mode: "The Cisco 7600 SIP-600 is not supported by the Supervisor Engine 32. The Cisco 7600 SIP-600 is supported by the Supervisor Engine 720 PFC3B and Supervisor Engine 720 PFC3BXL. It is not supported with a Supervisor Engine 720 PFC3A or in PFC3A mode." •Added a cross-reference to the "Overview of the SIPs and SSC" chapter in each of the SPA overview chapters to ease location of additional features and restrictions that are SIP- or SSC-specific. •Removed the list of supported modules from the "Overview of the IPsec VPN SPA" chapter. Any unsupported modules will be documented in the restrictions section. •Further qualified Cisco 7600 SIP-200 Any Transport over MPLS (AToM) support for ATM in the "Overview of the SIPs and SSC" chapter to state: "Any Transport over MPLS (AToM) support, including: –ATM over MPLS (ATMoMPLS)—AAL5 VC mode –Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode" •Removed references to "1-Port 10-Gigabit Ethernet SPA and 10-Port Gigabit Ethernet SPA on a SIP-400" in the "Enabling Autonegotiation" and "Disabling Autonegotiation" sections of the "Configuring Gigabit Ethernet SPAs" chapter. •Qualified the AToM core-facing restriction for the Cisco 7600 SIP-200 as follows: –AToM (ATMoMPLS, FRoMPLS, HDLCoMPLS, and PPPoMPLS) on a SPA requires a Cisco 7600 SIP-200, FlexWAN, Enhanced FlexWAN, or OSM PXF interface as the core-facing interface. –AToM (ATMoMPLS, FRoMPLS) on the SIP-200 is also supported with a Cisco 7600 SIP-400 as the core-facing interface. •Documentation of the Fast Software Upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) for supervisor engines was added to Chapter 31, "Upgrading Field-Programmable Devices." |
| 12.2(18)SXF | OL-5070-03 | September 19, 2005 | Third release. The following hardware was introduced: •1-Port OC-48c/STM-16 ATM SPA •2-Port Gigabit Ethernet SPA •5-Port Gigabit Ethernet SPA •10-Port Gigabit Ethernet SPA •1-Port 10-Gigabit Ethernet SPA •1-Port OC-192c/STM-64 POS/RPR SPA •1-Port OC-192c/STM-64 POS/RPR XFP SPA. For specific feature changes, see the Feature History tables in the "Overview" chapters of this book. |
| 12.2(18)SXE2 | OL-5070-02 | August 17, 2005 | •The "Configuring the 8-Port Channelized T1/E1 SPA" and "Configuring the 2-Port and 4-Port Channelized T3 SPAs" chapters were modified to clarify support of MLPPP and MLFR for both E1 and T1 links. •Added cRTP to the supported features list for the serial SPAs in the "Overview of the Serial SPAs" chapter. •The document was modified with the following updates in the "Configuring the SIPs and SSC" chapter: –Removed references to support of software-based MLFR. –In "Assigning an Interface to an MLPPP Bundle," moved the step order of the ppp multilink command and qualified it as optional. –Under "MLPPP Configuration Guidelines," added guidelines for distributed links on the Cisco 7600 SIP-200 and restrictions. –Under "MLPPP Configuration Tasks" and "MLFR Configuration Tasks," added a task to emphasize that distributed CEF is required for these features; however, dCEF is automatically enabled on the Catalyst 6500 Series switch. |
| 12.2(18)SXE2 | OL-5070-02 | July 25, 2005 | Second release. The Cisco 7600 SSC-400 and IPsec VPN SPA are introduced. |
| 12.2(18)SXE | OL-5070-01 | March 28, 2005 | First release. |
Organization
This document contains the following chapters:
| Chapter | Title | Description |
|---|---|---|
| Chapter 1 | Using Cisco IOS Software | Provides an introduction to accessing the command-line interface (CLI) and using the Cisco IOS software and related tools. |
| Chapter 2 | SIP, SSC, and SPA Product Overview | Provides a brief introduction to the SIP and SPA products on the Catalyst 6500 Series switch, and information about SIP, SSC, SPA, and optics compatibility. |
| Chapter 3 | Overview of the SIPs and SSC | Describes release history, and feature and Management Information Base (MIB) support for the SIPs and SSCs on the Catalyst 6500 Series switch. |
| Chapter 4 | Configuring the SIPs and SSC | Describes related configuration and verification information for the SIPs and SSCs on the Catalyst 6500 Series switch. |
| Chapter 5 | | Describes techniques that you can use to troubleshoot the operation of the SIPs and SSCs on the Catalyst 6500 Series switch. |
| Chapter 6 | | Describes release history, feature and Management Information Base (MIB) support, and an introduction to the ATM SPA architecture on the Catalyst 6500 Series switch. |
| Chapter 7 | Configuring the ATM SPAs | Describes the configuration and verification information for the ATM SPAs on the Catalyst 6500 Series switch. |
| Chapter 8 | | Describes techniques that you can use to troubleshoot the operation of the ATM SPAs on the Catalyst 6500 Series switch. |
| Chapter 9 | | Describes release history, feature and Management Information Base (MIB) support, and an introduction to the Gigabit Ethernet SPA architecture on the Catalyst 6500 Series switch. |
| Chapter 10 | Configuring Gigabit Ethernet SPAs | Describes the configuration and verification information for the Gigabit Ethernet SPAs on the Catalyst 6500 Series switch. |
| Chapter 11 | | Describes techniques that you can use to troubleshoot the operation of the Gigabit Ethernet SPAs on the Catalyst 6500 Series switch. |
| Chapter 12 | | Describes release history, feature and Management Information Base (MIB) support, and an introduction to the POS SPA architecture on the Catalyst 6500 Series switch. |
| Chapter 13 | | Describes the configuration and verification information for the POS SPAs on the Catalyst 6500 Series switch. |
| Chapter 14 | Overview of the Serial SPAs | Describes release history, feature and Management Information Base (MIB) support, and an introduction to the serial SPA architecture on the Catalyst 6500 Series switch. |
| Chapter 15 | Configuring the 8-Port Channelized T1/E1 SPA | Describes the configuration and verification information for the 8-Port Channelized T1/E1 SPAs on the Catalyst 6500 Series switch. |
| Chapter 16 | | Describes the configuration and verification information for the 2-Port and 4-Port Clear Channel T3/E3 SPAs on the Catalyst 6500 Series switch. |
| Chapter 17 | Configuring the 2-Port and 4-Port Channelized T3 SPAs | Describes the configuration and verification information for the 2-Port and 4-Port Channelized T3 SPAs on the Catalyst 6500 Series switch. |
| Chapter 18 | | Describes the configuration and verification information for the 1-Port Channelized OC-3/STM-1 SPA on the Catalyst 6500 Series switch. |
| Chapter 19 | | Describes techniques that you can use to troubleshoot the operation of the serial SPAs on the Catalyst 6500 Series switch. |
| Chapter 20 | Overview of the IPsec VPN SPA | Describes release history, feature and Management Information Base (MIB) support, and an introduction to the IPsec VPN SPA architecture on the Catalyst 6500 Series switch. |
| Chapter 21 | Configuring VPNs in Crypto-Connect Mode | Describes the configuration and verification information for IPsec VPNs using Crypto-Connect Mode on the Catalyst 6500 Series switch. |
| Chapter 22 | Configuring VPNs in VRF Mode | Describes the configuration and verification information for IPsec VPNs using VRF Mode on the Catalyst 6500 Series switch. |
| Chapter 23 | Configuring IPsec VPN Fragmentation and MTU | Describes the configuration and verification information for IPsec Fragmentation and MTU on the Catalyst 6500 Series switch. |
| Chapter 24 | Configuring IKE Features Using the IPsec VPN SPA | Describes the configuration and verification information for Internet Key Exchange (IKE) features using the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 25 | Configuring Enhanced IPsec Features Using the IPsec VPN SPA | Describes the configuration and verification information for enhanced IPsec features using the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 26 | Configuring PKI Using the IPsec VPN SPA | Describes the configuration and verification information for Public Key Infrastructure (PKI) features using the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 27 | Configuring Advanced VPNs Using the IPsec VPN SPA | Describes the configuration and verification information for advanced IPsec VPNs using the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 28 | Configuring Duplicate Hardware and IPsec Failover Using the IPsec VPN SPA | Describes the configuration and verification information for duplicate hardware configurations and IPsec failover using the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 29 | Configuring Monitoring and Accounting for the IPsec VPN SPA | Describes the configuration and verification information for monitoring and accounting for the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 30 | Troubleshooting the IPsec VPN SPA | Describes techniques that you can use to troubleshoot the operation of the IPsec VPN SPA on the Catalyst 6500 Series switch. |
| Chapter 31 | Upgrading Field-Programmable Devices | Provides information about upgrading the field-programmable devices on the Catalyst 6500 Series switch. |
Document Conventions
This document uses the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip: Means the following information will help you solve a problem.
Command descriptions use these conventions:
Screen examples use these conventions:
Related Documentation
This section refers you to other documentation that might also be useful as you configure your Catalyst 6500 Series switch. The documentation listed in this section is available online.
Catalyst 6500 Series Switch Documentation
As you configure SIPs and SPAs on your Catalyst 6500 Series switch, you should also refer to the following companion publication for important hardware installation information:
•Catalyst 6500 Series Switch SIP and SPA Hardware Installation Guide
The following other Catalyst 6500 Series switch publications might also be useful to you as you configure your Catalyst 6500 Series switch:
•Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/book.html
•Cisco IOS Master Command List, Release 12.2SX
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
•Cisco IOS Release 12.2SX System Message Guide
http://www.cisco.com/en/US/docs/ios/12_2sx/system/messages/122sxsms.html
•Cisco 7600 Series Internet Router MIB Specifications Guide
Several other publications are also related to the Catalyst 6500 Series switch. For a complete reference of related documentation, refer to the Cisco Catalyst 6500 Series Switch Support Documentation located at the following URL:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Cisco IOS Release 12.2SX Software Publications
Documentation for Cisco IOS Release 12.2SX, including command reference and system error messages, can be found at the following URL:
http://www.cisco.com/en/US/products/ps6017/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set the content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service, and Cisco currently supports RSS Version 2.0.