FeedbackTable Of Contents
Supported Standards, MIBs, and RFCs
Monitoring and Maintaining Multi-ISA
Load-Balancing with Multi-ISA Example
Multi-ISA
This feature module describes the Multi-ISA feature and includes the following sections:
•
Supported Standards, MIBs, and RFCs
•
Feature Overview
The Multi-ISA feature allows a Cisco IOS router to accommodate more than one hardware crypto engine at a time. This feature allows users to increase the capacity of their routers with multiple Integrated Services Adapters (ISAs) and Integrated Services Module (ISMs).
Note
The multi-ISA layer provides a single interface, which Cisco IOS software can use to send commands to different hardware crypto engines. The multi-ISA layer accepts all commands and packets on behalf of all underlying hardware crypto engines; it distributes all commands and packets in a predefined manner. That is, when you request an Internet Key Exchange-security association (IKE-SA) session, the multi-ISA layer determines which of the two hardware crypto engine contains fewer IKE-SAs, and it assigns the next session to the hardware crypto engine that has fewer IKE-SAs.
How Multi-ISA Works
When your router has only one ISA in an active state, all IKE and IP Security-SA sessions go to this one ISA. Once you have inserted the second ISA into your router and it becomes active, subsequent IKE-SAs will flow to the second ISA until the first and second ISAs have an equal number of IKE-SA sessions. For example, if ISA-1 has 10 IKE sessions, and then ISA-2 becomes active, the router will send the following 11 through 20 IKE sessions to ISA-2. Thereafter, the multi-ISA layer will maintain a balance of IKE-SA sessions on both ISAs.
Note
Benefits
The Multi-ISA feature provides the following benefits:
•
•
•
Restrictions
System Requirements
Your system should contain at least 128 megabytes of memory to run a single ISA and 256 megabytes of memory to run two ISAs. You need more than 128 megabytes of memory to cross 2,000 bidirectional IPSec tunnels.
Note
Crypto Capabilities
All ISAs supported by the multi-ISA layer must have the same crypto capabilities. For example, if one ISA supports 3DES, another ISA that does not support 3DES cannot be in the same router under the multi-ISA layer.
Failover Limitations
Keepalives are needed to achieve failover in your router. If you turn on keepalives, you cannot exceed 500 tunnels because of current IKE keepalive limitations in the Cisco IOS software.
Note
MPPE
Multiple Microsoft Point-to-Point Encryption (MPPE) ISA support is not available.
Related Documents
The following documents provide information related to the Multi-ISA feature:
•
•
•
•
•
Supported Platforms
The following platforms support the Multi-ISA feature:
•
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
IPSec Encryption
To use the Multi-ISA feature, you must configure your ISAs to provide IPSec encryption services by performing the following tasks:
•
•
•
•
For information on completing these tasks, refer to ISA and ISM Installation and Configuration.
Manual Buffer Tunning
In the 7200 platform, it is recommended that you manually finetune packet buffers to establish more IKE-SA or IPSec tunnels.
To manually configure buffer tuning, enter the following global configuration command:
For buffer tuning examples, see the "Configuration Examples" section later in this document.
Configuration Tasks
None
Verifying Multi-ISA
To verify how many active IKE and IPSec sessions are on each hardware crypto engine, how many Diffie-Hellman (DH) keys are in use, and how far your ISA is from reaching its maximum limit, use the show crypto eli command in EXEC mode.
Monitoring and Maintaining Multi-ISA
To obtain a snapshot of how many IKE-SAs and IPSec sessions are active and how many DH keys are in use, use the following command in EXEC mode:
Router# show crypto eli
Displays a snapshot of how many IKE-SAs and IPSec sessions are active and how many DH keys are in use for each hardware crypto engine.
Configuration Examples
This section provides the following configuration examples:
•
•
Single ISA Scenario Example
The following example is sample output from the show crypto eli command. In this example, a router has established 1246 IKE sessions; however, all IKE sessions flow to a single ISA because only one ISA is in an active state.
P0# show crypto eliEncryption Layer : ACTIVENumber of crypto engines = 1 .Slot-3 crypto engine details.Capability-IPSec :No-IPPCP, 3DES, NoRSAIKE-Session : 1246 active, 2029 max, 0 failedDH-Key : 0 active, 1014 max, 0 failedIPSec-Session : 2712 active, 4059 max, 0 failedLoad-Balancing with Multi-ISA Example
The following example is sample output from the show crypto eli command. In this example, a router has established 2492 IKE sessions; the IKE sessions are equally distributed between two ISAs (each ISA contains 1246 IKE sessions), allowing you to increase the capacity of your router.
P0# show crypto eliEncryption Layer : ACTIVENumber of crypto engines = 2 .Slot-3 crypto engine details.Capability-IPSec :No-IPPCP, 3DES, NoRSAIKE-Session : 1246 active, 2029 max, 0 failedDH-Key : 0 active, 1014 max, 0 failedIPSec-Session : 2676 active, 4059 max, 0 failedSlot-5 crypto engine details.Capability-IPSec :No-IPPCP, 3DES, NoRSAIKE-Session : 1246 active, 2029 max, 0 failedDH-Key : 0 active, 1014 max, 0 failedIPSec-Session : 2678 active, 4059 max, 0 failedTable 1 describes significant fields shown in the display.
Manual Buffer Tuning Examples
The following example shows recommended numbers to use, based on available memory, when manually configuring packet buffers on the 7200 platform using the buffers command:
Memory (MB) Non-HUGE BuffersMin-free Permanent Max-free----------- ------- -------- --------32 64 256 128064 128 512 256096 192 768 3840128 256 1024 5120160 320 1280 6400192 384 1536 7680224 448 1792 8960256 512 2048 10240Memory (MB) HUGE BuffersMin-free Permanent Max-free----------- ------- -------- --------32 4 16 6464 8 32 12896 12 48 192128 16 64 256160 20 80 320192 24 96 384224 28 112 448256 32 128 512Table 2 decribes significant fields shown in the display.
The following example shows sample output from the show buffers command:
P0# show buffersBuffer elements:500 in free list (500 max allowed)12666974 hits, 0 misses, 0 createdPublic buffer pools:Small buffers, 104 bytes (total 2048, permanent 2048):2039 in free list (512 min, 10240 max allowed)293 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)Middle buffers, 600 bytes (total 2048, permanent 2048, peak 5000 @ 16:34:14):2048 in free list (512 min, 10240 max allowed)849 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)Big buffers, 1524 bytes (total 2048, permanent 2048):2048 in free list (512 min, 10240 max allowed)84 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)VeryBig buffers, 4520 bytes (total 2048, permanent 2048):2048 in free list (512 min, 10240 max allowed)0 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)Large buffers, 5024 bytes (total 2048, permanent 2048, peak 5000 @ 16:34:25):2047 in free list (512 min, 10240 max allowed)18 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)Huge buffers, 18024 bytes (total 128, permanent 128):128 in free list (32 min, 512 max allowed)0 hits, 0 misses, 0 trims, 0 created0 failures (0 no memory)Command Reference
The following commands are introduced or modified in the feature or features
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Glossary
crypto map—A Cisco IOS software configuration entity that performs two primary functions: (1) selecting data flows that need security processing and (2) defining the policy for these flows and the crypto peer to which traffic needs to go. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPSec.
DH—See Diffie-Hellman.
Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
IKE—Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol framework. IKE can be used with other protocols, but its initial implementation is with IPSec. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router, firewall, or host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a certification authority (CA) service.
Integrated Services Adapter—See ISA.
Internet Key Exchange—See IKE.
IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IP Security—See IPSec.
ISA—Integrated Services Adapter. Provides high-performance, hardware-assisted tunneling and encryption services suitable for private WAN and virtual private network (VPN) applications. Within this feature module, ISA inlcudes ISM.
ISM—Integrated Services Module.
OIR—online insertion and removal. A feature that allows you to add, replace, or remove a card from your router without interrupting the system power, entering console commands, or causing other software or interfaces to shut down. This feature is sometimes referred to as "hot swapping" or "power-on servicing."
online insertion and removal—See OIR.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
