[c-nsp] IPSec SPA trunk ports and allowed VLANs

Justin Shore justin at justinshore.com
Wed Aug 22 14:26:35 EDT 2007


Can anyone with an IPSec SPA (SSC-400 plus 2G IPSec SPA) tell me when I 
should allow a VLAN onto the SPA trunk ports?  For example, should a 
VLAN be allowed onto the trunk if it has an SVI with a crypto map?  What 
about other VLANs in the same VRF?  On both SPA interfaces or just one?

Here's an example of the interface config:

#sh run int gi11/0/1
Building configuration...
Current configuration : 321 bytes
!
interface GigabitEthernet11/0/1
  description VPNSM I-VLAN's
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,102-105,108,109,111-191,193-198,1002-1005,2201
  switchport mode trunk
  mtu 9216
  flowcontrol receive on
  flowcontrol send off
  no cdp enable
  spanning-tree portfast trunk
end

#sh run int gi11/0/2
Building configuration...
Current configuration : 283 bytes
!
interface GigabitEthernet11/0/2
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 103-105,111-191,193-198,1002-1005,2201
  switchport mode trunk
  mtu 9216
  flowcontrol receive on
  flowcontrol send off
  no cdp enable
  spanning-tree portfast trunk
end


I'm reading through the "7600 Series Router SIP, SSC, and SPA Software 
Configuration Guide" right now (page 668) but I'm not quite sure I'm 
understanding it correctly.  The doc is helpful but it doesn't do a good 
job of explaining the configuration of the SPA ports.  For the record we 
are operating in VRF Mode on Sub720-3BXLs running SRB1.

The way I see it I allow the VLANs that have crypto maps assigned to 
them (with the 'crypto engine slot inside' command) to Gi11/0/1.  Then 
the 'crypto engine slot outside' statement will force incoming IPSec 
packets to be directed to the SPA so that the vrf statement in the 
ISAKMP profile will be able to match traffic to individual VRFs.  So I 
think I may have a grasp of what needs to be permitted on Gi11/0/1 but I 
don't know what's needed on Gi11/0/2.  What exactly does the second 
interface do?  Is there a better way to look at this?

Thanks
  Justin
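An added example, not part of the post or any Cisco tooling: a small Python audit that expands the IOS VLAN range syntax from the two interface configs quoted above and reports which VLANs one SPA trunk port carries but the other does not, so the trunk allow-lists can be kept to the minimum set that actually needs the crypto engine. The interface text is copied from the post (wrapped VLAN list rejoined); the function names are my own.

```python
import re

# Interface configs as quoted in the post (line-wrapped VLAN list rejoined).
GI11_0_1 = """interface GigabitEthernet11/0/1
  switchport trunk allowed vlan 1,102-105,108,109,111-191,193-198,1002-1005,2201
  switchport mode trunk
end"""
GI11_0_2 = """interface GigabitEthernet11/0/2
  switchport trunk allowed vlan 103-105,111-191,193-198,1002-1005,2201
  switchport mode trunk
end"""

ALL_VLANS = set(range(1, 4095))  # IOS default when no 'allowed vlan' line is present


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,102-105,2201' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def allowed_vlans(config):
    """VLAN set a trunk permits, read from its 'show run interface' text."""
    m = re.search(r"switchport trunk allowed vlan\s+(\S+)", config)
    return expand_vlan_list(m.group(1)) if m else set(ALL_VLANS)


def compact(vlans):
    """Render a set of VLAN ids back into IOS range syntax, e.g. '1,102-105'."""
    out, ids = [], sorted(vlans)
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def trunk_diff(cfg_a, cfg_b):
    """VLANs carried on only one of the two SPA trunk ports: (a-only, b-only)."""
    a, b = allowed_vlans(cfg_a), allowed_vlans(cfg_b)
    return compact(a - b), compact(b - a)
```

For the two configs above, `trunk_diff(GI11_0_1, GI11_0_2)` returns `('1,102,108-109', '')`, i.e. VLANs 1, 102, 108 and 109 are only on Gi11/0/1; a trunk with no `allowed vlan` line is treated as carrying all 4094 VLANs so it shows up as the widest diff.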
