[c-nsp] Can you apply crypto map to SVI

Andy Saykao andy.saykao at staff.netspace.net.au
Wed Jun 17 00:17:45 EDT 2009


Hi Ge,

This is being implemented on a Cisco 7606 (SUP720) running
12.2(18)SXF16.

Thanks.

Andy 

-----Original Message-----
From: Ge Moua [mailto:moua0100 at umn.edu] 
Sent: Wednesday, 17 June 2009 2:15 PM
To: Andy Saykao
Cc: cisco-nsp at puck.nether.net
Subject: Re: Can you apply crypto map to SVI

Maybe; I've seen a situation with the me-6524 with the crypto commands
available but functionality disabled.  What hardware platform are you
running?

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:
> Hi Ge,
>
> Yes I see an active crypto engine in "software". 
>
> core1#sh cry engine configuration
>
>         crypto engine name:  unknown
>         crypto engine type:  software
>              serial number:  00016956
>        crypto engine state:  installed
>      crypto engine in slot:  N/A
>                   platform:  Cisco Software Crypto Engine
>
>    Encryption Process Info:
>           input queue size:  500
>            input queue top:  0
>            input queue bot:  0
>          input queue count:  0
>
>    Crypto Adjacency Counts:
>                 Lock Count:  0
>               Unlock Count:  0
>         crypto lib version:  17.0.0
>          ipsec lib version:  2.0.0
>
> Does this mean that if the crypto map is applied to the SVI that the 
> IPSEC tunnel should be working (considering my IPSEC config is all 
> good)?
>
> Thanks.
>
> Andy
>
> -----Original Message-----
> From: Ge Moua [mailto:moua0100 at umn.edu]
> Sent: Tuesday, 16 June 2009 7:03 PM
> To: Andy Saykao
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Can you apply crypto map to SVI
>
> Yes, this should work contingent on hw platform.  If you do a "sh cry 
> engine" do you see an active crypto engine in sw or hw?  If not then 
> the crypto commands will never be invoked even though legal.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
>
>
> Andy Saykao wrote:
>   
>> Hi All,
>>  
>> Got a problem with a site-to-site IPSEC vpn implementation where one 
>> end is using SVI.
>>  
>> Does anybody know if a crypto map can be applied to a SVI to bring up
>> the IPSEC tunnel? It accepts the command but I can't pass any traffic
>> to/from it.
>>  
>> interface vlan 10
>>  crypto map MY-MAP
>>  
>> Or do you need to apply the crypto map to a physical interface? 
>>  
>> I've gotten it working on a sub-interface (eg: interface
>> GigabitEthernet0/0.11) but can't find any documentation that talks 
>> about applying it to a SVI and whether this will work.
>>  
>> Thanks.
>>  
>> Andy
