[c-nsp] Can you apply crypto map to SVI

Ge Moua moua0100 at umn.edu
Wed Jun 17 00:43:45 EDT 2009


I think on the 6500 with Sup720 you may need an IPSec VAM or SPA card for 
IPSec functionality to be active; I wonder if this is the same on the 
7606; you should open a case with Cisco and ask the question.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:
> Hi Ge,
>
> This is being implemented on a Cisco 7606 (SUP720) running
> 12.2(18)SXF16.
>
> Thanks.
>
> Andy 
>
> -----Original Message-----
> From: Ge Moua [mailto:moua0100 at umn.edu] 
> Sent: Wednesday, 17 June 2009 2:15 PM
> To: Andy Saykao
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: Can you apply crypto map to SVI
>
> Maybe; I've seen a situation with the me-6524 with the crypto commands
> available but functionality disabled.  What hardware platform are you
> running?
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
>
>
> Andy Saykao wrote:
>   
>> Hi Ge,
>>
>> Yes I see an active crypto engine in "software". 
>>
>> core1#sh cry engine configuration
>>
>>         crypto engine name:  unknown
>>         crypto engine type:  software
>>              serial number:  00016956
>>        crypto engine state:  installed
>>      crypto engine in slot:  N/A
>>                   platform:  Cisco Software Crypto Engine
>>
>>    Encryption Process Info:
>>           input queue size:  500
>>            input queue top:  0
>>            input queue bot:  0
>>          input queue count:  0
>>
>>    Crypto Adjacency Counts:
>>                 Lock Count:  0
>>               Unlock Count:  0
>>         crypto lib version:  17.0.0
>>          ipsec lib version:  2.0.0
>>
>> Does this mean that if the crypto map is applied to the SVI that the 
>> IPSEC tunnel should be working (considering my IPSEC config is all 
>> good)?
>>
>> Thanks.
>>
>> Andy
>>
>> -----Original Message-----
>> From: Ge Moua [mailto:moua0100 at umn.edu]
>> Sent: Tuesday, 16 June 2009 7:03 PM
>> To: Andy Saykao
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Can you apply crypto map to SVI
>>
>> Yes, this should work contingent on hw platform.  If you do a "sh cry 
>> engine" do you see an active crypto engine in sw or hw?  If not then 
>> the crypto commands will never be invoked even though legal.
>>
>> Regards,
>> Ge Moua | Email: moua0100 at umn.edu
>>
>> Network Design Engineer
>> University of Minnesota | Networking & Telecommunications Services
>>
>>
>>
>> Andy Saykao wrote:
>>> Hi All,
>>>  
>>> Got a problem with a site-to-site IPSEC vpn implementation where one 
>>> end is using SVI.
>>>  
>>> Does anybody know if a crypto map can be applied to a SVI to bring 
>>> up the IPSEC tunnel? It accepts the command but I can't pass any traffic
>>> to/from it.
>>>  
>>> interface vlan 10
>>>  crypto map MY-MAP
>>>  
>>> Or do you need to apply the crypto map to a physical interface? 
>>>  
>>> I've gotten it working on a sub-interface (eg: interface
>>> GigabitEthernet0/0.11) but can't find any documentation that talks 
>>> about applying it to a SVI and whether this will work.
>>>  
>>> Thanks.
>>>  
>>> Andy
>>>
>   
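
Added example, not part of the thread and not Cisco tooling: a small Python parser for the `show crypto engine configuration` output quoted above that reports whether any listed engine is of type hardware, which is the check the replies ask for. The verdict labels and function names are assumptions of this sketch; whether a software-only engine actually forwards IPsec traffic on a given platform is the open question the thread refers to Cisco.

```python
import re

# Output quoted in the thread (7606, Sup720, 12.2(18)SXF16), first block only.
THREAD_OUTPUT = """\
>>         crypto engine name:  unknown
>>         crypto engine type:  software
>>              serial number:  00016956
>>        crypto engine state:  installed
>>      crypto engine in slot:  N/A
>>                   platform:  Cisco Software Crypto Engine
"""

# "key:  value" lines; leading mail-quote markers and padding are ignored.
FIELD = re.compile(r"^[>\s]*([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")


def parse_engines(text):
    """Return one dict per engine block in 'show crypto engine configuration' output."""
    engines = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers such as "Encryption Process Info:" carry no value
        key, value = m.group(1).lower(), m.group(2)
        if key == "crypto engine name":
            engines.append({})  # each engine block starts with its name line
        if engines:
            engines[-1][key] = value
    return engines


def engine_verdict(text):
    """Classify the output; the three labels are this example's own, not IOS terms."""
    engines = parse_engines(text)
    if not engines:
        return "no-engine"
    types = {e.get("crypto engine type", "").lower() for e in engines}
    return "hardware-engine" if "hardware" in types else "software-only"


if __name__ == "__main__":
    for engine in parse_engines(THREAD_OUTPUT):
        print(engine["crypto engine type"], engine["crypto engine state"])
    print(engine_verdict(THREAD_OUTPUT))
```
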
