    7600: small issues when combining the SPA-IPSEC-2G with the SPA-5xGE-V2

    Posted on November 13th, 2008 by phanx, 1 comment
    ========phanx.com=========
    Author:  phanx
    Updated: 2008-11-13
                        2009-03-08
    =========================
     
    A customer needed to use a SPA-IPSEC-2G on a 7600 to build IPsec site-to-site VPNs to a large number of remote sites. Because Ethernet sub-interfaces on the 7600 supervisor's ports do not support CBWFQ when paired with the IPsec SPA,
    a SPA-5xGE-V2 was added as well.

    The SPA-5xGE-V2 is odd in its own way: in a 6500 chassis it has to be installed in a 7600-SIP-600, while in a 7600 it must go in a 7600-SIP-400. The SPA-IPSEC-2G, of course, can only be installed in a 7600-SSC-400.
    Quite a complicated arrangement.

    The SPA-IPSEC-2G uses the VLAN Connect approach, i.e. the IPsec acceleration module is inserted into what used to be a conventional directly connected link. Previously an Ethernet sub-interface connected to the peer. Now the address of that Ethernet sub-interface is moved to an inside interface VLAN; an outside VLAN or a sub-interface is used to connect to the peer; finally the inside VLAN and the outside VLAN/sub-interface are bridged with a connect.

    Before: sub-interface ——> peer    or interface vlan & switchport trunk ——-> peer

    interface Vlan2
     ip address 1.1.1.1 255.255.255.252
    interface G1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    or
    interface G4/0/0.2
     encapsulation dot1q 2
     ip address 1.1.1.1 255.255.255.252
     

    Now: interface Vlan.inside —[connect engine]— [SPA-IPSEC-2G] — [connect vlan.inside] — vlan outside in switchport trunk ——> peer

    or: interface Vlan.inside —[connect engine]— [SPA-IPSEC-2G] — [connect vlan.inside] — sub-interface.outside ——> peer

    interface Vlan102
     ip address 1.1.1.1 255.255.255.252
     crypto engine slot 2/0
    interface Vlan2
     crypto connect vlan 102
    interface G1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk

    or
    interface Vlan102
     ip address 1.1.1.1 255.255.255.252
     crypto engine slot 2/0
    interface G4/0/0.2
     encapsulation dot1q 2
     crypto connect vlan 102

    That is all for the configuration. The guide is quite clear about it, but then I ran into a bug..

    CSCsg49757 Bug Details
    Combining Gig-Sub-intf & crypto connect & vlan with crypto engine

    Symptom:
    Unable to get the VPN configuration working with a GigabitEthernet SPA module. In addition, clear text connectivity outside the 7600/6500 does not work.

    Conditions:
    This problem only occurs if sub-interfaces are used on the GigabitEthernet SPA module.

    Workaround:
    Configure 'cdp enable' on the sub-interface.

    What does that mean? Simply put, with the sub-interface approach you cannot ping the peer and IPsec does not come up either.... The fix is to add one more line under the sub-interface: cdp enable.... //sigh...

    It seems the SPA GE card does not enable CDP by default. I checked the Bug Toolkit and found that no release fixes this bug yet (as of 12.2(33)SRC1). So we make do with the workaround.

    Then I ran into another problem that may or may not be a bug. Because there are many remote sites there are many sub-interfaces, and when someone pasted in the configuration they accidentally pasted the configuration of a few sub-interfaces twice.

    After pasting, the duplicated crypto connect lines produced the message "xxxx already connect to vlan xxx", and then the OSPF neighbor under each duplicated sub-interface would not come up. The peer could be pinged, but OSPF could not form an adjacency. Debug showed OSPF Hellos leaving our side, but debug on the peer showed none arriving. Out of options, I removed the crypto connect statement under the sub-interface with "no" and re-entered it, and that fixed it.

    Re-entering the crypto connect statement the same way on the other sub-interfaces that had been pasted twice brought all the OSPF neighbors back up.
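    As an added example (not code from the original post), a small Python pre-check to run over a batch of sub-interface configuration before it is pasted onto the 7600: it flags a GE SPA sub-interface that does crypto connect without the cdp enable workaround for CSCsg49757, and an inside VLAN that is crypto-connected more than once, the pasted-twice case above. The sample configuration, interface names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample paste (not from the post): the sub-interface for VLAN 102
# appears twice, and the one for VLAN 103 lacks the 'cdp enable' workaround.
SAMPLE_CONFIG = """\
interface Vlan102
 ip address 1.1.1.1 255.255.255.252
 crypto engine slot 2/0
interface GigabitEthernet4/0/0.2
 encapsulation dot1q 2
 cdp enable
 crypto connect vlan 102
interface GigabitEthernet4/0/0.3
 encapsulation dot1q 3
 crypto connect vlan 103
interface GigabitEthernet4/0/0.2
 encapsulation dot1q 2
 cdp enable
 crypto connect vlan 102
"""

def parse_interfaces(config):
    """Split IOS config text into [(interface name, [sub-commands])]."""
    blocks, current = [], None  # a list, so a block pasted twice is seen twice
    for line in config.splitlines():
        if line.startswith("interface "):
            current = (line.split(None, 1)[1].strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None  # '!' separator or another top-level command
    return blocks

def audit_crypto_connect(config):
    """Return sorted findings: missing 'cdp enable' and VLANs connected twice."""
    findings, connected = [], defaultdict(list)
    for name, cmds in parse_interfaces(config):
        for cmd in cmds:
            m = re.fullmatch(r"crypto connect vlan (\d+)", cmd)
            if m:
                connected[m.group(1)].append(name)
                # CSCsg49757: GE SPA sub-interfaces need 'cdp enable' as well
                if "." in name and "cdp enable" not in cmds:
                    findings.append(f"{name}: crypto connect without 'cdp enable'")
    for vlan, names in connected.items():
        if len(names) > 1:
            findings.append(f"Vlan{vlan}: connected {len(names)} times ({', '.join(names)})")
    return sorted(findings)
```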

    The SIP/SPA really do have quite a few bugs....!


     

    One more SPA-IPSEC-2G bug to add. The Catalyst 6500 Series Switches Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases state: Note SPA-IPSEC-2G does not support TACACS+ authentication for IPsec. (CSCee33200)

    In other words, when using the SPA-IPSEC-2G for Remote Access VPN you cannot use TACACS+ for XAuth. A colleague of mine was lucky enough to hit this bug.

    
     

    One comment on "7600: small issues when combining the SPA-IPSEC-2G with the SPA-5xGE-V2"

    1. Not bad, not bad.
