Hello Dale,
Find below the relevant portion of configs and hardware as requested:
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
!
crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
!
crypto map ABC_IPsec 1 ipsec-isakmp
 set peer 192.x.y.74
 set security-association lifetime seconds 86400
 set transform-set BDQ1
 set pfs group1
 match address BHQ-IPSec
!
ip access-list extended BHQ-IPSec
 permit gre host 192.x.y.73 host 192.x.y.74
!
interface Tunnel1
 description TUNNEL CONNECTION TO BCC_IKEJA
 bandwidth 100000
 ip address 192.x.y.77 255.255.255.252
 ip mtu 1400
 load-interval 30
 tunnel source 192.x.y.73
 tunnel destination 192.x.y.74
 crypto map HQBCC_IPsec
!
interface GigabitEthernet4/22
 ip address 192.x.y.73 255.255.255.252
 crypto map ABC_IPsec
!
router eigrp 200
 net 192.x.0.0
 no auto-summary
===========================================================
CAT6509_EVEN#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 08-Dec-06 12:51 by ccai
Image text-base: 0x4002100C, data-base: 0x42320000
ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b, RELEASE SOFTWARE (fc1)
CAT6509_EVEN uptime is 15 weeks, 3 days, 20 hours, 38 minutes
Time since CAT6509_EVEN switched to active is 15 weeks, 3 days, 20 hours, 37 minutes
System returned to ROM by reload at 04:52:28 PDT Mon Oct 22 2007 (SP by power-on)
System restarted at 16:18:16 gmt Sun Aug 16 2009
System image file is "sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export_at_cisco.com.
cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
Processor board ID SMG1119N2JD
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
X.25 software, Version 3.0.0.
Bridging software.
6 Virtual Ethernet/IEEE 802.3 interface(s)
90 Gigabit Ethernet/IEEE 802.3 interface(s)
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
===========================================================
CAT6509_EVEN#sh modul
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD111505YB
  3    6  Firewall Module                        WS-SVC-FWM-1       SAD1118039C
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1117MD4K
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1020NNHA
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B       SAD111701C1
  8    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD111403HD

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 001b.53bc.976c to 001b.53bc.9783   2.5    12.2(14r)S5  12.2(18)SXD7 Ok
  3 001a.a148.b9d2 to 001a.a148.b9d9   4.1    7.2(1)       2.3(4)       Ok
  4 001b.2a8d.73c0 to 001b.2a8d.73ef   2.5    12.2(14r)S5  12.2(18)SXD7 Ok
  5 0013.c43a.fb48 to 0013.c43a.fb4b   5.2    8.4(2)       12.2(18)SXD7 Ok
  6 000a.b818.bd50 to 000a.b818.bd53   5.3    8.4(2)       12.2(18)SXD7 Ok
  8 001b.539c.7850 to 001b.539c.7857   6.3    7.2(1)       5.0(2)       Ok

Mod Sub-Module                  Model              Serial       Hw      Status
--- --------------------------- ------------------ ------------ ------- -------
  1 Centralized Forwarding Card WS-F6700-CFC       SAD111803XG  3.1     Ok
  4 Centralized Forwarding Card WS-F6700-CFC       SAD1118077G  3.1     Ok
  5 Policy Feature Card 3       WS-F6K-PFC3B       SAL1020NHC9  2.3     Ok
  5 MSFC3 Daughterboard         WS-SUP720          SAL1021NQN1  2.5     Ok
  6 Policy Feature Card 3       WS-F6K-PFC3B       SAD1116028L  2.3     Ok
  6 MSFC3 Daughterboard         WS-SUP720          SAD111705WV  2.6     Ok
  8 IDS 2 accelerator board     WS-SVC-IDSUPG      ADBG70701445 2.5     Ok

Mod Online Diag Status
--- -------------------
1 Pass
3 Pass
4 Pass
5 Pass
6 Pass
8 Pass
On Thu, Dec 3, 2009 at 12:02 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
> Hi,
>
> On Thu, Dec 3, 2009 at 7:20 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
> >
> > I noticed something strange recently. I don't know if anybody can help me
> > with an explanation. The connection between the two Catalyst 6509 switches
> > is routed and I have a number of SVIs on both switches (the SVIs serve as
> > gateways for a number of VLANs). I have a GRE over IPsec tunnel across the
> > routed interfaces of the Catalyst switches. Everything works fine if traffic
> > is passing over the routed interfaces and not the tunnels. However, if I
> > force the traffic to pass across the tunnel, the SVIs become unreachable
> > from both sides but the end devices are reachable. A show command confirms
> > that the traffic is being encrypted.
>
> Could it just be that the crypto processing is being performed by the
> RP, instead of in hardware (as it will be for forwarding of plain text
> traffic), and it's crippling the systems? It doesn't exactly match
> your symptoms, but it's one possible theory. You're not doing any
> bridging over the SVIs, are you?
>
> 1. Post hardware configuration ("sh module")
> 2. Post relevant portions of IOS configuration, and IOS version information
> 3. Do what you can to help us to help you. We're not magicians.
>
> cheers,
> Dale
Received on Thu Dec 03 2009 - 13:24:21 ART