Cisco 7100 Series Spezifikationen PDF herunterladen (Seite 93)

Extranet VPN Business Scenario 4-21

Configuring Crypto Maps

For redundancy, you could apply the same crypto map set to more than one interface. The

default behavior is as follows:

• Each interface will have its own piece of the SA database.

• The IP address of the local interface will be used as the local address for IPSec trafﬁc

originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you

need to specify an identifying interface. This has the following effects:

• The per-interface portion of the IPSec SA database will be established one time and

shared for trafﬁc through all the interfaces that share the same crypto map.

• The IP address of the identifying interface will be used as the local address for IPSec

trafﬁc originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface.

Use the crypto map map-name local-address interface-id command in global

conﬁguration mode tospecify redundantinterfaces and name an identifyinginterface. This

command permits redundant interfaces to share the same crypto map, using the same local

identity.

Verifying Crypto Map Interface Associations

To verify the conﬁguration:

• Enter the show crypto map interface serial 2/0 EXEC command to see the crypto

maps applied to a speciﬁc interface.

hq-sanjose# show crypto map interface serial 2/0

Crypto Map "s4second" 2 ipsec-isakmp

Peer = 172.16.2.7

Extended IP access list 111

access-list 111 permit ip host 10.2.2.2 host 10.1.5.3

Current peer:172.16.2.7

Security association lifetime:4608000 kilobytes/1000 seconds

PFS (Y/N):N

Transform sets={ proposal4, }

1 2 ... 88 89 90 91 92 93 94 95 96 97 98 ... 111 112

Keine Kommentare

Cisco 7100 Series Spezifikationen Seite 93