06-22-2011 05:54 AM - edited 03-04-2019 12:47 PM
To configure the GRE tunnel over IPSEC with OSPF via Encryption module from Cisco Router 3845, I have a few queries:
1. Does the router 3845 support hot swap for encryption module?
2. Does the router need to be rebooted after plugging in the encryption module?
3. Any sample configuration for GRE tunnel over IPSEC?
06-22-2011 06:30 AM
Hi,
The Cisco 3845 and 3845-NOVPN routers support online insertion and removal (OIR, or hot swap) of network modules. Remember that these 3845 and 3845-NOVPN routers support OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.
The link below may help you with a sample config for GRE over IPSec with OSPF.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
Please rate the helpful posts.
Regards,
Naidu.
06-22-2011 06:24 AM
1 no
2 yes
3 plenty on cisco.com, just use search box.
Note, adding encryption module is not needed. The 3845 already has one embedded on motherboard.
06-22-2011 06:56 AM
The Cisco 3845 and 3845-NOVPN routers support online insertion and removal (OIR, or hot swap) of network modules. Remember that these 3845 and 3845-NOVPN routers support OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.
Correct, however OP has specifically asked about OIR for encryption modules. Since optional encryption modules are AIM and not NM, the answer is NO.
06-22-2011 06:50 AM
Want to reduce the CPU utilization, so adding in the encryption module.
06-22-2011 06:52 AM
As mentioned above already: ISR routers have an embedded encryption module and do not use CPU for the task.
Please remember to rate useful posts clicking on the stars below.
06-22-2011 10:26 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
The 3845's base crypto module, if I recall correctly, doesn't offer quite as much performance as the optional crypto module, but would be surprised if you're doing that much crypto that you need the extra capacity.
You may want to post your processor utilization (sorted).
As to reducing CPU load, have you used ip tcp mss-adjust to help your router avoid needing to deal with fragmented packets for TCP?
06-22-2011 11:37 AM
Hi,
The whole idea behind having an additional VPN encryption module is to not affect the actual CPU load.
As above, these routers have a separate embedded encryption module and do not use the actual device CPU for the task.
Please rate the helpful posts.
Regards,
Naidu.
06-23-2011 10:00 PM
Hi, Thank you for all the replies.
For the command as shown below, is the address Peer_address the same as tunnel destination Peer_Physical_Interface_IP_Address?
crypto isakmp key 6 PresharedKey address Peer_address
crypto IPsec profile toRemote
interface Tunnel0
 tunnel source Physical_Interface_IP_address
 tunnel destination Peer_Physical_Interface_IP_Address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile toRemote
06-23-2011 10:11 PM
Hi,
Yes, it's the peer's physical internet IP address, which is routable but not routed out of the tunnel interface itself.
HTH,
Toshi
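Added example, not part of any post in this thread and not taken from the linked Cisco document: one side of a GRE over IPsec tunnel carrying OSPF, showing the ISAKMP key address matching the tunnel destination as confirmed above. It keeps the default GRE tunnel mode (the `tunnel mode ipsec ipv4` line in the posted snippet selects an IPsec VTI without GRE). All addresses, the key placeholder, the policy number and the transform-set name are assumptions, and the crypto choices assume an IOS release that supports them.

```cisco
! Constructed sample values (RFC 5737 documentation addresses):
!   local physical IP  198.51.100.1
!   peer physical IP   203.0.113.2
!   tunnel subnet      10.255.0.0/30
!
! Phase 1: pre-shared key authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! The key is bound to the peer's physical address,
! the same address used as the tunnel destination below.
! <PRESHARED_KEY> is a placeholder, not a real value.
crypto isakmp key <PRESHARED_KEY> address 203.0.113.2
!
! Phase 2: transport mode is sufficient because GRE already
! encapsulates the payload and the crypto peers are the GRE endpoints.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile toRemote
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! Leave room for GRE + ESP overhead so packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 ! Default tunnel mode is GRE; the profile encrypts the GRE packets
 tunnel protection ipsec profile toRemote
!
! OSPF runs over the tunnel subnet only. The peer's physical
! address must stay reachable outside the tunnel (for example
! via a static or default route), never via a route learned
! through Tunnel0.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
```

The remote router mirrors this with the source, destination and key address swapped; `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip ospf neighbor` confirm that the tunnel is encrypting and the adjacency has formed.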