11-19-2009 11:48 PM - edited 03-04-2019 06:45 AM
Hi
Show version on the router shows this output, but we didn't purchase a VPN encryption module.
Why does it show 2 VPN modules? If I get a VPN module, how do I move the encryption from software to hardware?
Are there any tools to check the difference between software and hardware encryption for a Cisco 2851 box?
Cisco 2851 (revision 22.50) with 249856K/12288K bytes of memory.
Processor board ID FCZ3313122Y
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
11-20-2009 01:54 AM
The 2800 series router comes with a VPN module built in and your show version is pretty clear that this router has the second optional module. You could use the show diag command to see more details about the VPN module.
When the VPN module is present the OS automatically moves the encryption from software to hardware. There is not a need for specific commands to activate it.
HTH
Rick
11-20-2009 11:17 AM
I was curious about this issue, so I looked at one of our 2821's with the security bundle in it. Sure enough, it shows in the output of SHOW VERSION that there are two VPN modules. However, in the output of SHOW DIAG I only see one VPN module in slot 0.
I then checked this document. https://www.cisco.com/en/US/docs/routers/access/2800/hardware/installation/guide/10_hw.html#wp1109723
In the section on verifying the AIM installation, the output of SHOW VERSION shows that there is only one VPN module.
11-20-2009 12:14 PM
Post the full "show diag" here.
You can edit SN # if worried about that.
There are "show crypto" commands that tell you which HW is being used.
11-20-2009 12:25 PM
#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 23-Mar-07 18:35 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
xxxxx uptime is x weeks, x days, x hours, x minutes
System returned to ROM by power-on
System restarted at 12:55:27 CDT Wed Jun 17 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-9.T3.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID xxxxxxx
2 Gigabit Ethernet interfaces
2 Serial interfaces
2 Channelized T1/PRI ports
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
sh diag
Slot 0:
C2821 Motherboard with 2GE and integrated VPN Port adapter, 2 ports
Port adapter is analyzed
Port adapter insertion time unknown
Onboard VPN : v2.2.0
EEPROM contents at hardware discovery:
PCB Serial Number : xxxxxxxxxxx
Hardware Revision : 1.0
Top Assy. Part Number : 800-26921-02
Board Revision : A0
Deviation Number : 0
Fab Version : 03
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Processor type : 87
Hardware date code : 20070329
Chassis Serial Number : xxxxxxxxxx
Chassis MAC Address : xxxxxxxxxx
MAC Address block size : 32
CLEI Code : COM3D00BRA
Product (FRU) Number : CISCO2821
Part Number : 73-8853-04
Version Identifier : V03
EEPROM format version 4
WIC Slot 0:
VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
Hardware Revision : 0.0
Top Assy. Part Number : 800-22629-05
Board Revision : B0
Deviation Number : 0
Fab Version : 04
PCB Serial Number : xxxxxxxxxxxxx
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : VWIC2-2MFT-T1/E1
Version Identifier : V01
EEPROM format version 4
AIM Module in slot: 0
Hardware Revision : 1.0
Top Assy. Part Number : 800-27059-01
Board Revision : A0
Deviation Number : 0-0
Fab Version : 02
PCB Serial Number : xxxxxxxxxxx
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : AIM-VPN/SSL-2
Version Identifier : V01
EEPROM format version 4
11-20-2009 01:28 PM
You have an optional VPN module installed:
AIM Module in slot: 0
Hardware Revision : 1.0
Top Assy. Part Number : 800-27059-01
Board Revision : A0
Deviation Number : 0-0
Fab Version : 02
PCB Serial Number : xxxxxxxxxxx
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : AIM-VPN/SSL-2
Please remember to rate useful posts with the scrollbox below.
11-21-2009 02:59 PM
Can you please post the result of sh inventory and sh crypto engine acc? Thanks.
11-21-2009 05:40 PM
What for? Show diag above is clear enough.
11-22-2009 01:26 PM
Hi Paolo,
If I read this correctly, the router has TWO (2) AIM-VPN, is this correct?
11-22-2009 01:37 PM
No, it has one.
11-23-2009 12:36 PM
I believe that the clearest way to understand precisely what is in the router for encryption modules is to use the command show crypto engine brief. The output here clearly shows both the optional VPN module AIM-VPN/SSL1 in slot 0 and the built-in module Onboard-VPN (in location onboard 0).
sh crypto eng brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
Product Name: AIM-VPN/SSL-1
Software Serial #: 55AA
Device ID: 001F - revision 0000
Vendor ID: 0000
Revision No: 0x001F0000
VSK revision: 0
Boot version: 255
DPU version: 0
HSP version: 3.4(1) (PRODUCTION)
Time running: 1w5d
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 1000
Maximum SA index: 1000
Maximum Flow index: 2000
Maximum RSA key size: 2048
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 0300
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 35C2FA40
crypto engine state: installed
crypto engine in slot: N/A
HTH
Rick
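Added example (not part of any poster's reply and not Cisco code): a small Python parser for the show crypto engine brief output quoted above, listing each crypto engine and reporting which hardware engine is enabled. The sample text is an excerpt of the posted output with fields trimmed; the function names are illustrative.

```python
# Excerpt of the `show crypto engine brief` output posted above (fields trimmed).
SAMPLE = """\
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
Product Name: AIM-VPN/SSL-1
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
crypto engine state: installed
crypto engine in slot: N/A
"""

def parse_engines(text):
    """Split the output into one dict per engine, keyed by lower-cased field name."""
    engines = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line, prompt or echoed command
        key, value = key.strip().lower(), value.strip()
        if key == "crypto engine name":
            engines.append({})  # every engine block starts with this field
        if engines:
            engines[-1][key] = value
    return engines

def summarize(text):
    """Return (type, product or engine name, state, location) for each engine."""
    rows = []
    for e in parse_engines(text):
        # Hardware blocks use "State", the software block "crypto engine state".
        state = e.get("state") or e.get("crypto engine state", "unknown")
        name = e.get("product name", e.get("crypto engine name"))
        rows.append((e.get("crypto engine type", "unknown"), name,
                     state.lower(), e.get("location", "n/a")))
    return rows

def enabled_hardware(text):
    """Product names of hardware engines whose State is Enabled."""
    return [p for t, p, s, _ in summarize(text) if t == "hardware" and s == "enabled"]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print("hardware in use:", enabled_hardware(SAMPLE) or "none (software only)")
```

An empty result from enabled_hardware means no hardware engine reports State: Enabled in the parsed output.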
11-23-2009 01:48 PM
Thank you, sir.
11-24-2009 02:50 AM
You are welcome.
Please remember to rate useful posts with the scrollbox below.