Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
0
Helpful
8
Replies

VPN Tunneling on L3 Switches

NorthParkDrunky
Level 1
Level 1

‎12-20-2023 01:52 PM

I recently discovered that L3 switches (C3560s, 9500s, 3850s, etc.) are unable to do VPN tunneling due to their hardware. Interestingly, all of the previously mentioned devices have the commands to put a VPN tunnel in place, as well as "show" commands to view IKEV2 stats, sessions, SAs, etc. The tunnel will actually come up/up and look as if it will work. The issue is they won't pass any routing traffic and you will be unable to get EIGRP neighbors. Does anyone know where I can find more in-depth info on this subject? Also, is anyone tracking that Cisco will try to implement this feature on future devices? Any info will be much appreciated.

Cheers!

Labels:
0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎12-20-2023 02:05 PM

@NorthParkDrunky actually IPSec VPNs are supported on the catalyst 9300X, 9400X, 9500X and 9600X model switches, with the correct license and software version.

https://blogs.cisco.com/networking/finally-ipsec-on-a-catalyst-switch

 

0 Helpful

NorthParkDrunky
Level 1
Level 1
In response to Rob Ingram

‎12-20-2023 09:15 PM

Thanks for the info. I wasn't tracking the C9000Xs having this feature. 

0 Helpful

Rob Ingram
VIP
VIP
In response to NorthParkDrunky

‎12-21-2023 12:24 AM

@NorthParkDrunky the crypto commands were present on older firmware versions, even though it would not work.

0 Helpful

MHM Cisco World
VIP
VIP

‎12-20-2023 02:08 PM

If I am right you need to add multicast of eigrp in your acl of ipsec' try and check eigrp neighbor 

MHM

0 Helpful

NorthParkDrunky
Level 1
Level 1
In response to MHM Cisco World

‎12-20-2023 09:20 PM

I'm unsure what you're referring to specifically. However, most L3 switches lack the required hardware to perform IPSEC tunnels. 3560s and 3850s do have the CLI commands for the config, but won't actually work once they are configured. My post wasn't so much a question as to what config I should use. It was more of an outreach to anyone with more knowledge on VPN tunnels with L3 switches, though I do appreciate the support.

 

Cheers!

0 Helpful

MHM Cisco World
VIP
VIP
In response to NorthParkDrunky

‎12-21-2023 12:37 AM

You want l3 tunnel for security or only for overlay l3?

If for overlay l3 use vti, you can config it in c9k. 

For IPsec I will check. 

MHM

0 Helpful

Ruben Cocheno
Spotlight
Spotlight

‎12-22-2023 02:31 AM

@NorthParkDrunky  I would be curious about performance-wise despite the sales pitch on the datasheets.

Keep us posted

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

NorthParkDrunky
Level 1
Level 1
In response to Ruben Cocheno

‎12-22-2023 02:44 AM

I'm not sure that my organization will purchase them, though I requested them to purchase a 9300x and 9500x for testing. If I get lucky with their spending, I will let you all know.

0 Helpful
Customers Also Viewed These Support Documents