Cisco IOS XR User Manual (254 pages)

Implementing IPSec Network Security on Cisco IOS XR Software
Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software
SC-103
Cisco IOS XR System Security Configuration Guide
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of
protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points
over an IP network.
When you configure an IPSec virtual interface, you must associate the service entity by using the
service-location command. The association is done statically. The service-location command is
mandatory. A virtual interface configuration is not fully verified until the service location is specified.
The following IPSec virtual interfaces are supported:
Static IPSec service virtual interface (SVI)—Use the interface service-ipsec command to create a
static IPSec SVI.
The tunnel endpoints are defined by the tunnel source command and tunnel destination command.
The tunnel source can be shared between interfaces. Although the address is internal to the router,
the address is used only as a tunnel source. Unlike other internal router IP addresses, the tunnel
source is not used to serve routing protocols, or other applications that are terminated on the router.
The sole purpose for a tunnel source is tunneling.
If a dynamic IPSec profile is attached to a static IPSec SVI, tunnel destination should not be
configured and is negotiated when a new tunnel is created. In this case, it is possible that multiple
IPSec tunnels can terminate on the same IPSec SVI and contain a different tunnel destination.
A virtual interface must be associated with an IPSec service SPA. The service-location command
specifies both active and standby locations for the interface. All interfaces that share the same tunnel
source and tunnel VRF (FVRF) must be associated to the same location. The only event in which
virtual interfaces share the same source address, destination address, and FVRF, is when NAT
traversal is in effect.
Static IPSec-protected GRE virtual interface—Use the interface service-gre command to create a
static IPSec-protected GRE interface. When GRE is used with IPSec, only transport mode is
supported. Only one IPSec profile can be attached to a GRE interface in which case one IPSec SA
is created. Only point-to-point GRE interfaces are supported.
IPSec Load Balancing and High Availability
Load balancing and high availability are the mechanisms by which IPSec handling is distributed between
Cisco IPSec VPN SPAs, and by which the traffic diversion policy is applied when an automatic switchover
is required. You can configure a preferred active SPA (primary SPA) and a preferred standby SPA
(secondary SPA). If the active location is not functional, the standby location takes the active role. When
both locations are functional and the active SPA then fails, the secondary SPA takes over as the primary
location and traffic is diverted to that SPA. In addition, you have the option of configuring auto-revert.
With auto-revert configured, when the preferred active location becomes functional again (for example,
after recovering from a failure), traffic is diverted back to that location.
When auto-revert is not configured, if there is a failure in location A, location B (which was configured
as standby) takes over and location A becomes the standby.
The preferred-active and preferred-standby SPAs cannot reside on the same line card.
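As an added illustration (not code from the manual or from Cisco), the following Python check applies the placement rules stated above to constructed IOS XR-style interface stanzas: active and standby SPAs on different line cards, interfaces that share a tunnel source and FVRF on the same service location, and no tunnel destination on an SVI that carries a dynamic profile. The `profile` and `tunnel vrf` command spellings, the sample addresses and the rack/slot node-id layout are assumptions.

```python
from collections import defaultdict
# Constructed IOS XR-style stanzas (not from the manual); 'profile' and 'tunnel vrf' are assumed spellings.
SAMPLE = """\
interface service-ipsec 1
 profile ipsec-static
 tunnel source 10.1.1.1
 tunnel destination 10.2.2.2
 service-location preferred-active 0/1/0 preferred-standby 0/1/1
!
interface service-ipsec 2
 profile ipsec-dyn
 tunnel source 10.1.1.1
 tunnel destination 10.3.3.3
 service-location preferred-active 0/2/0 preferred-standby 0/3/0
"""

def parse(config):
    """Map each service-ipsec / service-gre stanza to {command: argument words}."""
    ifaces, cur = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words and words[0] == "interface":
            cur = ifaces.setdefault(" ".join(words[1:3]), {})
        elif words and words[0] != "!" and cur is not None:
            n = 2 if words[0] == "tunnel" else 1  # 'tunnel source', 'tunnel vrf'
            cur[" ".join(words[:n])] = words[n:]
    return ifaces

def line_card(node_id):
    return "/".join(node_id.split("/")[:2])  # rack/slot of 0/1/0 (assumed layout)

def check(config, dynamic_profiles=()):
    """Return the placement-rule violations found in the configuration text."""
    ifaces, problems, by_source = parse(config), [], defaultdict(set)
    for name, cmds in ifaces.items():
        loc = cmds.get("service-location", [])
        opts = dict(zip(loc[::2], loc[1::2]))
        act, stb = opts.get("preferred-active"), opts.get("preferred-standby")
        if act is None:
            problems.append(f"{name}: service-location is mandatory")
        elif stb and line_card(act) == line_card(stb):
            problems.append(f"{name}: active and standby SPAs share a line card")
        if (cmds.get("profile") or [""])[0] in dynamic_profiles and "tunnel destination" in cmds:
            problems.append(f"{name}: dynamic profile must not set tunnel destination")
        # interfaces sharing tunnel source and FVRF must use the same location
        key = (tuple(cmds.get("tunnel source", ())), tuple(cmds.get("tunnel vrf", ())))
        by_source[key].add((act, stb))
    for (src, _vrf), locations in by_source.items():
        if src and len(locations) > 1:
            problems.append(f"tunnel source {src[0]}: shared source/FVRF on different locations")
    return problems
```

Running `check(SAMPLE, dynamic_profiles={"ipsec-dyn"})` reports all three rule violations built into the sample.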
Reverse Route Injection (RRI) is designed to simplify network design for Virtual Private Networks
(VPNs) in which there is a requirement for redundancy or load balancing. For more information about
RRI, see the “Reverse-Route Injection” section on page SC-100.