Cisco Catalyst 6500 Series 7600 Series Wireless Services Module (WiSM) Technical Reference
Configuring a Cisco Wireless Services Module and Wireless Control System
OL-8981-01
• Increased up time for IPSec tunnels
• Key management using Internet Key Exchange (IKE)
• Certificate Authority support
• Enhanced resilience by utilizing existing Catalyst 6500 routing protocols and resilience features such as HSRP, along with inbuilt resilience features such as Internet Key Exchange (IKE) keepalives
• Embedded web-based VPN Device Manager (VDM) for single device management
• Integration with VPN Solution Center (VPNSC) management solution for large enterprise or service provider management
• Built-in web-based device management using CiscoView Device Manager
How VPNSM Works
Unlike some of the other Catalyst 6500 services modules, the VPNSM does not rely on either the SPAN
facility or VACL capture facility to process VPN traffic. The VPNSM must be placed in the path of
traffic so that it can apply VPN processing to any traffic matching the configured ACL criteria; therefore,
you should carefully consider design and implementation of the VPNSM.
Physical modifications to the network may be required in order to place the VPNSM in the path of the
necessary traffic. Also, unlike many of the other service modules, the VPNSM is configured directly
from the Cisco IOS CLI. There is no need to access (or Telnet into) the module to configure it.
When a VPN module is installed into a Catalyst 6500/7600 chassis, it determines whether Catalyst 6500
interfaces and ports in that chassis belong to the inside network (local LAN) or the outside network
(outside world). The determination of whether ports are inside or outside impacts the way VLANs are
set up and how they interact with VPNSM. All ports that connect to the outside world (external
networks) are referred to as Catalyst outside ports, and those within the local LAN network are referred
to as Catalyst inside ports. If an Ethernet 10/100 port (for example, port 5) on module 3 (port 3/5) is
connected to an inside server, then that port is designated as a Catalyst inside port. If the same port is
connected to the WAN router, then that port is designated as a Catalyst outside port.
While the VPN module has no external (physical) ports, it has two logical ports that connect the VPN
module to the backplane of the Catalyst 6500/7600. These two logical ports are configured as Gigabit
Ethernet (GE) ports from the command line interface (CLI). The VPN ports can be seen in the output of the
following show module command, run from the supervisor CLI:
c6506# sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     2 IPSec VPN Accelerator                  WS-SVC-IPSEC-1     SAD0837063H
  3    10 WiSM WLAN Service Module               WS-SVC-WiSM-1-K9   SAD092504J8
  4    48 48-port 10/100 mb RJ45                 WS-X6148-45AF      SAL08154UT3
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL0913827E
  6     6 Firewall Module                        WS-SVC-FWM-1       SAD090100D9

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0003.e470.05cc to 0003.e470.05cf    1.3    7.2(1)       8.5(0.46)RFW Ok
  3 0001.0002.0003 to 0001.0002.0012    0.1    12.2(14r)S5  12.2(PP_R31_ Ok
  4 0011.206d.7ef0 to 0011.206d.7f1f    1.0    5.4(2)       8.5(0.46)RFW Ok
  5 0013.7f0d.114c to 0013.7f0d.114f    4.3    8.1(3)       12.2(PP_R31_ Ok
  6 0012.8005.d418 to 0012.8005.d41f    3.0    7.2(1)       2.3(2)       Ok
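
As an added example (not part of the Cisco document), the following Python code parses show module output like the sample above and checks that the VPN module is present, exposes its two logical ports, and reports status Ok. The function names parse_show_module and audit_vpn_modules are hypothetical, and treating any status other than Ok as a finding is an assumption of this example.

```python
import re

# Constructed sample: the `sh mod` output above, with the wrapped WiSM row rejoined.
SAMPLE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     2 IPSec VPN Accelerator                  WS-SVC-IPSEC-1     SAD0837063H
  3    10 WiSM WLAN Service Module               WS-SVC-WiSM-1-K9   SAD092504J8
  4    48 48-port 10/100 mb RJ45                 WS-X6148-45AF      SAL08154UT3
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL0913827E
  6     6 Firewall Module                        WS-SVC-FWM-1       SAD090100D9
Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0003.e470.05cc to 0003.e470.05cf    1.3    7.2(1)       8.5(0.46)RFW Ok
  3 0001.0002.0003 to 0001.0002.0012    0.1    12.2(14r)S5  12.2(PP_R31_ Ok
  4 0011.206d.7ef0 to 0011.206d.7f1f    1.0    5.4(2)       8.5(0.46)RFW Ok
  5 0013.7f0d.114c to 0013.7f0d.114f    4.3    8.1(3)       12.2(PP_R31_ Ok
  6 0012.8005.d418 to 0012.8005.d41f    3.0    7.2(1)       2.3(2)       Ok
"""

# Inventory row: slot, ports, card type, model, serial. Status row: slot, MAC range, Hw, Fw, Sw, Status.
HW_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(\S+)\s+(\S+)\s*$")
ST_ROW = re.compile(r"^\s*(\d+)\s+[0-9a-f.]{14}\s+to\s+[0-9a-f.]{14}"
                    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_show_module(text):
    """Join the inventory and status tables into {slot: record}."""
    mods = {}
    for line in text.splitlines():
        st, hw = ST_ROW.match(line), HW_ROW.match(line)
        if st:
            keys, vals = ("hw", "fw", "sw", "status"), st.groups()[1:]
        elif hw:
            keys = ("ports", "card", "model", "serial")
            vals = (int(hw.group(2)),) + hw.groups()[2:]
        else:
            continue  # prompt, header, separator or blank line
        mods.setdefault(int((st or hw).group(1)), {}).update(zip(keys, vals))
    return mods

def audit_vpn_modules(mods, model="WS-SVC-IPSEC-1"):
    """List findings: VPN module absent, not exposing 2 logical ports, or not Ok."""
    vpn = {s: r for s, r in mods.items() if r.get("model") == model}
    findings = [] if vpn else ["no %s module found" % model]
    for slot, rec in sorted(vpn.items()):
        if rec.get("ports") != 2:
            findings.append("slot %d: %s ports, expected 2" % (slot, rec.get("ports")))
        if rec.get("status") != "Ok":
            findings.append("slot %d: status %s" % (slot, rec.get("status")))
    return findings
```

Calling audit_vpn_modules(parse_show_module(SAMPLE)) returns an empty list for the chassis shown; the regular expressions also accept rows whose column padding has collapsed to single spaces.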