The following table defines parameters to configure Fabric Extend (FE) over IPsec on a device.

Configure Fabric Extend Over IPsec

Note

Note

This procedure only applies to XA1400 Series.

Use the following procedure to configure Fabric Extend (FE) over IPsec.

Before you begin

The tunnel source IP address can be a brouter port IP, a CLIP IP, or a VLAN IP.

About this task

Configuring Fabric Extend over IPsec consists of two primary tasks: configuring the tunnel source address and configuring the logical interface. These tasks must be completed on both ends of the tunnel.

For information about how to configure an IPsec NAT-T Responder, see IPsec configuration using CLI.

Procedure

Switch A Steps

  1. Enter IS-IS Router Configuration mode:

    enable

    configure terminal

    router isis

  2. Configure the IP tunnel source address:

    ip-tunnel-source-address <A.B.C.D> [vrf WORD<1–16>]

  3. Enter Global Configuration mode:

    exit

  4. Use one of the following commands to create a logical IS-IS interface:

    • In a network with a Layer 3 Core, enter logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>] [mtu <750-9000>]

  5. Configure an IS-IS interface on the selected ports or MLTs:
    1. Create an IS-IS circuit and interface on the selected ports or MLTs:

      isis

    2. Enable the SPBM instance on the IS-IS interfaces:

      isis spbm <1–100>

    3. Enable the IS-IS circuit/interface on the selected ports or MLTs:

      isis enable

  6. Configure the IPsec authentication method:

    ipsec auth-method <pre-share |rsa-sig>

  7. Create the authentication key, if using a pre-shared key:

    auth-key WORD<1-32>

  8. Configure IPsec encryption key length for FE tunnel.

    ipsec encryption-key-length <128 | 256>

    Note

    Note

    • You cannot change the encryption key length when IPsec is enabled on the FE tunnel.

  9. Optional: Enable IPsec compression on the logical interface:

    ipsec compression

    By default, IPsec compression is disabled. If you enable it, you must enable it on both ends of the adjacency.

  10. Enable IPsec on the logical interface:

    ipsec

  11. Exit interface configuration mode:

    exit

Switch B Steps

  1. Enter IS-IS Router Configuration mode:

    enable

    configure terminal

    router isis

  2. Configure the IP tunnel source address:

    ip-tunnel-source-address <A.B.C.D> [vrf WORD<1–16>]

  3. Enter Global Configuration mode:

    exit

  4. Use one of the following commands to create a logical IS-IS interface:

    • In a network with a Layer 3 Core, enter logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>] [mtu <750-9000>]

  5. Configure an IS-IS interface on the selected ports or MLTs:
    1. Create an IS-IS circuit and interface on the selected ports or MLTs:

      isis

    2. Enable the SPBM instance on the IS-IS interfaces:

      isis spbm <1–100>

    3. Enable the IS-IS circuit/interface on the selected ports or MLTs:

      isis enable

  6. Configure the IPsec authentication method:

    ipsec auth-method <pre-share |rsa-sig>

  7. Create the authentication key, if using a pre-shared key:

    auth-key WORD<1-32>

  8. Configure IPsec encryption key length for FE tunnel.

    ipsec encryption-key-length <128 | 256>

    Note

    Note

    • You cannot change the encryption key length when IPsec is enabled on the FE tunnel.

  9. Optional: Enable IPsec compression on the logical interface:

    ipsec compression

    By default, IPsec compression is disabled. If you enable it, you must enable it on both ends of the adjacency.

  10. Enable IPsec on the logical interface:

    ipsec

  11. Exit interface configuration mode:

    exit

Variable Definitions

The following table defines parameters to configure Fabric Extend (FE) over IPsec on a device.

The following table defines parameters for the ip-tunnel-source-address command.

Variable

Value

<A.B.C.D>

Specifies the IS-IS IPv4 tunnel source address, which can be a brouter IP, a CLIP IP, or a VLAN IP.

vrf WORD<1–16>

Specifies the VRF name associated with the IP tunnel.
Table 1. Layer 3 core
Variable Value

<1–255>

Specifies the index number that uniquely identifies this logical interface.
<A.B.C.D>

Specifies the IS-IS IPv4 tunnel source address, which can be either a brouter interface IP or a CLIP IP.

name WORD<1–64>

Specifies the administratively-assigned name of this logical interface, which can be up to 64 characters.
mtu <750–9000> Specifies the Maximum Transmission Unit (MTU) size of each packet. The default MTU value is 1950.

The following table defines parameters for the isis command.

Variable

Value

enable

Enables or disables the IS-IS circuit/interface on the specified port or MLT.

The default is disabled. Use the no option to disable IS-IS on the specified interface.

spbm <1–100>

Enable the SPBM instance on the IS-IS interfaces.

The following table defines parameters for the auth-key command.

Variable

Value

WORD<1–32>

Specifies the authentication key on the assigned logical interface if using a pre-shared key.

Use the no option to disable the authentication key on the specified interface.

The following table defines parameters for the ipsec command.

Variable

Value

auth-method <pre-share | rsa-sig>

Configures the authentication method for IPsec. The default is a pre-shared key. Use rsa-sig to use an installed digital certificate instead.

encryption-key-length <128 | 256>

Specifies the IPsec encryption key length for FE tunnel, which is 128 bit or 256 bit.

The default IPsec encryption key length value is 128 bit.
9037602-00 Rev AB