Cisco SSL Services Module (on 6500)

Hi all,
A customer has asked me a few questions on an SSL Services Module they have (that we haven't sold and have little experience with). I've been reading the documents, but I have some questions and things to verify...
As I can understand, they already have services and trustpoints configured on the module, but with certificates created with a previously-existing internal AD-integrated CA. Now, they want to switch their services to run a certificate they've obtained from a legitimate CA.
1) They are trying to import the new certificate with copy-paste method, through the terminal. As far as I can see, both the server certificate and the CA certificate issuing the server cert. should be in base64 encoded for this to work, right? Or, can we import somehow PKCS or PEM certs thorough the terminal?
2) They would like to use a wildcard certificate for a few of their servers/services they publish. (Like, instead of getting 3 different certificates for service1.domain.com, service2.domain.com and service3.domain.com, they'd like a certificate for *.domain.com which would work for all of the 3 services.) Is this possible? Should they need to change their configuration? (Now I understand that they have different trustpoints, certificates and service configurations for each of the servers...)
I'd really like if some good soul with experience could shed a little light on this...
Or, any leads on documentation (that I may have missed) would also be appreciated.
Thanks in advance,
Emre

Good day Emre-
For question 1 - You can import PEM base64 certificates via the terminal only, all other types need to be loaded over tftp/sftp/ftp.
For question 2 - There is nothing special about how the SSLM handles the Issed To field in a certificate, it doesn't matter if it is specifc or wildcard. Multi domain certificates are also ok (using a Subject Alternative Name field.) The only thing I can think of here in terms of a difference is you might have less trustpoints and configuration on you SSLM since you no longer require multiple server certificates.
Outiside of your direct questions, make sure you upload the root and intermediate(s) into the SSLM. It has to be able to complete the SSL chain from server to root in order to operate.
Regards,
Chris Higgins

Similar Messages

Upgrading SSL Service Module in Cat6500

Hi,
I'm trying to upgrade a SSL Service Module in one of our 6500.
Following the guide at
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00805e34ed.html
After booting on the maintenance partition and trying to copy the image I get
(Not enough space on device), looking at the filesystem of pclc# shows a Unix filesystem, I'm not sure what to free up on it.
Any ideas?
Thanks in advance
Mathias Kanstrup

I am seeing the exact same problem. I have a TAC in currently on this issue. The SSL module that we are trying to upgrade is not in production yet. We do have an SSL module which is in production and the partition pclc#x-fs: is 260MB vs. the one that we are trying to upgrade with is only 30MB. Seems to me that the partition was actually incorrectly built, but I am not an expert with the 6509 chassis/Sup Engine. My main responsibility is Content Switching/SSL termination. I will post back if we find solution today.

ASA Service Module on 6500 montoring console session

We have 6500 with ASA Service Module
On 6500 how can we configure so that if someone logs in to the ASA Service Module and reboots the firewall we can have logs of it in syslog of switch .
Thanks for help

I hate to answer my own posts, but here it is. TAC tells us that there are 2 choices to make this work. Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers. I guess that's progress.
Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitches interfaces and treat it just like the etherswitch is a seperate physical switch. I'm sure there is a use case for that but I'll not cover that here.
Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router. This is what we'll do.
On our router ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box. The router will be10.0.0.1 and the switch will be 10.0.0.2.
Router:
interface Ethernet-Internal 1/0/0
service instance 1 ethernet
encapsulation dot1q 50
rewrite ingress tag pop 1
interface BDI 1
mtu 9216
ip address 10.0.0.1 255.255.255.0
Switch:
interface Gi0/18
switchport trunk vlan allowed 50
switchport mode trunk
vlan 50
name Egress vlan
interface vlan 50
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question.

Service Modules in 6500s, IPS/IDS and Stand-alone options.

Hi,
My first post here and it's a question regarding knowledge that I can't seem to find via CCW and through people I know.
Does the Service Module in the 6500 i.e. WS-SVC-ASASM1B-K9 come with or support an IPS/IDS option?
Does a stand-alone ASA5500 come with an installed IPS/IDS option.
Thanks.

> Does the Service Module in the 6500 i.e. WS-SVC-ASASM1B-K9 come with or support an IPS/IDS option?
On the Cat6k5 is the IDSM2. Thats a completely outdated module with 500 MBit/s of throuput. For the Datacenter designs Cisco recommends the standalone IPS 4500 instead a module if you need good IPS throughput.
> Does a stand-alone ASA5500 come with an installed IPS/IDS option.
The ASA has build-in IPS with a fixed signature-set that is not such rerlevant. The better way of doing IPS on the ASa is to have an optional IPS-module. These modules are didicated hardware on the legacy ASAs (the ones without -X) and pure software-modules on the new ASAs. The 5585 is an exception where IPS is also a dedicated hardware-module.
Sent from Cisco Technical Support iPad App

Cisco 3560 service module failed state

Hi Expert,
My office has a Cisco 2911 ISR router, we installed a 3560 service module 16P on it.
But I use command "sh ip int bri" in 2911 router when we finished installation.
The result shows that the interface Gi 1/1 doesn't work, I have try to re-install SM 16P twice, the result is the same.
The normal 2911 ISR + 3560 SM 16P show as below,
2911#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administrativelwy down down
GigabitEthernet0/0 xxx.xxx.xxx.xxx YES manual up up
GigabitEthernet0/1 xxx.xxx.xxx.xxx YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM down down
GigabitEthernet1/0 xxx.xxx.xxx.xxx YES NVRAM up up
GigabitEthernet1/1 unassigned YES unset up up
The BAD 2911 ISR + 3560 SM 16P show as below,
2911#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 xxx.xxx.xxx.xxx YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet1/0 unassigned YES NVRAM administratively down down

Hi Krishnendu,
I understand what you mean, I have done this work for assign Gi 1/0 an IP address, and then using command "service-module gi 1/0 session" to enter the service-module to configure it at all.
But I just want to know what is the Gi1/1 interface used for?
I use command "sh cdp nei" on others 2911 ISR + 3560 service module, all of the has the Gi 1/1 interface, and 2911 router using Gi 1/1 interface connected service module Gi 0/17. And Gi 1/1, Gi 0/17 is configured with "trunk interface".
I'm wondering whether my 2911 router Gi 1/1 has some physics error? or maybe it has another command to to "OPEN" the Gi 1/1 on 2911?
The "normal" switch display as below,
rtr001#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
swt000.nneas.net
Gig 1/0 129 R S I SM-ES3G-1 Gig 0/18
swt000.nneas.net
Gig 1/1 129 R S I SM-ES3G-1 Gig 0/17
Thanks in advance,
BR Frank

SSL Services Module Password Reset

I tried installing AAA statements on my SSL module and am now locked out. I can't even access the module via the console port (No prompt). Any ideas how I can recover?

you have to install the password recovery image that you can download from the same page as the binary code itself.
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-ssl
The procedure is explained here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_password_recovery09186a00802b2139.shtml
Gilles.

Firewall service module vs ASA

Hi
Someone told me that the cisco firewall service module of 6500 has poor performances compared to ASA
What do you recommend as a core firewall (to protect internal servers): ASA or firewall service module ?
thanks

Hi,
We are using 5 FWSMs at the moment but are moving away from them to ASA5585-X models.
I wouldnt suggest going to FWSMs anymore at this point if you have any plan on having support for new features.
End Of Life and End of Sale Notice
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html
The follower for the FWSM is the ASA Service Module which supports the newer softwares (while the FWSM doesnt). Heres a link to a document about the ASASM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/data_sheet_c78-672507.html
Also you could always consider a separate ASA models. Here are links to both the orignal ASA 5500 series and new ASA 5500-X series
ASA 5500 Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
ASA 5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I guess the question for you is what are the requirements for the device regarding performance. All of the above documentation should give you a clue about which model might be the best for you.
- Jouni

Service-module g2/0 session access fails

I did not add a vty/telnet password when I initially configured my NME-X-23ES-1G switch in my 3825 router. Now, of course I can not telnet to the switch, but the session access fails as well. How do I recover this?
Config in 3825:
interface GigabitEthernet2/0
ip address 106.40.x.x.255.255.0
Attempt to access switch module:
3825_Router2#service-module g2/0 sess
Trying 106.40.77.254, 2130 ...
% Connection refused by remote host

The default configuration for Cisco EtherSwitch service modules allows an end user to recover from a lost password. The password recovery disable feature allows the system administrator to protect access to the switch password by disabling part of this functionality and allowing the user to interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, the user can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
The following document shows how to recover from a lost or forgotten password.
http://www.cisco.com/en/US/products/hw/modules/ps2797/products_feature_guide09186a0080415bae.html#wp1776357

CSS - 11506 - Adding New SSL Services on Single SSL Modules

Hi,
We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecated

Hi Sean,
Thanks for replying back just want few clarifcations in configuration part.
1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
/home/johndoe
2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
Connecting
Completed successfully
3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
Connecting
Completed successfully
4.Enter configuration mode.
# config
(config) #
4. To use RSA public key exchange and authentication:
a. Associate the imported RSA certificate with a file.
(config) # ssl associate cert myrsacert1 rsacert.pem
b. Associate the imported RSA key pair with a file.
(config) # ssl associate rsakey myrsakey1 rsakey.pem
5. Compare the public key in the associated certificate with the public key
stored with the associated private key and verify that they are identical.
(config) # ssl verify myrsacert1 myrsakey1
Certificate mycert1 matches key mykey1
ssl associate rsakey NEWKEY newkey.pem
ssl associate cert NEWCERT newcert.pem
!************************* INTERFACE *************************
interface 3/3
description "****WEB SIDE****"
bridge vlan _ID_X.X.X.X
bridge port-fast enable
interface 3/4
bridge vlan_ID_Y.Y.Y.Y
bridge port-fast enable
description "****PIX SIDE****"
!************************** CIRCUIT **************************
circuit VLAN_ID_X
ip address A.A.A.A B.B.B.0
ip virtual-router 2 priority 101 preempt
ip redundant-interface 3 C.C.C.C
ip critical-service 3 chk-con-pix_Y.Y.Y.Y
ip critical-service 3 chk-con-web_X.X.X.X
circuit VLAN_ID_Y
ip address D.D.D.D E.E.E.0
ip virtual-router 4 priority 101 preempt
ip redundant-vip 4 F.F.F.F
ip critical-service 4 chk-con-pix_Y.Y.Y.Y
ip critical-service 4 chk-con-web_X.X.X.X
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address F.F.F.F
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
!************************** SERVICE **************************
service FRONT_SSL
type ssl-accel
slot 4
keepalive type none
add ssl-proxy-list NEW
active
service WEBSERVER-03
ip address G.G.G.G
redundant-index 3
protocol tcp
port 80
active
service WEBSERVER-04
ip address H.H.H.H
redundant-index 4
protocol tcp
port 80
active
service chk-con-pix_Y.Y.Y.Y
keepalive type script ap-kal-pinglist "N.N.N.N"
ip address J.J.J.J
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
service chk-con-web_X
ip address K.K.K.K
keepalive type script ap-kal-pinglist "P.P.P.P"
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
!*************************** OWNER ***************************
owner NEW
content BACKNEW_HTTP
vip address F.F.F.F
add service WEBSERVER-03
add service WEBSERVER-04
protocol tcp
port 81
url "/*"
redundant-index 5
no persistent
active
content FRONTENDNEW_SSL
vip address F.F.F.F
protocol tcp
port 443
application ssl
add service FRONT_SSL
active
content NEW
url "//www.ABC.com/*"
vip address F.F.F.F
protocol tcp
port 80
redundant-index 4
redirect "https://ABC.com"
active
your reply on this would be highly appericated.

Cisco 3925 Enhanced EtherSwitch Service Module

Hello all,
I have a Cisco 3925 router with a SM-ES3G-16-P Etherswitch module. In order for me to access it, I need to put an IP address on the phyiscal interface its attached to. Then I can access it via the service-module command.
My question is -- does it matter what address I give it? Does it need to be a legitimate management address on my network so that I can access it directly from another switch? Or do I always need to go through the router and issue the service-module command? If I do need to always go through the router, I should just be able to give it a 10.10.10.1 address and that should be enough, right?
Thanks for your help in advance,
Bobby Grewal

Thanks Reza...one more question. how does the switch module actually talk to the 3925 router? Through port 17 or 18? If so, do I need to configure those interfaces as routed ports within the same subnet? Or are they just trunks? All connections within the switching module would need to talk to outside devices.

Does ASA Service Module on 6509-E support Remote Access VPN ?

I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
Tech Info:
6509-E running SUP 2T 15.1(2)SY
ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption-DES - Enabled
Encryption-3DES-AES -Enabled
Thanks in Advance for support.

Are you running multiple context mode?
If you are, remote access VPN is not supported in that case:
"Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
Reference.

IP sec VPN service module

Hi All,
we have a VPN service module that doesn't support AES 256 bits. is there a way to overcome this limitation by uploading a key? how can we do it if feasible?
thanks
Jean

if you require aes you need the newer VPN SPA.
http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9ee_ps8768_Products_Data_Sheet.html
(assuming you have a 6500/7600...but you didn't state exactly what you have)

Migrating from FWSM to ASA Service Module (ASASM)

I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.

So long as the chassis has enough power to power these modules you are good.
Upto 4 FWSMs can be installed in a chassis.
Upto 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

How to configure link between 2921 and SM-D-ES3G-48-P EtherSwitch Service Module

hi,
I can't do that like the procedure given by Cisco.
http://www.cisco.com/en/US/partner/docs/routers/access/interfaces/software/feature/guide/eesm_sw.html#wp1942894
Cisco Procedure :
interface gi10/0
ip address x.x.x.x x.x.x.x
service-module gigabitethernet 1/0 session
My result :
R2921-8CPITR-1(config)#int gi 1/1
R2921-8CPITR-1(config-if)#ip address 2.2.2.2 255.255.255.192
% IP addresses may not be configured on L2 links.
R2921-8CPITR-1(config-if)
R2921-8CPITR-1(config)#interface gigabitEthernet 1/1.1 ?
% Unrecognized command
R2921-8CPITR-1(config)#interface gigabitEthernet 1/1 ?
<cr>
R2921-8CPITR-1(config)#
the session is not possible also ?
R2921-8CPITR-1#service-module gigabitEthernet 1/1 sess
                                                  ^
% Invalid input detected at '^' marker.
R2921-8CPITR-1#
The routeur said that it's not a L3 port, so how to configure it to allow communication between the 2921 and the card ?
Is there a bug with that version I'm in 15.1(4)M4 ????
R2921-8CPITR-1#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
R2921-8CPITR-1 uptime is 19 hours, 21 minutes
System returned to ROM by power-on
System restarted at 16:00:45 GAB Fri Sep 14 2012
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2921/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID FGL1618119E
6 Gigabit Ethernet interfaces
2 terminal lines
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO2921/K9          FGL1618119E
Technology Package License Information for Module:'c2900'
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          None          None           None
Configuration register is 0x2102
R2921-8CPITR-1#

Same issue here.
I just waited a few minutes and the interface went down and back up, this time it was a L3 interface.
My guess is that it was booting the switch module IOS, and it detected it until it was fully booted:
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Apr 11 05:26:52.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Apr 11 05:27:46.947: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
Apr 11 05:27:47.031: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
Apr 11 05:27:47.083: %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
Apr 11 05:27:47.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
Apr 11 05:27:48.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
Apr 11 05:27:49.283: %IP-5-WEBINST_KILL: Terminating DNS process
Apr 11 05:27:52.499: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
Apr 11 05:27:53.087: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 16:50 by prod_rel_team
Apr 11 05:27:53.255: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
Apr 11 05:27:53.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
Apr 11 05:28:21.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Apr 11 05:29:22.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
Apr 11 05:29:22.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Router>en
Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet1/0 unassigned YES unset administratively down down
GigabitEthernet1/1 unassigned YES unset up down
Vlan1 unassigned YES unset down down
Router#
Apr 11 05:29:46.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to upconf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int g1/0
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#
Apr 11 05:30:09.046: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Apr 11 05:30:10.046: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
Router(config-if)#end

VPN service module choice 7600-SSC-400 vs. SPA-IPSEC-2G

Need to decide between the two VPN service module: 7600-SSC-400 and SPA-IPSEC-2G for a 6509 sup 720 3bxl. Not sure what is the difference and couldnt find too much info just searching the internet. What would be the benefits of one or another?

Hello,
You will need both. The 7600-SSC-400 is the carrier module of the SPA-IPSec-2G.
There is more information on this via the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
Warm Regards,
Rose

Cisco SSL Services Module (on 6500)

Similar Messages

Maybe you are looking for