
Table of Contents

Data Encryption Service Adapter

Description

Platforms

Prerequisites

Configuration Tasks

Configuration Example

Command Reference

What to Do Next

Data Encryption Service Adapter

Description

The data encryption service adapter (ESA) is available on Cisco 7200 series routers, on the second-generation Versatile Interface Processors (VIP2-40 specifically) in Cisco 7500 series routers, and on the VIP2-40 in Cisco 7000 series routers with the 7000 Series Route Switch Processor (RSP7000) and 7000 Series Chassis Interface (RSP7000CI). (ESAs require VIP2 model VIP2-40.)

The ESA provides encryption processing to offload some of the encryption processing from the router's main processor and to improve performance. Encryption and authentication are provided by a software service called a crypto engine. The ESA provides the encryption mechanisms required to perform data encryption using a 40-bit or 56-bit Data Encryption Standard (DES) configured through the crypto engine. The ESA uses Public Key (PK) technology based on the concept of the Protected Entity (PE) and employs the DES and the Digital Signature Standard (DSS) to ensure secure data and information can be transferred between similarly equipped hosts on your network.

For detailed information on encryption, refer to the "Configuring Network Data Encryption with Router Authentication" chapter in the Security Configuration Guide.

Platforms

This feature is supported on these platforms:

Prerequisites

Following are specific hardware and software prerequisites to ensure proper operation of the ESA:


Note If distributed switching is on, every IP packet on the VIP2-40 goes through a crypto map check. If NetFlow switching is on, the flow cache is used, and the only packets affected by the crypto map check are those for which no flow cache entry exists.

For information on enabling and configuring the NetFlow switching feature, refer to the Network Protocols Configuration Guide, Part 1 (the "Configuring IP" chapter) and the Network Protocols Command Reference (the "IP Commands" chapter). These publications are available on the Documentation CD-ROM and as printed copies.

There are no chassis slot restrictions on where the ESA can be installed; however, we recommend that you fully understand online insertion and removal functionality in the Cisco 7200 series routers before ESA installation.

For additional hardware, software, and compliance prerequisites, refer to the Data Encryption Service Adapter (ESA) Installation and Configuration publication.

Compliance with U.S. Export Laws and Regulations Regarding Encryption

This product performs encryption and is regulated for export by the U.S. Government. Following is specific information regarding compliance with U.S. export laws and regulations for encryption products:

Configuration Tasks

Encryption and authentication are provided by a software service called a crypto engine. You must configure each crypto engine on the router. After you configure the crypto engine, you can configure any port governed by that crypto engine to perform encryption and authentication.

For information on how to configure the crypto engine on the ESA, refer to the "Configuring Network Data Encryption with Router Authentication" chapter of the Security Configuration Guide.

In addition to the commands in the "Configuring Network Data Encryption with Router Authentication" chapter, online insertion and removal (OIR) of the ESA on Cisco 7200 series routers requires the crypto esa enable and crypto esa shutdown global configuration commands. Refer to the "Cisco 7200 Series Crypto Engine" section for information.


Note For more information on OIR for the ESA, refer to the Data Encryption Service Adapter (ESA) Installation and Configuration publication.

Cisco 7000 Series and Cisco 7500 Series Crypto Engine

If you have a Cisco 7000 series or Cisco 7500 series router with an ESA, your router has an additional crypto engine associated with the ESA (referred to as a hardware crypto engine).

In Cisco 7000 series and Cisco 7500 series routers, the ESA and a compatible port adapter are attached to a VIP2-40, and the ESA's hardware crypto engine provides encryption and authentication services only for ports on the adjoining VIP2-40 port adapter.

The Cisco IOS crypto engine on the RSP provides encryption and authentication for all remaining ports of your router. In other words, the ESA's hardware crypto engine can govern the adjoining VIP2-40 port adapter's ports, and the Cisco IOS crypto engine governs all remaining ports in the router. This is also true if distributed switching is not enabled. (During configuration, you must specify which ports participate in encryption and authentication.)

Cisco 7200 Series Crypto Engine

If you have a Cisco 7200 series router, your router has either the Cisco IOS crypto engine, or the hardware crypto engine associated with the ESA.

For Cisco 7200 series routers without an ESA installed, the Cisco IOS crypto engine governs any port adapter's ports. For Cisco 7200 series routers with an ESA installed, the ESA's hardware crypto engine governs any port adapter's ports.


Note For Cisco 7200 series routers with an ESA, the tasks in the following sections must be used to enable or shut down an ESA. For more information on OIR for the ESA, refer to the Data Encryption Service Adapter (ESA) Installation and Configuration publication.

Enabling the ESA

If the Cisco 7200 series router is booted with an ESA installed in it, or if you install the ESA after the router is operational, the ESA will not be put into service (that is, the router will not switch to the hardware crypto engine) until the extraction latch has been cleared, there are DSS keys stored on the ESA card, and the card is enabled.

The extraction latch is a hardware latch that is set when an ESA is removed and reinstalled in the chassis. When the extraction latch is set, the Tampered LED is on. You can clear the extraction latch on the ESA by using the crypto clear-latch global configuration command.

If the extraction latch is set or there are no DSS keys stored on the ESA, the router displays a message similar to the following, which shows that it switched to the software crypto engine:

SETUP: new interface ESA-Key2/1 placed in "shutdown" state
There are no keys on the ESA in slot 2- ESA not enabled
...switching to SW crypto engine

To determine if there are DSS keys stored on the ESA card, use the show crypto card command and look at the "DSS Key set" field in the output. If the field contains "Yes," the keys are stored.

If the crypto system on the Cisco 7200 series router is a software crypto engine and you install an ESA, the extraction latch is set, and the ESA enters a "pending" state. After the extraction latch is cleared, the crypto system checks to see if there are any keys on the ESA card. If there are no keys, the ESA card remains in a pending state. While the ESA is in a pending state, attempts to generate keys apply to the ESA and not the existing software crypto engine. However, the crypto system is still a fully functional software crypto engine and can sustain crypto connections in this state. To determine the ESA state, use the show crypto engine brief command and look at the "crypto engine state" field in the output.

To change the ESA's pending state, you must perform one of the following actions:

As mentioned above, after installing an ESA in a Cisco 7200 series router, you must enable the ESA before the hardware crypto engine becomes available. Until the ESA is enabled, the software crypto engine functions as the crypto engine. While the ESA hardware crypto engine is being enabled, crypto traffic will not pass through the hardware crypto engine. After the ESA is enabled, crypto traffic will pass through the hardware crypto engine and all preexisting software connections are closed and reestablished on the hardware crypto engine.

When an ESA is installed in a Cisco 7200 series router and the router already has crypto connections, the keys to maintain these connections do not disappear, but the keys on the ESA are used instead. However, the ESA cannot be used until, at a minimum, the extraction latch has been cleared. Keys might also need to be generated and, if so, the keys must be exchanged between the peer routers before crypto connections can be established using the ESA. These tasks involving the ESA can take an indeterminate amount of time.

To enable the ESA on a Cisco 7200 series router when the ESA does not have keys, perform the following tasks beginning in global configuration mode:

Step 1  Clear the extraction latch on the ESA.
        Command: crypto clear-latch slot
Step 2  When prompted, enter the crypto card password.
        Command: password
Step 3  Generate and exchange software keys between peer routers. (1)
        Command: crypto gen-signature-keys key-name [slot]
Step 4  When prompted, enter the crypto card password.
        Command: password
Step 5  When prompted, reenter the crypto card password.
        Command: password
Step 6  Specify the ESA to enable on the Cisco 7200 series router.
        Command: crypto esa enable slot
Step 7  Exit global configuration mode.
        Command: exit

(1) For more information, refer to the "Generate DSS Public/Private Keys" and the "Exchange DSS Public Keys" sections in the "Configuring Network Data Encryption with Router Authentication" chapter of the Security Configuration Guide.

To enable the ESA on a Cisco 7200 series router when the ESA already has keys, perform the following tasks beginning in global configuration mode:

Step 1  Clear the extraction latch on the ESA.
        Command: crypto clear-latch slot
Step 2  When prompted, enter the crypto card password.
        Command: password
Step 3  When prompted, enter yes. If existing keys were found on the ESA, you are prompted to enable the ESA.
        Command: yes
Step 4  Exit global configuration mode.
        Command: exit

To enable the ESA on a Cisco 7200 series router when the ESA already has keys but you want to generate new keys, perform the following tasks beginning in global configuration mode:

Step 1  Clear the extraction latch on the ESA.
        Command: crypto clear-latch slot
Step 2  When prompted, enter the crypto card password.
        Command: password
Step 3  When prompted, enter no. If existing keys were found on the ESA, you are prompted to enable the ESA.
        Command: no
Step 4  Generate and exchange software keys between peer routers. (1)
        Command: crypto gen-signature-keys key-name [slot]
Step 5  When prompted, enter yes to generate new DSS keys.
        Command: yes
Step 6  When prompted, enter the crypto card password.
        Command: password
Step 7  When prompted, reenter the crypto card password.
        Command: password
Step 8  Specify the ESA to enable on the Cisco 7200 series router.
        Command: crypto esa enable slot
Step 9  Exit global configuration mode.
        Command: exit

(1) For more information, refer to the "Generate DSS Public/Private Keys" and the "Exchange DSS Public Keys" sections in the "Configuring Network Data Encryption with Router Authentication" chapter of the Security Configuration Guide.

Note With the crypto esa enable command, there is minimal crypto downtime when an ESA is installed in a Cisco 7200 series router and there are already software crypto connections. This is because the crypto subsystem can continue to function as a software crypto engine while the hardware keys are being created and exchanged, or at least until the extraction latch has been cleared (if the ESA already had previously exchanged keys in its NVRAM).

For an example of enabling the ESA, refer to the "Configuration Example" section.
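The following Python is an added example, not part of this Cisco publication: it parses the show crypto card and show crypto engine brief displays documented in the Command Reference of this chapter and applies this section's readiness rule (latch cleared, DSS keys present, card enabled) to report what still blocks crypto esa enable and which of the three procedures above applies. The sample displays are constructed, and reading "Xtracted: Yes" as the extraction-latch indicator is an assumption.

```python
"""Added example (not Cisco's code): parse the `show crypto card` and
`show crypto engine brief` displays shown on this page and apply the page's
rule that a 7200 ESA is not put into service until the extraction latch is
cleared, DSS keys are stored on it, and it is enabled. Constructed samples;
treating "Xtracted: Yes" as the extraction-latch indicator is an assumption."""

import re

# Constructed sample: a reinstalled ESA with no keys yet.
SAMPLE_CARD_PENDING = """\
Crypto card in slot: 2
Tampered:        No
Xtracted:        Yes
Password set:    No
DSS Key set:     No
FW version:      5049702
"""

# Constructed sample: latch cleared and keys present; the card can be enabled.
SAMPLE_CARD_READY = """\
Crypto card in slot: 2
Tampered:        No
Xtracted:        No
Password set:    Yes
DSS Key set:     Yes
FW version:      5049702
"""

# Constructed sample: the software engine reporting the 7200 "ESA pending" state.
SAMPLE_ENGINE_BRIEF = """\
crypto engine name:   Apricot
crypto engine type:   software
crypto engine state:  installed (ESA pending)
crypto lib version:   2.0.0
crypto engine in slot: 4
"""

# "Field name:   value" lines, the layout both displays on this page use.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_crypto_card(text):
    """Return {field: value} for one `show crypto card` display."""
    pairs = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}


def parse_engine_brief(text):
    """Return one {field: value} dict per blank-line-separated engine stanza."""
    engines = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = parse_crypto_card(stanza)  # same "name: value" layout
        if fields:
            engines.append(fields)
    return engines


def assess_esa(card_text, engine_brief_text="", want_new_keys=False):
    """Return blockers to `crypto esa enable`, tamper findings, whether any
    engine reports "ESA pending", and which documented procedure applies."""
    card = parse_crypto_card(card_text)

    def is_yes(field):
        return card.get(field, "").lower() == "yes"

    blockers, findings = [], []
    if is_yes("Tampered"):
        # Per the field description, a tamper-shield removal attempt clears
        # the card's memory much as crypto zeroize would; keys must be redone.
        findings.append("tamper shield removal recorded; card memory was cleared")
    if is_yes("Xtracted"):
        blockers.append("extraction latch set: clear it with 'crypto clear-latch <slot>'")
    has_keys = is_yes("DSS Key set")
    if not has_keys:
        blockers.append("no DSS keys on the card: generate and exchange keys first")

    # The three enabling procedures documented in this section.
    if not has_keys:
        procedure = "no keys: clear-latch, gen-signature-keys, exchange keys, esa enable"
    elif want_new_keys:
        procedure = "new keys: clear-latch, answer no, gen-signature-keys, esa enable"
    else:
        procedure = "keys present: clear-latch, answer yes at the enable prompt"

    pending = any("ESA pending" in e.get("crypto engine state", "")
                  for e in parse_engine_brief(engine_brief_text))
    return {
        "slot": card.get("Crypto card in slot"),
        "blockers": blockers,
        "findings": findings,
        "esa_pending": pending,
        "procedure": procedure,
        "ready_to_enable": not blockers,
    }
```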

Shutting Down the ESA

On Cisco 7200 series routers, you can switch from the hardware crypto engine to the software crypto engine without manually removing the ESA from the slot by using the crypto esa shutdown global command. When an ESA is shut down, there is crypto downtime if there are no preexisting software keys that were exchanged before the ESA was shut down. The crypto connections that existed before the extraction are closed--they cannot continue because their session keys were in the removed ESA's NVRAM.

The crypto esa shutdown global command allows you to minimize crypto engine unavailability and to generate and exchange software session keys.

To switch from the hardware crypto engine to the software crypto engine by shutting down the ESA (as if it were extracted), perform the following task in global configuration mode:

Task    Specify the ESA to shut down on the Cisco 7200 series router.
        Command: crypto esa shutdown slot

To reinstall the ESA using the crypto esa enable command, refer to the "Enabling the ESA" section earlier in this chapter.

Removing Keys

On Cisco 7200 series routers it is possible to have two sets of keys associated with one crypto engine slot (that is, keys can be exchanged with peers when there is a software crypto engine and also a hardware crypto engine). If there are two sets of keys, they will not be the same. Each set of keys has a serial number that is associated with the crypto engine. The crypto zeroize global configuration command only deletes keys that match the serial number of the current crypto engine. It is not possible to delete the ESA's keys until the crypto system switches to the hardware crypto engine. When using the hardware crypto engine, the slot of the ESA must be supplied in the crypto zeroize command.

To remove keys from the crypto engine on Cisco 7200 series routers when there are two sets of keys, perform the following tasks beginning in EXEC mode:

Step 1  Determine if there are two sets of keys.
        Command: show crypto mypubkey
Step 2  Determine the current crypto engine, and do one of the following:
          • If the current crypto engine is the one you want to remove the keys from, go to Step 3.
          • If the current crypto engine is not the one you want to remove keys from, go to Step 4 to switch to the hardware crypto engine, or go to Step 5 to switch to the software crypto engine.
        Command: show crypto engine configuration
Step 3  Delete the keys, and go to Step 6.
        Command: crypto zeroize (for the software crypto engine)
                 crypto zeroize slot (for the hardware crypto engine)
Step 4  Switch to the hardware crypto engine, and go to Step 6.
        Command: crypto esa enable slot
Step 5  Switch to the software crypto engine, and go to Step 6.
        Command: crypto esa shutdown slot
Step 6  Verify that the crypto engine you want is now the current crypto engine.
        Command: show crypto engine configuration
Step 7  Delete the keys from the current crypto engine.
        Command: crypto zeroize (for the software crypto engine)
                 crypto zeroize slot (for the hardware crypto engine)

Configuration Example

The following example shows how to enable the ESA in slot 2 when there are no keys on the ESA card. This example shows that you must clear the extraction latch before the ESA can be enabled.

Apricot# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Apricot(config)# crypto esa enable 2
The extraction latch is set on the ESA in slot 2- ESA not enabled
Apricot(config)# crypto clear-latch 2
% Enter the crypto card password.
Password: 
ESA in slot 2 not enabled
[OK]
Apricot(config)# crypto gen-signature-keys apricot
% Initialize the crypto card password. You will need
   this password in order to generate new signature
   keys or clear the crypto card extraction latch.
Password: 
Re-enter password: 
Generating DSS keys....
 [OK]
Apricot(config)# crypto esa enable 2
...switching to HW crypto engine
Apricot(config)# exit

The following example shows how to enable the ESA when keys already exist on the ESA card:

Apricot# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Apricot(config)# crypto clear-latch 2
% Enter the crypto card password.
Password: 
Keys were found for this ESA- enable ESA now? [yes/no]: yes
...switching to HW crypto engine
[OK]
Apricot(config)# exit

The following example shows how to enable the ESA when keys already exist on the ESA card but you want to generate new keys:

Apricot# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Apricot(config)# crypto clear-latch 2
% Enter the crypto card password.
Password: 
Keys were found for this ESA- enable ESA now? [yes/no]: no
ESA in slot 2 not enabled
[OK]
Apricot(config)# crypto gen-signature-keys newkeys
% Generating new DSS keys will require re-exchanging
   public keys with peers who already have the public key
   named apricot!
Generate new DSS keys? [yes/no]: yes
% Initialize the crypto card password. You will need
   this password in order to generate new signature
   keys or clear the crypto card extraction latch.
Password: 
Re-enter password: 
Generating DSS keys....
[OK]
Apricot(config)#
... Exchange new keys here...
Apricot(config)# crypto esa enable 2
...switching to HW crypto engine
Apricot(config)# exit

Note For additional examples of configuring the crypto engine on the ESA, refer to the "Configuring Network Data Encryption with Router Authentication" chapter of the Security Configuration Guide.

Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.2 command references.

crypto clear-latch

To clear the extraction latch on the Encryption Service Adapter (ESA) in Cisco 7500 series or Cisco 7200 series routers, use the crypto clear-latch global configuration command. The extraction latch is a hardware latch that is set when an ESA is removed and reinstalled in the chassis. When the extraction latch is set, the Tampered LED is on.

crypto clear-latch [slot] (Cisco 7500 series and Cisco 7200 series with an ESA)
Syntax Description
slot Identifies the slot number of the ESA to clear. On Cisco 7500 series routers, this is the slot number of the second-generation Versatile Interface Processor (VIP2) that contains the ESA.
Default

The ESA latch is not cleared.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to include information on the Cisco 7200 series router.

If an ESA is ever removed and reinstalled, the ESA will not function unless you clear it by using this command. To complete this command, you must enter the password that was created when the crypto gen-signature-keys command was first performed for the ESA crypto engine.

If you need the password but have forgotten it, you have to use the crypto zeroize command. After issuing the crypto zeroize command, you must regenerate and re-exchange DSS keys. When you regenerate DSS keys, you will be prompted to create a new password.

Example

The following example clears the extraction latch on an ESA card. The ESA card is housed in a VIP2 that is in slot 1.

Apricot(config)# crypto clear-latch 1
% Enter the crypto card password.
Password: <passwd>
Apricot(config)#
Related Commands

crypto gen-signature-keys
crypto zeroize

crypto esa

To enable the hardware crypto engine on an ESA in Cisco 7200 series routers after the ESA is installed, or to shut down the ESA hardware crypto engine, use the crypto esa global configuration command.

crypto esa {enable | shutdown} slot
Syntax Description
enable Specifies that the hardware crypto engine on the specified ESA be enabled.
shutdown Specifies that the hardware crypto engine on the specified ESA be shut down.
slot Backplane slot number of the ESA.
Default

The hardware crypto engine is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

This command only applies to Cisco 7200 series routers.

Use the crypto esa enable command after you install the ESA in the Cisco 7200 series router. Until the ESA is enabled, the software crypto engine will function as the crypto engine. While the ESA hardware crypto engine is being enabled, crypto traffic will not pass through the hardware crypto engine. After the ESA is enabled, crypto traffic will pass through the hardware crypto engine and all preexisting software connections are closed and reestablished on the hardware crypto engine.

When an ESA is installed into the Cisco 7200 series router and the router already has crypto connections, the keys to maintain these connections do not disappear, but the keys on the ESA are used instead. However, the ESA cannot be used until, at a minimum, the extraction latch has been cleared with the crypto clear-latch command. Keys might also need to be generated and if so, exchanged between the peer routers before crypto connections can be established using the ESA.


Note With the crypto esa enable command, there is minimal crypto downtime when an ESA is installed into the Cisco 7200 series router and there are already software crypto connections. This is because the crypto subsystem can continue to function as a software crypto engine while the hardware keys are being created and exchanged, or at least until the extraction latch has been cleared (if the ESA already had previously exchanged keys in its NVRAM).

To switch from the hardware crypto engine to the software crypto engine without physically removing the ESA from the slot, use the crypto esa shutdown command. When an ESA is shut down, there is crypto downtime if there are no pre-existing software keys that were exchanged before the ESA was shut down. The crypto connections that existed before the extraction are closed--they cannot continue because their session keys were in the removed ESA's NVRAM.

Examples

The following example shows how to shut down the ESA in slot 1 on a Cisco 7200 series router:

Apricot# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Apricot(config)# crypto esa shutdown 1
...switching to SW crypto engine
Apricot(config)# exit

The following example shows how to enable the ESA in slot 2 on a Cisco 7200 series router when there are no keys on the ESA:

Apricot# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Apricot(config)# crypto clear-latch 2
% Enter the crypto card password.
Password: 
ESA in slot 2 not enabled
[OK]
Apricot(config)# crypto gen-signature-keys apricot
% Initialize the crypto card password. You will need
   this password in order to generate new signature
   keys or clear the crypto card extraction latch.
Password: 
Re-enter password: 
Generating DSS keys....
 [OK]
Apricot(config)# crypto esa enable 2
...switching to HW crypto engine
Apricot(config)# exit
Related Commands

crypto clear-latch
crypto gen-signature-keys

crypto zeroize

To delete the Digital Signature Standard (DSS) public/private key pair of a crypto engine, use the crypto zeroize global configuration command.

crypto zeroize [slot]
Caution  DSS keys cannot be recovered after they have been removed. Use this command only after careful consideration.
Syntax Description
slot (Optional) Used to identify the crypto engine. Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7200 series and Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a second-generation Versatile Interface Processor (VIP2) for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).

On the Cisco 7200 series router with an ESA, you must provide the slot of the ESA.

Default

DSS public and private keys will remain valid indefinitely.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to include information on Cisco 7200 series routers.

If you choose to stop using encryption on a router, completely or for a specific crypto engine only, you can delete the public/private DSS key pair(s) for your router's crypto engine(s). However, after you delete DSS key pairs for a specified crypto engine, you will no longer be able to use that crypto engine to have any encrypted sessions with peer routers unless you regenerate and re-exchange new DSS keys. If you are using only one crypto engine at your router, issuing this command will prevent you from performing any encryption at the router.

This command can be used if you lose the password required to complete the crypto clear-latch or crypto gen-signature-keys commands. After using the crypto zeroize command, you will need to regenerate and re-exchange new DSS keys. You will be prompted to supply a new password when you regenerate new DSS keys with the crypto gen-signature-keys command.

On the Cisco 7200 series routers it is possible to have two sets of keys associated with one crypto engine slot (that is, keys are exchanged with peers when there is a software crypto engine and also a hardware crypto engine). If there are two sets of keys, they will not be the same. Each set of keys has a serial number that is associated with the crypto engine. The crypto zeroize global configuration command only deletes keys that match the serial number of the current crypto engine. It is not possible to delete the ESA's keys until the crypto system switches to the hardware crypto engine. When using the hardware crypto engine, the slot of the ESA must be supplied to the crypto zeroize command. For more information, refer to the "Removing Keys" section earlier in this chapter.

Example

The following example deletes the DSS public/private key of a router named Apricot, which is a Cisco 7500 series router with an RSP in slot 4:

Apricot(config)# crypto zeroize 4
Warning! Zeroize will remove your DSS signature keys.
Do you want to continue? [yes/no]: y
Keys to be removed are named ApricotIOS.
Do you really want to remove these keys? [yes/no]: y
[OK]
Apricot(config)#
Related Command

crypto gen-signature-keys

show crypto card

To view the operational status of an Encryption Service Adapter (ESA), use the show crypto card privileged EXEC command. This command is valid only for routers with an installed ESA.

show crypto card [slot] (routers with an installed ESA only)
Syntax Description
slot (Optional) Identifies the ESA to show, by naming the slot in which the ESA resides. For Cisco 7500 series routers, this is the slot of the second-generation Versatile Interface Processor (VIP2) that contains the ESA. For Cisco 7200 series routers, the slot is not used.
Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to update the sample display.

Sample Display

The following is sample output from the show crypto card command:

Apricot# show crypto card 0
Crypto card in slot: 0
Tampered:        No
Xtracted:        No
Password set:    Yes
DSS Key set:     Yes
FW version:      5049702

Table 52 describes the show crypto card display fields.


Table 52: Show Crypto Card Field Descriptions
Field Description
Tampered "Yes" indicates that somebody attempted to physically remove the tamper shield cover from the ESA card. Such an attempt causes the ESA card to clear its memory, much as if a crypto zeroize command had been issued for the ESA.
Xtracted "Yes" indicates that the ESA card had been extracted (removed) from the router.
Password set "Yes" indicates that the ESA card password has already been set. This password is set with the crypto gen-signature-keys command, and is required for the crypto clear-latch command or subsequent issues of the crypto gen-signature-keys command.
DSS Key set "Yes" indicates that DSS keys are generated and ready for use. DSS keys are generated using the crypto gen-signature-keys command.
FW version Version number of the firmware running on the ESA card.

show crypto engine brief

To view all crypto engines within Cisco 7200 series, Cisco 7500 series, and Cisco 7000 series routers with the RSP7000 and RSP7000CI, use the show crypto engine brief privileged EXEC command.

show crypto engine brief
Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to update the sample display.

Sample Display

The following is sample output from the show crypto engine brief command. In this example, the router has three crypto engines: a Cisco IOS crypto engine and two Encryption Service Adapter (ESA) crypto engines. The ESA crypto engine in slot 1 has Digital Signature Standard (DSS) keys generated.

Apricot# show crypto engine brief
crypto engine name:   Apricot-vip1
crypto engine type:   ESA
crypto engine state:  dss key generated
crypto firmware version:  5049702
crypto engine in slot: 1
 
crypto engine name:   Apricot-vip
crypto engine type:   ESA
crypto engine state:  installed
crypto firmware version:  5049702
crypto engine in slot: 2
 
crypto engine name:   Apricot
crypto engine type:   software
crypto engine state:  installed
crypto lib version:   2.0.0
crypto engine in slot: 4

Table 53 describes the show crypto engine brief display fields.


Table 53: Show Crypto Engine Brief Field Descriptions
Field Description
crypto engine name Name of the crypto engine as assigned with the key-name argument in the crypto gen-signature-keys command.
crypto engine type If "software" is listed, the crypto engine resides in either the Route Switch Processor (RSP) (the Cisco IOS crypto engine) or in a second-generation Versatile Interface Processor (VIP2).

If "ESA" is listed, the crypto engine is associated with an Encryption Service Adapter (ESA).

crypto engine state If "installed" is listed, it indicates that a crypto engine is located in the given slot, but is not configured for encryption/authentication.

If "dss key generated" is listed, it indicates the crypto engine found in that slot has DSS keys already generated.

On Cisco 7200 series routers, the state "installed (ESA pending)" indicates that the software crypto engine will be replaced with the hardware crypto engine as soon as it becomes available.

crypto firmware version Version number of the crypto firmware running on the ESA.
crypto lib version Version number of the crypto library running on the router.
crypto engine slot Chassis slot number of the crypto engine. Either the slot number of the RSP for the Cisco IOS crypto engine, or the slot number of a VIP2 for a VIP2 or Encryption Service Adapter (ESA) crypto engine.
Related Command

show crypto engine configuration

show crypto map

To view all created crypto maps of the router, use the show crypto map privileged EXEC command.

show crypto map
Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to update the sample display.

Sample Display

The following is sample output from the show crypto map command when access lists are associated with a map.

Pear# show crypto map
Crypto Map "Canada" 10
        Connection Id = 1        (1 established,    0 failed)
        Crypto Engine = Pear (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Banana
        PE = 11.0.0.1
        UPE = 10.0.0.1
        Extended IP access list 101
                access-list 101 permit ip host 12.120.0.1 host 12.120.0.2
                access-list 101 permit ip host 11.0.0.1 host 10.0.0.1

The following is sample output from the show crypto map command performed at a Cisco 7500 series router. Two crypto maps are shown: a crypto map named ResearchSite with sub-definitions 10 and 20, and another crypto map named HQ.

Banana# show crypto map
Crypto Map "ResearchSite" 10
        Connection Id = 6        (6 established,    0 failed)
        Crypto Engine = Banana (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Apricot
        PE = 12.120.0.1
        UPE = 12.120.0.2
        Extended IP access list 102
                access-list 102 permit ip host 12.120.0.1 host 12.120.0.2
Crypto Map "ResearchSite" 20
        Connection Id = UNSET        (0 established,    0 failed)
        Crypto Engine = Banana (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Apricot
        PE = 172.21.114.165
        UPE = 172.21.114.196
        Extended IP access list 102
                access-list 102 permit ip host 172.21.114.165 host 172.21.114.196
Crypto Map "HQ" 10
        Connection Id = UNSET        (3 established,    0 failed)
        Crypto Engine = Banana (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Apricot
        PE = 172.21.114.11
        UPE = 192.168.129.33
        Extended IP access list 102
                access-list 102 permit ip host 172.21.114.11 host 192.168.129.33

The output lists each crypto map sub-definition separately. If a crypto map has more than one sub-definition, each is listed by its sequence number (the seq-num argument of the crypto map global configuration command), shown after the crypto map name.

Table 54 describes the show crypto map display fields.


Table 54: Show Crypto Map Field Descriptions

Connection Id: Identifies the connection by its number. Each active encrypted connection is identified by a positive number from 1 to 299. A value of UNSET means that no connection currently exists that uses this crypto map.
Crypto Engine: Name of the governing crypto engine and, in parentheses, the chassis slot it occupies. The slot is either the Route Switch Processor (RSP) slot, indicating the Cisco IOS crypto engine, or a second-generation Versatile Interface Processor (VIP2) slot, indicating a VIP2 or ESA crypto engine. On Cisco 7200 series routers, it is the slot number of the ESA. (Displayed only on Cisco 7000 series, Cisco 7200 series, and Cisco 7500 series routers.)
established: Total number of encrypted connections successfully established using the crypto map.
failed: Total number of attempted encrypted connections that failed to be established using the crypto map.
PE: "Protected Entity." A representative source IP address from the crypto map's encryption access list; it can be any host that matches a source in the access list being used for the connection.
UPE: "Unprotected Entity." A representative destination IP address from the crypto map's encryption access list; it can be any host that matches a destination in the access list being used for the connection.
Algorithm: Encryption algorithm used by the crypto map, for example 40-bit-des cfb-64 in the displays above. Check this field to see which of the two DES key lengths the ESA supports (40-bit or 56-bit) a map is using; 40-bit DES is the weaker of the two.
Peer: Host name of the peer router used by the crypto map.
Extended IP access list: Access lists associated with the crypto map. If no access list is associated, the message "No matching address list set" is displayed.
Related Commands

crypto map (global configuration)
crypto map (interface configuration)
show crypto map interface
show crypto map tag

show crypto map interface

To view the crypto map applied to a specific interface, use the show crypto map interface privileged EXEC command.

show crypto map interface interface
Syntax Description
interface: Interface type and number, for example e0.
Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to update the sample display.

Sample Display

The following is sample output from the show crypto map interface command:

Apricot# show crypto map interface e0
Crypto Map "SiteB" 11
        Connection Id = 6        (6 established,    0 failed)
        Crypto Engine = Apricot (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Banana
        PE = 172.21.114.165
        UPE = 172.21.114.162
        Extended IP access list 101
                access-list 101 permit ip host 172.21.114.165 host 172.21.114.162

Table 55 describes the show crypto map interface display fields.


Table 55: Show Crypto Map Interface Field Descriptions

Connection Id: Identifies the connection by its number. Each active encrypted connection is identified by a positive number from 1 to 299. A value of UNSET means that no connection currently exists that uses this crypto map.
Crypto Engine: Name of the governing crypto engine and, in parentheses, the chassis slot it occupies. The slot is either the Route Switch Processor (RSP) slot, indicating the Cisco IOS crypto engine, or a second-generation Versatile Interface Processor (VIP2) slot, indicating a VIP2 or ESA crypto engine. On Cisco 7200 series routers, it is the slot number of the ESA. (Displayed only on Cisco 7000 series, Cisco 7200 series, and Cisco 7500 series routers.)
established: Total number of encrypted connections successfully established using the crypto map.
failed: Total number of attempted encrypted connections that failed to be established using the crypto map.
PE: "Protected Entity." A representative source IP address from the crypto map's encryption access list; it can be any host that matches a source in the access list being used for the connection.
UPE: "Unprotected Entity." A representative destination IP address from the crypto map's encryption access list; it can be any host that matches a destination in the access list being used for the connection.
Algorithm: Encryption algorithm used by the crypto map, for example 40-bit-des cfb-64 in the display above. Check this field to see which of the two DES key lengths the ESA supports (40-bit or 56-bit) a map is using; 40-bit DES is the weaker of the two.
Peer: Host name of the peer router used by the crypto map.
Extended IP access list: Access lists associated with the crypto map. If no access list is associated, the message "No matching address list set" is displayed.
Related Commands

crypto map (global configuration)
crypto map (interface configuration)
show crypto map
show crypto map tag

show crypto map tag

To view a specific crypto map, use the show crypto map tag privileged EXEC command.

show crypto map tag map-name
Syntax Description
map-name: Name of the crypto map, as given by the map-name argument when the crypto map was created.
Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command was modified in Cisco IOS Release 11.2 P to update the sample display.

Sample Display

The following is sample output from the show crypto map tag command:

Apricot# show crypto map tag HQ
Crypto Map "HQ" 10
        Connection Id = UNSET    (3 established,    0 failed)
        Crypto Engine = Apricot (2)    
        Algorithm = 40-bit-des cfb-64
        Peer = Banana
        PE = 12.120.0.1
        UPE = 12.120.0.2
        Extended IP access list 101
                access-list 101 permit ip host 12.120.0.1 host 12.120.0.2

Table 56 describes the show crypto map tag display fields.


Table 56: Show Crypto Map Tag Field Descriptions

Connection Id: Identifies the connection by its number. Each active encrypted connection is identified by a positive number from 1 to 299. A value of UNSET means that no connection currently exists that uses this crypto map.
Crypto Engine: Name of the governing crypto engine and, in parentheses, the chassis slot it occupies. The slot is either the Route Switch Processor (RSP) slot, indicating the Cisco IOS crypto engine, or a second-generation Versatile Interface Processor (VIP2) slot, indicating a VIP2 or ESA crypto engine. On Cisco 7200 series routers, it is the slot number of the ESA. (Displayed only on Cisco 7000 series, Cisco 7200 series, and Cisco 7500 series routers.)
established: Total number of encrypted connections successfully established using the crypto map.
failed: Total number of attempted encrypted connections that failed to be established using the crypto map.
PE: "Protected Entity." A representative source IP address from the crypto map's encryption access list; it can be any host that matches a source in the access list being used for the connection.
UPE: "Unprotected Entity." A representative destination IP address from the crypto map's encryption access list; it can be any host that matches a destination in the access list being used for the connection.
Algorithm: Encryption algorithm used by the crypto map, for example 40-bit-des cfb-64 in the display above. Check this field to see which of the two DES key lengths the ESA supports (40-bit or 56-bit) a map is using; 40-bit DES is the weaker of the two.
Peer: Host name of the peer router used by the crypto map.
Extended IP access list: Access lists associated with the crypto map. If no access list is associated, the message "No matching address list set" is displayed.
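The show crypto map, show crypto map interface and show crypto map tag commands all produce the display format documented in Tables 54 through 56. The following Python parser and audit is an added example, not Cisco code and not output from this page: it reads that display into one record per crypto map sub-definition and flags the three things a reviewer of this output checks first (a map using 40-bit DES, failed connection attempts, and a sub-definition with no encryption access list). The SAMPLE text is constructed from the page's displays; its failed count, the 56-bit entry and the placement of the "No matching address list set" line are assumptions made to exercise the checks, and the function and class names are the example's own.

```python
"""Parse and audit a Cisco IOS ``show crypto map`` display (ESA-era format).
Added example, not Cisco code; sample input and edge-case placement are assumed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the page's displays. The failed count, the
# 56-bit entry and where "No matching address list set" appears are assumptions.
SAMPLE = """\
Banana# show crypto map
Crypto Map "ResearchSite" 10
        Connection Id = 6        (6 established,    0 failed)
        Crypto Engine = Banana (2)
        Algorithm = 40-bit-des cfb-64
        Peer = Apricot
        PE = 12.120.0.1
        UPE = 12.120.0.2
        Extended IP access list 102
                access-list 102 permit ip host 12.120.0.1 host 12.120.0.2
Crypto Map "ResearchSite" 20
        Connection Id = UNSET        (0 established,    2 failed)
        Crypto Engine = Banana (2)
        Algorithm = 56-bit-des cfb-64
        Peer = Apricot
        PE = 172.21.114.165
        UPE = 172.21.114.196
        No matching address list set
"""

@dataclass
class CryptoMapEntry:
    """One crypto map sub-definition (map name plus seq-num)."""
    name: str
    seq: int
    connection_id: Optional[int] = None  # None when the display says UNSET
    established: int = 0
    failed: int = 0
    engine: Optional[str] = None
    engine_slot: Optional[int] = None    # absent on platforms that omit the slot
    algorithm: Optional[str] = None
    peer: Optional[str] = None
    pe: Optional[str] = None             # Protected Entity (representative source)
    upe: Optional[str] = None            # Unprotected Entity (representative destination)
    access_lists: List[str] = field(default_factory=list)

HEADER_RE = re.compile(r'^Crypto Map "(?P<name>[^"]+)" (?P<seq>\d+)$')
CONN_RE = re.compile(r'^Connection Id = (?P<cid>\S+)\s+\((?P<est>\d+) established,\s+(?P<fail>\d+) failed\)')
ENGINE_RE = re.compile(r'^Crypto Engine = (?P<name>\S+)\s*(?:\((?P<slot>\d+)\))?')
KV_RE = re.compile(r'^(?P<key>Algorithm|Peer|PE|UPE) = (?P<val>.+)$')
ACL_HDR_RE = re.compile(r'^Extended IP access list (?P<num>\d+)')

def parse_show_crypto_map(text: str) -> List[CryptoMapEntry]:
    """Split the display into entries; each 'Crypto Map "..." N' line starts one."""
    entries: List[CryptoMapEntry] = []
    cur: Optional[CryptoMapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = CryptoMapEntry(name=m['name'], seq=int(m['seq']))
            entries.append(cur)
            continue
        if cur is None or not line:
            continue  # prompt line, blank line or other preamble
        m = CONN_RE.match(line)
        if m:
            cur.connection_id = None if m['cid'] == 'UNSET' else int(m['cid'])
            cur.established, cur.failed = int(m['est']), int(m['fail'])
            continue
        m = ENGINE_RE.match(line)
        if m:
            cur.engine = m['name']
            cur.engine_slot = int(m['slot']) if m['slot'] else None
            continue
        m = KV_RE.match(line)
        if m:
            setattr(cur, m['key'].lower(), m['val'].strip())
            continue
        m = ACL_HDR_RE.match(line)
        if m:
            cur.access_lists.append(m['num'])
        # access-list lines and "No matching address list set" need no further handling
    return entries

def audit(entries: List[CryptoMapEntry]) -> List[Tuple[CryptoMapEntry, str]]:
    """Flag what a reviewer of this output looks for first."""
    findings = []
    for e in entries:
        if e.algorithm and e.algorithm.startswith('40-bit'):
            findings.append((e, 'uses 40-bit DES, the weaker of the two key lengths the ESA supports'))
        if e.failed:
            findings.append((e, f'{e.failed} failed connection attempt(s)'))
        if not e.access_lists:
            findings.append((e, 'no encryption access list associated with this sub-definition'))
    return findings

if __name__ == '__main__':
    for e, reason in audit(parse_show_crypto_map(SAMPLE)):
        print(f'Crypto Map "{e.name}" {e.seq}: {reason}')
```

Feed it the captured output of any of the three show commands; because the Crypto Engine slot is optional in the regular expression, the parser also copes with platforms on which that field is not displayed.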
Related Commands

crypto map (global configuration)
crypto map (interface configuration)
show crypto map
show crypto map interface

What to Do Next

For more information on the ESA, refer to the Data Encryption Service Adapter (ESA) Installation and Configuration publication.


Copyright 1989-1997 © Cisco Systems Inc.