PathToIE: This blog is just my notes.<br />
Spanning tree features (2016-08-17)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoListParagraphCxSpFirst" style="margin-bottom: 0.0001pt;">
<b><span style="color: #ed7d31; font-size: 16.0pt; mso-ascii-font-family: Calibri; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-themecolor: accent2;">Root guard:<o:p></o:p></span></b></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Enabling root guard provides protection to the root bridge.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Once root guard is enabled, the port will not accept any BPDUs
that are superior to the existing root bridge's BPDUs. If a better BPDU is received,
the port is placed into the root-inconsistent state.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">The port is moved out of the root-inconsistent state once it
stops seeing superior BPDUs. The recovery is automatic.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">In the standard core-distribution-access network model,
the root bridge is always positioned in the core layer. If an attacker
connected to the access layer generates a better BPDU (with priority zero), then
the access layer switch can become the root, causing inefficient traffic paths, letting the
attacker sniff all the traffic, etc.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Root guard should be enabled to avoid these kinds of situations and to
enforce that the core switch is the root.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Where to enable root guard?</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">On all the ports where root bridge should not appear.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">In the standard network model, access layer switches should not
see any BPDUs from end hosts, so BPDU guard should be enabled.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">The distribution layer switches should not receive any better
BPDUs from access layer switches, so enable root guard on all the ports in the
distribution switches that are connecting to the access layer switches.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">The core layer switches should not receive any better BPDUs from
distribution switches, so enable root guard on all the ports connecting to the
distribution switches.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-nB7Z3k7NQyw/V7UGQRrCp3I/AAAAAAAAAGo/wukszZa3UtgpU31EFNhXU3KxMWODsF95wCLcB/s1600/rootgaurd_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-nB7Z3k7NQyw/V7UGQRrCp3I/AAAAAAAAAGo/wukszZa3UtgpU31EFNhXU3KxMWODsF95wCLcB/s400/rootgaurd_1.png" width="336" /></a></div>
<br />
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Here root guard should be enabled on</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Cat A: fa1/1 and fa1/2</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Cat B: fa2/3</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Cat C: fa3/3 and fa3/1</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Cat D: None. BPDU guard is enabled on fa4/3.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Root guard can only be enabled at the port level.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">It might be tempting to say that root guard must be enabled on all designated ports, or
to ask why there is no single command at the global level that
activates the feature on all designated ports.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-RekxF9Um310/V7UGStksFZI/AAAAAAAAAGs/w9tnKApDPCQyuLzmE2hzyQuu13wHP3LdgCEw/s1600/root_gaurd_2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="302" src="https://3.bp.blogspot.com/-RekxF9Um310/V7UGStksFZI/AAAAAAAAAGs/w9tnKApDPCQyuLzmE2hzyQuu13wHP3LdgCEw/s400/root_gaurd_2.png" width="400" /></a></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Consider this topology,</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Say the primary core switch Cat A goes down and Cat E becomes the
root bridge.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">In this situation, Cat B fa2/1 will be the designated port for
that segment, and when Cat A comes back up, Cat B will not accept Cat A as the root
bridge if root guard is configured on fa2/1. So root guard need not always be
enabled on all designated ports; the topology should be considered and root guard
enabled wherever required. So a single command at the global level is not possible.</span></div>
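<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">The behaviour described above, modelled for a single port as an added example (not switch code and not part of the original notes). The bridge priorities, MAC values and port names are constructed, the 20-second hold time is an assumption taken from the 802.1D default max age, and the listening/learning steps of a real switch are left out.</span></div>

```python
from dataclasses import dataclass

FORWARDING = "forwarding"
ROOT_INCONSISTENT = "root-inconsistent"


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID; the lower (priority, mac) pair is the better root."""
    priority: int
    mac: int


class Port:
    """One switch port as seen by its own switch.

    max_age is the assumed hold time in seconds before a blocked port
    recovers (20 s is the 802.1D default max age).
    """

    def __init__(self, name, known_root, root_guard, max_age=20):
        self.name = name
        self.known_root = known_root
        self.root_guard = root_guard
        self.max_age = max_age
        self.state = FORWARDING
        self.last_superior = None

    def receive_bpdu(self, now, advertised_root):
        """Process a BPDU advertising `advertised_root` at time `now`."""
        if advertised_root < self.known_root:      # superior BPDU
            if self.root_guard:
                # Root guard: refuse the claim and block the port.
                self.state = ROOT_INCONSISTENT
                self.last_superior = now
            else:
                # No guard: the switch accepts the new root bridge.
                self.known_root = advertised_root
        return self.state

    def tick(self, now):
        """Recover automatically once superior BPDUs have stopped."""
        if (self.state == ROOT_INCONSISTENT
                and now - self.last_superior >= self.max_age):
            self.state = FORWARDING
        return self.state


# Constructed bridge IDs (sample priorities and MAC values).
CORE = BridgeId(4096, 0x0000000000AA)
ROGUE = BridgeId(0, 0x0000000000FF)      # priority zero, as in the text
CAT_A = BridgeId(4096, 0x00000000000A)   # primary core switch
CAT_E = BridgeId(8192, 0x00000000000E)   # root while Cat A is down


def rogue_root_scenario(root_guard):
    """Distribution downlink that hears priority-zero BPDUs from below."""
    port = Port("dist-downlink", CORE, root_guard)
    timeline = []
    for t in (0, 2, 4):                  # superior BPDUs arrive
        timeline.append((t, port.receive_bpdu(t, ROGUE)))
    for t in (10, 23, 24):               # superior BPDUs have stopped
        timeline.append((t, port.tick(t)))
    return port.known_root, timeline


def returning_core_scenario():
    """Cat E is root; Cat A comes back behind Cat B fa2/1 (guarded)."""
    port = Port("CatB fa2/1", CAT_E, root_guard=True)
    state = port.receive_bpdu(0, CAT_A)
    return port.known_root, state


if __name__ == "__main__":
    for guard in (True, False):
        root, timeline = rogue_root_scenario(guard)
        print(f"root guard={guard}: root is now {root}")
        for t, state in timeline:
            print(f"  t={t:>2}s  {state}")
    print("Cat A returns:", returning_core_scenario())
```

The second scenario is the reason root guard is placed per port: the same check that stops a rogue root also rejects the legitimate Cat A when the guard sits on the wrong designated port.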
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpLast" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12pt;">Configuration:</span></div>
<div class="MsoListParagraphCxSpLast" style="margin-bottom: 0.0001pt;">
<i style="text-indent: 0.5in;"><span style="background: silver; font-family: Consolas; font-size: 11.5pt; mso-highlight: silver;">SwitchA(config)#interface fa0/1</span></i></div>
<div class="MsoListParagraphCxSpFirst" style="margin-bottom: 0.0001pt;">
<i><span style="background: silver; font-family: Consolas; font-size: 11.5pt; mso-highlight: silver;">SwitchA(config-if)#spanning-tree guard root</span></i></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<i><span style="background: silver; font-family: Consolas; font-size: 11.5pt; mso-highlight: silver;">SwitchA#show spanning-tree inconsistentports</span></i></div>
<br />
<div class="MsoListParagraphCxSpLast" style="margin-bottom: 0.0001pt;">
<br /></div>
</div>
Multicast Part 2 (2015-12-08)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b>RP Configuration:<o:p></o:p></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b><span style="color: red;">Static:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The following command is used to
configure the RP on the router:</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim rp-address
&lt;IP_Of_Router&gt; &lt;access-listNo&gt;</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If multiple RPs are
configured, the one with the higher IP address will be selected by the router.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b><span style="color: red;">Auto RP:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Cisco proprietary tool for
advertising RP info for multicast groups.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
It uses multicast to distribute
group to RP mapping info.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Cisco PIM routers learn about
the group to RP mapping by joining the group Cisco-RP-discovery 224.0.1.40, the
mapping agent will advertise the mapping info to this group.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The mapping agent will learn of
the possible RP candidates by joining the group Cisco-RP-announce 224.0.1.39.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Candidate RPs announce their
intention to be RP for a group or group range by multicasting RP announce
messages to the group 224.0.1.39.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Configuring mapping agent:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim send-rp-discovery scope
ttl<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Configuring candidate RPs:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim send-rp-announce
interface scope ttl [group-list acl]<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If group-list is not specified,
the router will announce as candidate for 224.0.0.0/4<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If the mapping agents receive
multiple RP announcements, all of them will cache the group-to-RP announcements
and select the RP with the higher IP address.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Multiple mapping agents can be
configured in a network; all mapping agents will select the same RP for a given
group, and routers will have the same set of RP mappings. Only ‘the source info’
of the mapping will toggle in the routers.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The RP-announce-interval can be
tweaked to get short failover times; however, with the default SPT
threshold of zero, all the routers would have switched to the SPT, and the failure
of an RP will have little effect.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
RP-announce and RP-discovery are
always operated as dense mode groups. If the RP info is not found for a group,
the group will be operated in dense mode.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Security:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
To stop sending RP discovery messages,
configure the following on the interface:</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
‘ip multicast boundary
&lt;access-list&gt;’</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 10 deny 224.0.1.39<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 10 deny 224.0.1.40<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 10 deny 239.0.0.0 0.255.255.255<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 10 permit 224.0.0.0 15.255.255.255<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
We can configure the following
on the mapping agent to prevent candidate RP spoofing,<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim rp-announce-filter
rp-list acl [group-list acl]<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
eg:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 1 permit host 1.1.1.2<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>access-list 2 deny any<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>ip pim rp-announce-filter rp-list 1 group-list 2<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>With the above configuration, the filtering is performed on the IP
addresses permitted by the rp-list, i.e. ACL 1.</i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>Here, the RP permitted in ACL 1 is denied to be the RP for the groups
referenced in ACL 2.</i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<i>1.1.1.2 is denied to be the RP for all multicast groups.<o:p></o:p></i></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
All the interfaces must be
configured to operate in ‘sparse-dense’ mode.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
When the interfaces are configured
to operate in sparse mode,<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
‘ip pim autorp listener’ → allows the two group
addresses 224.0.1.39 and 224.0.1.40 to operate in dense mode and other groups
in sparse mode.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br />
<b>Misc</b>:<br />
<br />
<ul style="text-align: left;">
<li><span style="background-color: white; font-family: 'verdana' , sans-serif; font-size: x-small;">If router interfaces are configured in sparse mode, Auto-RP can still be used if all routers are configured with a static RP address for the Auto-RP groups.</span></li>
<li><span style="background-color: white; font-family: "verdana" , sans-serif; font-size: 12.236px;">RPs discovered dynamically through Auto-RP take precedence over statically configured RPs</span></li>
<li><span style="background-color: white; font-size: 12.236px;"><span style="font-family: "verdana" , sans-serif;"><span style="font-size: 12.236px;">To accept all RPs advertised with Auto-RP and reject all other RPs by default, use the </span><b class="cBold" style="font-size: 12.236px;">ip pim accept-rp auto-rp</b><span style="font-size: 12.236px;"> command.</span></span></span></li>
</ul>
</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b><span style="color: red;">PIM V2 Bootstrap Mechanism:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
BSR uses hop by hop flooding of
special bootstrap messages to distribute all group to RP mapping info.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The combination of hop-by-hop
flooding of BSR messages and unicasting C-RP advertisements to the
BSR completely eliminates the
need for multicast in order for the BSR mechanism to function.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim rp-candidate interface
[group-list acl]<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
When this global configuration
command is added to a router's configuration, the router begins to
unicast PIMv2 C-RP
advertisements to the currently elected BSR.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
ip pim bsr-candidate interface
hash-mask-length [priority]<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
After this is configured, the router
sets its bootstrap timer to the bootstrap timeout value (150 sec) and enters
the C-BSR state, waiting to
receive BSR messages from the current BSR.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If the router receives a BSR
message with a higher priority, it accepts the message, resets the timer and
forwards the message out of all the other interfaces.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Lower-priority messages will be
discarded.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If the bootstrap timer expires,
the C-BSR will start sending BSR messages every 60 sec.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If a higher-priority BSR message
is received, it will transition back to the C-BSR state.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
In this way, the candidate RP
router comes to know of the BSR and starts unicasting its RP intention to the
BSR.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The BSR will cache all such
mappings and send them in BSR messages.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Each router now receives all the
RP-to-group mapping info through the hop-by-hop flooding mechanism and runs a
hashing algorithm to identify the RP for a group.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If two routers announce themselves as
RP candidates for the entire multicast range, then with BSR the routers will share
the RP workload for the multicast range.</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
By changing the hash mask length
value, it is possible to control the number of consecutive group addresses that
map to the same candidate RP.</div>
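<div class="MsoNoSpacing" style="margin-left: .5in;">
How the hash mask length groups consecutive addresses onto one candidate RP, as an added example (not from the original notes and not router code). It uses the hash function defined in the PIM-SM specification (RFC 7761); the candidate RP addresses and the group range are constructed, and both candidates are assumed to advertise the same group range with equal priority.</div>

```python
import ipaddress
from collections import Counter

# Constants of the hash function in the PIM-SM specification.
MULT, INC, MOD = 1103515245, 12345, 2 ** 31

# Constructed candidate RP addresses (sample values, not from the page).
CANDIDATES = ["10.0.0.1", "10.0.0.2"]


def ip_int(addr):
    """Dotted-quad IPv4 address as an integer."""
    return int(ipaddress.IPv4Address(addr))


def rp_hash(group, mask_len, candidate):
    """Value(G, M, C) = (a * ((a * (G & M) + b) XOR C) + b) mod 2^31."""
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    masked_group = ip_int(group) & mask
    inner = (MULT * masked_group + INC) ^ ip_int(candidate)
    return (MULT * inner + INC) % MOD


def select_rp(group, mask_len, candidates):
    """Highest hash value wins; the highest address breaks a tie.

    Assumes every candidate covers the group with the same priority.
    """
    return max(candidates,
               key=lambda rp: (rp_hash(group, mask_len, rp), ip_int(rp)))


def mapping(first_group, count, mask_len, candidates):
    """(group, chosen RP) for `count` consecutive group addresses."""
    base = ip_int(first_group)
    groups = (str(ipaddress.IPv4Address(base + i)) for i in range(count))
    return [(g, select_rp(g, mask_len, candidates)) for g in groups]


def rp_share(first_group, count, mask_len, candidates):
    """How many of the groups each candidate RP ends up serving."""
    chosen = mapping(first_group, count, mask_len, candidates)
    return Counter(rp for _, rp in chosen)


if __name__ == "__main__":
    # Mask length 0 hashes every group identically; 30 keeps blocks of
    # four consecutive groups together; 32 hashes each group on its own.
    for mask_len in (0, 30, 32):
        share = rp_share("239.1.1.0", 64, mask_len, CANDIDATES)
        print(f"hash mask length {mask_len:>2}: {dict(share)}")
    for group, rp in mapping("239.1.1.0", 8, 30, CANDIDATES):
        print(f"  {group} -> {rp}")
```

Because every router runs the same function over the same RP set received from the BSR, all routers reach the same group-to-RP answer without any further exchange.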
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
BSR messages are flooded to all
PIM routers (224.0.0.13) with a TTL of 1. They contain the following info:</div>
<ul style="text-align: left;">
<li>IP address of the current BSR</li>
<li>Group-to-RP mapping cache</li>
<li>Priority</li>
<li>Hash mask length value</li>
</ul>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The ‘ip pim border’ command is used to
constrain BSR messages. This command will not affect the flow of other PIM
messages (join, prune, etc.).</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Forcing groups to remain in
Dense mode:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The following command can be
used to force certain groups to operate in dense mode<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b><span style="font-family: "calibri light" , sans-serif; font-size: 14.0pt;">ip pim
accept-rp {rp-address | Auto-rp} [group-list acl]<o:p></o:p></span></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing">
When the router receives an IGMP join from a local host, it
runs the RP and group address against this filter; if the filter permits,
the group is created in sparse mode, otherwise the group is created in
dense mode.</div>
<div class="MsoNoSpacing">
When the router receives a (*, G) join from a downstream router,
the RP address in the join message and the group address are run against the filter;
if the filter allows, the join is propagated towards the RP, otherwise it is discarded.</div>
<div class="MsoNoSpacing">
When the router receives register messages for a group,
the group address and destination address are run through the filter; if
the filter allows, the register is processed, otherwise a register stop is
sent.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">The <b>ip
pim accept-rp </b>command has the following three basic forms:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-size: 14.0pt;">ip pim accept-rp rp-address [group-list acl] → If a matching entry is found, the search terminates. If permitted,
sparse mode will be used.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-size: 14.0pt;">ip pim accept-rp Auto-rp [group-list acl] → If the group-to-RP cache permits, the group is
created in sparse mode. If denied, the wildcard entry will be tried.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-size: 14.0pt;">ip pim accept-rp 0.0.0.0 [group-list acl] → If a matching entry is found, the search terminates. If permitted,
sparse mode will be used.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-weight: bold; mso-bidi-theme-font: minor-latin;">Configure <b>ip pim rp-address</b> to force the group to operate in
sparse mode.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="color: red;">MSDP:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
MSDP is a mechanism to connect multiple PIM-SM domains. It shares
the active multicast sources in a domain to RPs in other domains.<o:p></o:p></div>
<div class="MsoNoSpacing">
MSDP is configured between RPs and uses TCP port 639.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
On receiving register messages from the first-hop router, the RP
re-encapsulates them in Source-Active (SA) messages, which are forwarded to all MSDP peers.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
MSDP messages are flooded across MSDP peers.<o:p></o:p></div>
<div class="MsoNoSpacing">
R1----R2-----R3<o:p></o:p></div>
<div class="MsoNoSpacing">
R1 &amp; R2 are MSDP peers<o:p></o:p></div>
<div class="MsoNoSpacing">
R2 &amp; R3 are MSDP peers<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
If R1 sends an SA message to R2, R2 can forward it to R3.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="color: red;">SSM:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
In SSM, only the router closest to the receiving host needs to have
SSM enabled.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i>access-list
1 permit 232.0.0.0 0.255.255.255<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i>ip pim ssm
range 1<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
When SSM is enabled, only (S, G) state will be created; no
(*, G) state will be created for the groups
specified in the SSM range.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="color: red;">Bi-directional
PIM:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
ip pim bidir-enable --- This must be enabled<o:p></o:p></div>
<div class="MsoNoSpacing">
ip pim rp-address 1.1.1.3 bidir<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
A designated forwarder (DF) is elected for each segment. The DF is
simply a multicast router that can forward (*, G) traffic in two different
directions.<o:p></o:p></div>
<div class="MsoNoSpacing">
The router with the lowest cost to the RP is elected as the DF.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="color: red;">IGMP:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing">
In IGMP v2, the router with the lowest IP address will become
the querier for that segment.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br />
<div class="pB1_Body1" style="background-color: white; font-size: 12.236px; margin: 1px 0em 6px;">
<span style="font-family: Verdana, sans-serif;">The DR is the router with the highest IP address on the subnet, whereas the IGMP querier is the router with the lowest IP address.</span></div>
<br /></div>
<div class="MsoNoSpacing">
The router periodically sends query messages to the all-hosts group
224.0.0.1<o:p></o:p></div>
<div class="MsoNoSpacing">
The hosts which want multicast traffic will reply with
membership reports to 224.0.0.2<o:p></o:p></div>
<div class="MsoNoSpacing">
When a host leaves, IGMP uses group-specific queries to
improve performance. The host sends a leave message and the router sends a
group-specific query.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
By default, if PIM is enabled on the interface, IGMP v2
is also enabled.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
R2#sh ip igmp int fa0/0<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP is enabled
on interface<o:p></o:p></div>
<div class="MsoNoSpacing">
Current IGMP host
version is 2<o:p></o:p></div>
<div class="MsoNoSpacing">
Current IGMP
router version is 2<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP query
interval is 60 seconds → to
discover active multicast group receivers. If two queries are missed, election
for new querier starts.<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP querier
timeout is 120 seconds → if
no query is seen for 120 sec, the other router will trigger an election to select
a new querier<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP max query
response time is 10 seconds → Tweak
to improve the burstiness of the query responses<o:p></o:p></div>
<div class="MsoNoSpacing">
Last member query
count is 2 → no. of queries sent after receiving a group-specific
leave and before stopping forwarding of multicast traffic<o:p></o:p></div>
<div class="MsoNoSpacing">
Last member query
response interval is 1000 ms<o:p></o:p></div>
<div class="MsoNoSpacing">
Inbound IGMP
access group is not set → access-list
to restrict hosts from joining some mcast groups<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP activity: 1
joins, 0 leaves<o:p></o:p></div>
<div class="MsoNoSpacing">
Interface IGMP State Limit: 0 active out of 2 max → Maximum number of groups that
hosts can join. After two groups are joined, a third group join is
denied.<o:p></o:p></div>
<div class="MsoNoSpacing">
Multicast routing
is enabled on interface<o:p></o:p></div>
<div class="MsoNoSpacing">
Multicast TTL
threshold is 0<o:p></o:p></div>
<div class="MsoNoSpacing">
Multicast
designated router (DR) is 10.1.100.2 (this system)<o:p></o:p></div>
<div class="MsoNoSpacing">
IGMP querying
router is 10.1.100.1 → The router with the lower
IP address assumes the role of querier. This is different from the PIM
DR.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
</div>
<div class="MsoNoSpacing">
No multicast
groups joined by this system<o:p></o:p></div>
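<div class="MsoNoSpacing">
The two admission controls annotated in the output above (the inbound IGMP access group and the interface state limit), together with the querier and DR elections, can be modelled in a few lines. This is an added example, not part of the original notes and not router code: the class and function names are hypothetical, the ACL entries and group addresses are constructed, and only the 10.1.100.1/10.1.100.2 segment and the limit of 2 come from the output.</div>

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS-style ACL match: bits set in the wildcard mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def igmp_querier(addresses):
    """IGMPv2 querier: the router with the lowest IP address on the segment."""
    return str(min(ipaddress.IPv4Address(a) for a in addresses))


def pim_dr(routers):
    """PIM DR: highest priority wins, highest IP address breaks a tie.

    routers is a list of (address, priority) tuples.
    """
    best = max(routers, key=lambda r: (r[1], int(ipaddress.IPv4Address(r[0]))))
    return best[0]


class IgmpInterface:
    """Simplified model of join admission on one router interface."""

    def __init__(self, access_group=None, state_limit=None):
        # access_group: list of (action, base, wildcard), or None when
        # "Inbound IGMP access group is not set".
        self.access_group = access_group
        self.state_limit = state_limit
        self.groups = set()

    def _acl_permits(self, group):
        if self.access_group is None:
            return True
        for action, base, wildcard in self.access_group:
            if wildcard_match(group, base, wildcard):
                return action == "permit"
        return False  # implicit deny at the end of the ACL

    def report(self, group):
        """Process a membership report and say what happened to it."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "invalid"
        if group in self.groups:
            return "refreshed"
        if not self._acl_permits(group):
            return "denied-acl"
        if self.state_limit is not None and len(self.groups) >= self.state_limit:
            return "denied-limit"
        self.groups.add(group)
        return "joined"

    def leave(self, group):
        self.groups.discard(group)


if __name__ == "__main__":
    segment = [("10.1.100.1", 1), ("10.1.100.2", 1)]  # equal DR priority (constructed)
    print("querier:", igmp_querier([a for a, _ in segment]))
    print("DR:     ", pim_dr(segment))

    # Constructed policy: only 239.1.1.0/24 may be joined, at most 2 groups.
    intf = IgmpInterface(access_group=[("permit", "239.1.1.0", "0.0.0.255")],
                         state_limit=2)
    for g in ["239.1.1.1", "239.2.2.2", "239.1.1.2", "239.1.1.3"]:
        print(g, "->", intf.report(g))
```
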
</div>
Anonymoushttp://www.blogger.com/profile/16547104544524126934noreply@blogger.com0tag:blogger.com,1999:blog-6535850563298713199.post-92053806236339070922015-11-29T17:16:00.002-08:002016-01-25T02:46:30.913-08:00Multicast - Part1<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">PIM:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
224.0.0.13 is the multicast group for all PIM routers.<o:p></o:p></div>
<div class="MsoNoSpacing">
Hello messages are sent every 30 seconds, and the hold-down timer is three
times the hello interval.<o:p></o:p></div>
<div class="MsoNoSpacing">
The router with the highest priority becomes the DR for the segment;
if priorities are equal, the router with the highest IP address becomes the DR. <span style="font-family: Verdana, sans-serif;">(<span style="background-color: white; font-size: 12.236px; text-indent: -0.25in;">The DR is responsible for sending PIM register and PIM join and prune messages toward the RP, and for sending IGMP host-query messages.</span>)</span><br />
<o:p></o:p></div>
<div class="MsoNoSpacing">
The RPF check is done to ensure the packet arrived on the
correct interface in the direction of the source.<o:p></o:p></div>
<div class="MsoNoSpacing">
When multiple entries exist in the routing table, the
entry with the highest next-hop address is selected.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">PIM DM:<o:p></o:p></span></b><br />
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;"><br /></span></b>
<span style="background-color: white; font-size: 12.236px;"><span style="font-family: "verdana" , sans-serif;">PIM-DM builds source-based multicast distribution trees that operate on a "flood and prune" principle.</span></span><br />
<span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 12.236px;"><br /></span></div>
<div class="MsoNoSpacing">
In dense mode, prune messages are sent when<o:p></o:p></div>
<div class="MsoNoSpacing">
Traffic arrives on non-RPF interfaces<o:p></o:p></div>
<div class="MsoNoSpacing">
No receivers<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>Prune override:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
On multi-access networks, if a router sees a prune message
and still has receivers, it sends a join message to override the prune.<o:p></o:p></div>
<div class="MsoNoSpacing">
A 3-second prune delay timer is started on receiving a
prune message; if no join is received within these 3 seconds, the prune takes place.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>PIM asserts:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
Asserts are used on multi-access networks to avoid duplicate multicast
traffic.<o:p></o:p></div>
<div class="MsoNoSpacing">
If a router receives a multicast packet via an interface that is in the
outgoing interface list associated with a multicast source, it sends a PIM Assert
message out that interface to resolve which router will continue forwarding this
traffic. The router with the better metric to the source wins and continues to
relay multicast traffic.<o:p></o:p></div>
<div class="MsoNoSpacing">
If the metrics tie, the router with the highest IP address wins.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>PIM graft:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
A graft restarts the flow of multicast traffic on a previously
pruned interface without having to wait for the timers to expire.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>PIM State refresh
capability<o:p></o:p></b></div>
<div class="MsoNoSpacing">
If state refresh is enabled on an interface, the router
sends a multicast control packet; if the receiving router has no interfaces in its OIL, it
sends a prune back to the sender, refreshing the state.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br />
<div class="pB1_Body1" style="-webkit-text-stroke-width: 0px; background-color: white; color: black; font-size: 12.236px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 1px 0em 6px; orphans: auto; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="font-family: "verdana" , sans-serif;">If PIM dense mode (PIM-DM) is enabled on a router interface, the PIM Dense Mode State Refresh feature is also enabled by default.</span></div>
</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>General Rules in
forwarding multicast traffic:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
Multicast traffic is forwarded using mroute tables.
The following rules help in understanding the mroute tables:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When creating an (S, G) entry, create (*, G) if it
doesn’t exist<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The RPF interface is calculated as the
interface with the lowest cost to the source in the case of (S, G), and with the lowest cost
to the RP in the case of sparse mode (*, G). If multiple interfaces have the same cost,
the interface with the highest IP address becomes the RPF interface.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When creating an (S, G) entry, its outgoing
interface list (OIL) is copied from the parent (*, G)<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The incoming interface of a multicast forwarding
entry must never appear in the OIL<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The RPF interface of every multicast state entry
is recalculated every 5 sec and the OIL is adjusted according to the
rules.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Additions/deletions to the outgoing interface
list of (*, G) are replicated to the associated (S, G) entries.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Sparse Mode:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
Unlike dense mode, sparse mode uses (*, G) to forward
multicast traffic.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Sparse mode (*, G) rules:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->A (*, G) entry is created as a result of an explicit join
operation: either a directly connected host joins the group, or a
(*, G) join request arrives from a downstream router.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><b>The
incoming interface of (*, G) always points up the shared tree towards the RP.<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Sparse mode (S, G) rules:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->An (S, G) entry is created when an (S, G)
join/prune message is received, when the last-hop router decides to switch over to the shortest path,
on the unexpected arrival of (S, G) traffic, or on the RP when it gets a register message<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When a (*, G) join is received, the interface is
added to the outgoing interface list of (*, G) and subsequently to (S,G)<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b>When a (S, G) join is received</b>, the interface is added to the OIL
of (S, G) only. The (S, G) join is specific to SPT for source S and group G and
is not applicable to the shared tree.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The interface is removed from the OIL on receiving a
(*, G) or (S, G) prune, or when the interface expiration timer counts down to zero.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The expiration timer is reset on receiving a (*,
G) or (S, G) join or IGMP membership report. Downstream routers will refresh
the state by sending the joins periodically every minute.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When the last hop router decides to switch to
shortest path, the router no longer needs to receive the traffic via shared
tree. To stop the flow of this redundant traffic down the shared tree,<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
router will send (S, G) prune
with RP bit set. Router receiving the prune message sees this message
as a request to prune the specified (S, G) traffic from this branch of the
shared tree.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Router will send an (S, G) RP-bit
prune when the RPF interface of (*, G) is different from RPF interface of (S, G)
i.e. shortest path.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When the router receives an (S, G) RP-bit set
prune from a downstream neighbor, it will remove the interface from the OIL of
(S, G) and sets the R flag.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><b>The RPF of
(S, G) is calculated by using the IP address of the source except when the RP bit
is set, in which case the IP address of the RP is used (incoming interface)</b><o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-d3popnn1deQ/Vlui-DsGp-I/AAAAAAAAAFc/pGkA81tR5os/s1600/img1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="http://2.bp.blogspot.com/-d3popnn1deQ/Vlui-DsGp-I/AAAAAAAAAFc/pGkA81tR5os/s320/img1.JPG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Say R3 and R4 have sent join for
the group G1.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
At this point, all the routers
R2, R3, R4 and RP will have (*, G1) entries.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
When the source starts sending
traffic, RP will forward the multicast traffic and subsequently it reaches R3
and R4.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
R3 sees that it has shortest
path to the source and will send an (S, G1) join to R1 and (S, G1) RP-bit prune
to R2.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
R2 will create (S, G1) state,
set the R flag, copy the OIL from (*, G1) and remove the interface S1
from it.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
R3 will get the traffic from R1
directly and R4 will continue to get the traffic from the shared tree. At this point,
the (S, G1) entry in R2 will also have a flag <b>T</b> indicating the traffic is forwarded via the (S, G1) entry.<br />
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Prunes are sent up the shared tree to prune
off sources whose traffic is being received directly via the SPT along a
different path. These (S, G) RP-bit Prunes must continue to be sent periodically along
with the associated (*, G) Join to refresh state along the shared tree. When
these periodic Joins are sent up the shared tree, both the (*, G) Join and any
associated (S, G) RP-bit Prunes are all sent inside of the same PIM Join/Prune
message. This leads to the following two categories of (*, G) Joins:</div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b>Atomic (*,
G) Joins</b>---These are Join/Prune messages that contain both the (*, G) Join
along with all associated (S, G) RP-bit Prunes for Group G.<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b>Nonatomic (*, G) Joins</b>---These are
Join/Prune messages that contain only the (*, G) Join without any associated
(S, G) RP-bit Prunes for Group G.<o:p></o:p></div>
<br />
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
</div>
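<div class="MsoNoSpacing" style="margin-left: .5in;">
The R2 walkthrough above, expressed as a small state model of the mroute rules listed in these notes. This is an added example, not part of the original notes and not router code: the class and method names are hypothetical, interface S1 (toward R3) is from the text, while S0 (toward the RP), S2 (toward R4) and all addresses are constructed. The <code>rp_pruned</code> set is a modelling assumption that keeps a periodic (*, G) join from re-adding an interface pruned with the RP bit.</div>

```python
class Entry:
    """One mroute entry: incoming interface, outgoing interface list, flags."""

    def __init__(self, iif, oil=()):
        self.iif = iif
        self.oil = set(oil) - {iif}  # the incoming interface never appears in the OIL
        self.flags = set()
        self.rp_pruned = set()       # model bookkeeping: interfaces pruned with the RP bit

    def update_p_flag(self):
        # P (pruned) is set while the OIL is empty.
        if self.oil:
            self.flags.discard("P")
        else:
            self.flags.add("P")


class MrouteTable:
    def __init__(self, rpf, rp):
        self.rpf = rpf    # address -> RPF interface (stands in for the unicast table)
        self.rp = rp
        self.star_g = {}  # group -> Entry
        self.s_g = {}     # (source, group) -> Entry

    def _get_star_g(self, group):
        if group not in self.star_g:
            entry = Entry(self.rpf[self.rp])  # (*, G) always points toward the RP
            entry.update_p_flag()
            self.star_g[group] = entry
        return self.star_g[group]

    def _get_s_g(self, source, group, rp_bit=False):
        parent = self._get_star_g(group)      # create (*, G) first if it is missing
        key = (source, group)
        if key not in self.s_g:
            iif = self.rpf[self.rp] if rp_bit else self.rpf[source]
            entry = Entry(iif, parent.oil)    # OIL is copied from the parent (*, G)
            entry.update_p_flag()
            self.s_g[key] = entry
        return self.s_g[key]

    def _family(self, group):
        children = [e for (_, g), e in self.s_g.items() if g == group]
        return [self._get_star_g(group)] + children

    def star_g_join(self, group, iface):
        # Added to the (*, G) OIL and replicated to the associated (S, G) entries.
        for entry in self._family(group):
            if iface != entry.iif and iface not in entry.rp_pruned:
                entry.oil.add(iface)
            entry.update_p_flag()

    def star_g_prune(self, group, iface):
        # Deletions from the (*, G) OIL are replicated as well.
        for entry in self._family(group):
            entry.oil.discard(iface)
            entry.update_p_flag()

    def s_g_join(self, source, group, iface):
        # An (S, G) join touches the OIL of (S, G) only.
        entry = self._get_s_g(source, group)
        if iface != entry.iif:
            entry.oil.add(iface)
        entry.rp_pruned.discard(iface)
        entry.update_p_flag()

    def s_g_rpbit_prune(self, source, group, iface):
        # Remove the interface from the (S, G) OIL and set the R flag;
        # with the RP bit set, the RPF interface is the one toward the RP.
        entry = self._get_s_g(source, group, rp_bit=True)
        entry.flags.add("R")
        entry.iif = self.rpf[self.rp]
        entry.oil.discard(entry.iif)
        entry.oil.discard(iface)
        entry.rp_pruned.add(iface)
        entry.update_p_flag()


RP, SRC, G1 = "10.0.0.9", "10.0.0.1", "239.1.1.1"  # constructed addresses


def r2_walkthrough():
    """R2's state after R3 and R4 join G1 and R3 switches to the SPT."""
    r2 = MrouteTable(rpf={RP: "S0", SRC: "S0"}, rp=RP)
    r2.star_g_join(G1, "S1")           # (*, G1) join from R3
    r2.star_g_join(G1, "S2")           # (*, G1) join from R4
    r2.s_g_rpbit_prune(SRC, G1, "S1")  # (S, G1) RP-bit prune from R3
    return r2


if __name__ == "__main__":
    r2 = r2_walkthrough()
    sg = r2.s_g[(SRC, G1)]
    print("(*, G1) OIL:", sorted(r2.star_g[G1].oil))
    print("(S, G1) OIL:", sorted(sg.oil), "flags:", sorted(sg.flags))
```
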
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If the source joins first, the
Register, Register-Stop sequence will continue to happen until some receiver
joins.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
SPT Switchover:<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Once each second, the router
will compute the total traffic flowing down the shared tree.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
If this exceeds the threshold,
the router will set the J flag on (*, G) and join the (S, G) on arrival of next
packet.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Here are the steps<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Set J flag on (*, G) and wait for the next (S,
G)<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When (S, G) arrives down the shared tree, clear
J flag on (*, G) and send (S, G) join.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The J flag will again be set
after a 1 sec interval on (*, G). This is to avoid multiple (S, G) switchovers.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Once the traffic is pruned off the shared tree
and traffic arrives on (S, G), the router will continue to calculate the rate of
traffic on (S, G)<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
If the rate is lower than the threshold, the
router will switch back over to the shared tree and prune off the flow down the SPT.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Pruning: <o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Shared Tree: If router no longer
wants multicast traffic it will send (*, G) prune.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
When (*, G) prune is received,
the interface is removed from OIL. If the OIL is null, the P flag is set on the
(*, G) and a prune is sent to upstream router.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Shortest Tree: If router no
longer wants multicast traffic it will send (*, G) prune up the SPT.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
No (S, G) prune will be sent, instead
P flag is set on the (S, G) and expire timer is triggered on them and allowed
to age out.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-yEpkdTFE9Hk/VlujAkAxSwI/AAAAAAAAAFs/Zdm7ES1Jr3c/s1600/img2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://2.bp.blogspot.com/-yEpkdTFE9Hk/VlujAkAxSwI/AAAAAAAAAFs/Zdm7ES1Jr3c/s320/img2.JPG" width="320" /></a></div>
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
R4 will not send (S, G) prune,
it will start expire timer on (S, G) and will send (*, G) prune up the shared
tree.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
R4 will also not send periodic
(*, G) and (S, G) joins to refresh the state.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
When the (*, G) prune arrives at R2,
it will send the (*, G) prune up the shared tree and start the expiration timer on
(S, G).<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The source will continue to send
the (S, G) traffic, and on arrival of (S, G) traffic, router R2 will send an (S, G)
prune.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-indent: 0.5in;">
The reason
that (S, G) prunes are triggered only by the arrival of data is to optimize the
amount of control traffic sent in the network: bandwidth is not wasted sending
(S, G) prunes for bursty or other low-rate sources in the network.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<b>Turnaround Router:<o:p></o:p></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The turnaround router scenario
occurs when the SPT and shared tree paths merge at a router (with traffic
flowing in opposite directions).<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The router at which the paths
merge is called the turnaround router; it is upstream of the shared tree receivers
and downstream of the source on the SPT.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-5qoGb999fh0/VlujAhBATVI/AAAAAAAAAFw/OBDJ1501y-0/s1600/img3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-5qoGb999fh0/VlujAhBATVI/AAAAAAAAAFw/OBDJ1501y-0/s320/img3.JPG" width="285" /></a></div>
</div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<br />
<br />
The proxy-join timer is used to handle this scenario; it is associated only with (S, G) entries in the mroute table.<br />
<b>Rules:</b></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
A proxy-join timer is started on
the RP when the (S, G) entry is created by a register message and the OIL of (*, G) is
not null.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
It is also started when a router receives a
non-atomic (*, G) join on the incoming interface of the (S, G) entry from a non-RPF
neighbor.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The proxy-join timer is reset by
the receipt of non-atomic joins.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
It is simply allowed to age
out if non-atomic joins are not received.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing">
When
the proxy-join timer is running on an (S, G) entry,<o:p></o:p></div>
<div class="MsoNoSpacing">
the
router will send (S, G) joins towards the source and suppress sending (S, G)
prunes towards the source.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
Say R2 has a receiver and it
joins the shared tree.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When a source starts sending at R1, it will send
register message to RP.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->RP will have (*, G) with a non-null OIL, so it will start the
proxy-join timer and start sending (S, G) joins towards the source. Ideally, the
OIL of (S, G) on RP will be null and it should have been sending prunes.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Once the SPT is built, R3 will hear the
non-atomic join sent by R2 and it will start its proxy-join timer.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->R3 will start sending (S, G) joins towards the
source and will also send atomic joins towards RP. Atomic joins will be sent
because the RPF of (*, G) and (S, G) are different <o:p></o:p><span style="font-family: "calibri" , sans-serif; font-size: 11pt; line-height: 107%; text-indent: -0.25in;">(PIM
SM rules, prune with RP bit set).</span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The proxy-join timer is reset only by non-atomic
joins. Since RP is receiving atomic joins, the proxy-join timer on RP will age
out.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When the timer expires on RP, it will not send
periodic (S, G) joins to R3 and the interface will eventually be removed from
OIL of (S, G) in R3.<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
The turnaround router functionality
will not work if R2 switches over to the SPT. This is because it will then be sending
atomic joins.<o:p></o:p></div>
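The timeline below replays the walk-through above as a small Python simulation. It is an added example, not part of the original notes; the three timer values and all class and function names are assumptions, the SPT is taken to be in place from the first tick, and the interface and RPF-neighbor conditions of the second rule are taken as met.

```python
from typing import List, Optional, Tuple

JOIN_PERIOD = 60            # seconds between periodic joins (assumed value)
PROXY_JOIN_LIFETIME = 180   # seconds a proxy-join timer runs without a reset (assumed)
OIL_HOLDTIME = 210          # seconds R3 keeps an OIL interface without a join (assumed)


class ProxyJoinTimer:
    """Proxy-join timer attached to one (S, G) entry."""

    def __init__(self) -> None:
        self.expiry: Optional[int] = None

    def start(self, now: int) -> None:
        self.expiry = now + PROXY_JOIN_LIFETIME

    def running(self, now: int) -> bool:
        return self.expiry is not None and now < self.expiry

    def on_star_g_join(self, now: int, atomic: bool) -> None:
        # Only a non-atomic (*, G) join (re)starts the timer; atomic joins are
        # ignored, so the timer simply ages out when nothing else arrives.
        if not atomic:
            self.start(now)


def simulate(r2_spt_switch_at: Optional[int] = None,
             end: int = 480) -> List[Tuple[int, bool, bool, bool]]:
    """Rows: (time, RP sends (S,G) join, RP interface in R3's (S,G) OIL,
    R3 proxy-join timer running)."""
    rp_timer, r3_timer = ProxyJoinTimer(), ProxyJoinTimer()
    rp_timer.start(0)   # register reaches the RP at t=0 and its (*, G) OIL is not null
    rp_if_expiry: Optional[int] = None
    timeline = []
    for now in range(0, end + 1, JOIN_PERIOD):
        # R2 sends non-atomic joins on the shared tree, atomic ones after an SPT switchover.
        r2_atomic = r2_spt_switch_at is not None and now >= r2_spt_switch_at
        r3_timer.on_star_g_join(now, atomic=r2_atomic)
        # R3's own joins towards the RP are atomic, so they never reset the RP's timer.
        rp_timer.on_star_g_join(now, atomic=True)
        # The RP sends (S, G) joins towards the source only while its timer runs;
        # each one refreshes the RP-facing interface in R3's (S, G) OIL.
        rp_sends_join = rp_timer.running(now)
        if rp_sends_join:
            rp_if_expiry = now + OIL_HOLDTIME
        rp_in_oil = rp_if_expiry is not None and now < rp_if_expiry
        timeline.append((now, rp_sends_join, rp_in_oil, r3_timer.running(now)))
    return timeline


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Calling `simulate(r2_spt_switch_at=120)` shows the last case in the notes: once R2's joins become atomic, R3's timer is no longer reset and ages out.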
<br />
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
</div>
ip access-lists (published 2015-07-30T20:26:00.001-07:00, updated 2015-07-30T20:27:24.486-07:00) <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
<b>Reflexive ACL:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
The idea is to selectively allow return traffic from the outside, for a limited
time, only for sessions that were initiated from the inside.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
R1------------------------------(fa0/1) R2 (fa0/0)------------------------------R3<o:p></o:p></div>
<div class="MsoNoSpacing">
(LAN) (INTERNET)<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The requirement is that R1 and R2 can initiate traffic
towards R3.<o:p></o:p></div>
<div class="MsoNoSpacing">
R3 cannot initiate traffic to R1 or R2.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We will use a reflexive ACL to achieve this goal.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
A reflexive ACL has 3 components:<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The first one matches the interesting traffic from R1 and R2 and
is applied outbound on the interface fa0/0:<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#ip access-list
extended LAN_TO_INTERNET<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-ext-nacl)#permit icmp
any any reflect MIRROR_ACL</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#int fa0/0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-if)#ip access-group
LAN_TO_INTERNET out</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The packets matched by the acl <i>LAN_TO_INTERNET </i>will be reflected into the acl <i>MIRROR_ACL<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can view the contents of the reflexive ACL; it is updated
dynamically whenever traffic matches the ACL <i>LAN_TO_INTERNET</i>. When I ping R3 from
R1, the ACL is updated as follows:<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R2#sh ip access-lists MIRROR_ACL<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Reflexive IP access list MIRROR_ACL<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">
permit icmp host 10.23.1.3 host 10.12.1.1 (15 matches) (time left 138)</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
To apply this reflexive ACL, we need to reference it from an extended
ACL and apply that ACL inbound on fa0/0.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#ip access-list extend
INTERNET_TO_LAN<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-ext-nacl)#<b>evaluate</b> MIRROR_ACL</span> (permit/deny
statements can be added here as well)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#int fa0/0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-if)#ip access-group
INTERNET_TO_LAN in</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
With this configuration, R1 will be able to ping R3 but
not vice versa<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R1#ping 10.23.1.3<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Sending 5, 100-byte ICMP Echos to
10.23.1.3, timeout is 2 seconds:<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">!!!!!<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Success rate is 100 percent (5/5),
round-trip min/avg/max = 80/99/128 ms<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R1#telnet 10.23.1.3<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Trying 10.23.1.3 ...<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">% Destination unreachable; gateway
or host down</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
R1 is able to ping R3 but not able to telnet; this is
because we permitted only icmp traffic in the LAN_TO_INTERNET acl. To allow
telnet, let’s modify the acl as follows:<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#ip access-list
extended LAN_TO_INTERNET<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-ext-nacl)#permit tcp any any reflect MIRROR_ACL</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
If we try to telnet now,<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="background: lime; mso-highlight: lime;">R1#telnet
10.23.1.3<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="background: lime; mso-highlight: lime;">Trying
10.23.1.3 ... Open<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="background: lime; mso-highlight: lime;">User
Access Verification<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="background: lime; mso-highlight: lime;">Password:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="background: lime; mso-highlight: lime;">R3#</span><i><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The access-list on R2 will be<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R2#sh ip access-lists<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Extended IP access list
INTERNET_TO_LAN<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">
10 evaluate MIRROR_ACL<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">
Extended IP access list LAN_TO_INTERNET<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">
10 permit icmp any any reflect MIRROR_ACL (25 matches)<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">
20 permit tcp any any reflect MIRROR_ACL (139 matches)<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">Reflexive IP access list MIRROR_ACL<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;"> permit tcp host 10.23.1.3 eq
telnet host 10.12.1.1 eq 15837 (28 matches) (time left 295)<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">(The above is the reflection of the tcp flow: source 10.12.1.1, destination 10.23.1.3, source port 15837,</span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">destination port 23)</span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;"> permit icmp host 10.23.1.3
host 10.12.1.1 (10 matches) (time left
275)</span><o:p></o:p></i></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Let’s try the ping from R2,<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R2#ping 10.23.1.3<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Sending 5, 100-byte ICMP Echos to 10.23.1.3,
timeout is 2 seconds:<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">.....<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Success rate is 0 percent (0/5)<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
It’s failing because locally generated packets are not
inspected by outbound access-lists, so they are not reflected into the
reflexive access-list. R3’s replies to the ping are therefore blocked by the
inbound access-list.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can use local policy routing to fix this issue.<o:p></o:p></div>
<div class="MsoNoSpacing">
With local policy routing, we will force the traffic to
reenter the router and be inspected by the outgoing access-lists<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i><span style="background: yellow; mso-highlight: yellow;">Create an access-list that matches the traffic from R2 to R3</span><o:p></o:p></i></b></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#ip access-list
extended LOCAL_TRAFFIC<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-ext-nacl)#permit tcp
any any<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-ext-nacl)#permit icmp
any any<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i><span style="background: yellow; mso-highlight: yellow;">Create a route-map that matches the access-list and set output
interface to some loopback<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#route-map
LOCAL_POLICY 10<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-route-map)#match ip
address LOCAL_TRAFFIC<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config-route-map)#set
interface lo100<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i><span style="background: yellow; mso-highlight: yellow;">Apply the route-map in global config<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R2(config)#ip local policy
route-map LOCAL_POLICY<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The ping should be successful now<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R2#ping 10.23.1.3<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Sending 5, 100-byte ICMP Echos to
10.23.1.3, timeout is 2 seconds:<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">.!!!!<o:p></o:p></span></i></div>
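A small Python model of the reflect/evaluate pair walked through above, added here as an illustration (it is not code from the original post). The class and function names, the 300-second idle timeout and R2's address 10.23.1.2 are assumptions; ICMP type matching and TCP FIN/RST teardown are left out of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Key layout: proto, src, sport, dst, dport (ports are None for ICMP).
Key = Tuple[str, str, Optional[int], str, Optional[int]]

R1, R3 = "10.12.1.1", "10.23.1.3"   # addresses taken from the post's output
R2 = "10.23.1.2"                    # constructed: R2's own address is not in the post


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class ReflexiveInterface:
    """Simplified fa0/0 on R2: LAN_TO_INTERNET outbound, INTERNET_TO_LAN inbound."""
    reflect_protos: Set[str]                # protocols that have a 'reflect' line
    idle_timeout: int = 300                 # seconds; assumed value for this model
    local_policy_routing: bool = False      # is 'ip local policy route-map' applied?
    mirror: Dict[Key, int] = field(default_factory=dict)   # MIRROR_ACL: entry -> expiry

    def outbound(self, pkt: Packet, now: int, from_router: bool = False) -> str:
        # Router-originated packets skip the outbound ACL unless local policy
        # routing pushes them back through the forwarding path.
        if from_router and not self.local_policy_routing:
            return "sent, not inspected"
        if pkt.proto not in self.reflect_protos:
            return "deny"                   # implicit deny ends LAN_TO_INTERNET
        # The reflected entry is the packet with source and destination swapped.
        self.mirror[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.idle_timeout
        return "permit, reflected"

    def inbound(self, pkt: Packet, now: int) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.mirror.get(key)
        if expiry is None or now >= expiry:
            self.mirror.pop(key, None)      # expired entries are removed
            return "deny"                   # implicit deny ends INTERNET_TO_LAN
        self.mirror[key] = now + self.idle_timeout   # session traffic refreshes the entry
        return "permit"

    def show_mirror(self, now: int) -> List[str]:
        lines = []
        for (proto, src, sport, dst, dport), expiry in self.mirror.items():
            if now < expiry:
                s = "" if sport is None else f" eq {sport}"
                d = "" if dport is None else f" eq {dport}"
                lines.append(f"permit {proto} host {src}{s} host {dst}{d} (time left {expiry - now})")
        return lines


def run_demo() -> dict:
    fw = ReflexiveInterface(reflect_protos={"icmp"})
    r = {}
    r["ping_out"] = fw.outbound(Packet("icmp", R1, R3), now=0)
    r["ping_reply"] = fw.inbound(Packet("icmp", R3, R1), now=1)
    r["telnet_icmp_only"] = fw.outbound(Packet("tcp", R1, R3, 15837, 23), now=2)
    fw.reflect_protos.add("tcp")            # 'permit tcp any any reflect MIRROR_ACL'
    r["telnet_out"] = fw.outbound(Packet("tcp", R1, R3, 15837, 23), now=5)
    r["telnet_reply"] = fw.inbound(Packet("tcp", R3, R1, 23, 15837), now=6)
    r["unsolicited"] = fw.inbound(Packet("tcp", R3, R1, 40000, 23), now=7)
    r["table"] = fw.show_mirror(now=10)
    r["after_idle"] = fw.inbound(Packet("tcp", R3, R1, 23, 15837), now=306)
    # Ping sourced from R2 itself, first without and then with local policy routing.
    r["r2_ping_out"] = fw.outbound(Packet("icmp", R2, R3), now=400, from_router=True)
    r["r2_ping_reply"] = fw.inbound(Packet("icmp", R3, R2), now=401)
    fw.local_policy_routing = True
    r["r2_ping_out_pbr"] = fw.outbound(Packet("icmp", R2, R3), now=402, from_router=True)
    r["r2_ping_reply_pbr"] = fw.inbound(Packet("icmp", R3, R2), now=403)
    return r


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```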
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
</div>
MPLS Part1 (published 2015-06-20T18:20:00.004-07:00, updated 2015-06-25T17:37:38.160-07:00) <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
<b><span style="color: #274e13;">VRF-lite:</span></b><o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
VRFs create an instance of the routing table. <o:p></o:p></div>
<div class="MsoNoSpacing">
<span style="background: white; color: #333333; font-family: "Georgia","serif";">VRF, when used inside a single router or without MPLS is VRF-Lite</span><o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can create VRFs in two ways<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Legacy method—supports only ipv4<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#ip
vrf VPN_A<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#int
fa0/0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config-if)#ip
vrf forwarding VPN_A</span></i></div>
<div class="MsoNoSpacing">
When applied, this will remove only the ipv4 address
attached to the interface. The ipv6 address of the interface will be part of
global routing table and ipv4 address will be part of corresponding VRF table<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Newer method—supports ipv4 and ipv6; the address families must be enabled
with address-family commands under the vrf<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#vrf
definition VPN_B<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config-vrf)#address-family
ipv4<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config-vrf)#address-family
ipv6</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#int
fa0/0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config-if)#vrf
forwarding VPN_B</span></i></div>
<div class="MsoNoSpacing">
When applied, this will remove both the ipv4 and ipv6
addresses attached to the interface.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Each VRF instance has its own RIB and FIB.<o:p></o:p></div>
<div class="MsoNoSpacing">
An interface in VRF instance A1 cannot ping an interface
in VRF instance A2.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
To facilitate inter VRF reachability,<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->ip route vrf VRF_Name prefix mask [interface] [next-hop] → the interface can be in
any VRF<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="background: yellow; font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol; mso-highlight: yellow;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The other option is to use the “global” keyword
on the end of the route statement to instruct the router to look up the next
hop from the global routing table<span style="background: yellow; mso-highlight: yellow;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Some useful show commands,<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">Show vrf<o:p></o:p></span></i></div>
<i><span style="background: lime; mso-highlight: lime;">Show run vrf</span></i><br />
<i><span style="background: lime; mso-highlight: lime;"><br /></span></i>
<div class="MsoNoSpacing">
<b><span style="color: #274e13;">LDP:</span><o:p></o:p></b></div>
<div class="MsoNoSpacing">
LDP advertises its router-id as the transport address in
the hello discovery messages.<o:p></o:p></div>
<div class="MsoNoSpacing">
So make sure the router-id is reachable.<b> There must be an exact match for the
router-id in the routing table.<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The hello messages are sent to 224.0.0.2 on the UDP port
646.<o:p></o:p></div>
<div class="MsoNoSpacing">
After discovering a neighbor, the tcp connection will be
established on 646 and labels are exchanged.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can change the transport address <o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config)#int
fa0/0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config-if)#mpls
ldp discovery transport-address interface</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The tcp session will be reestablished on giving the above
command.<o:p></o:p></div>
<div class="MsoNoSpacing">
The TCP connection can be authenticated using an MD5 hash
option.<o:p></o:p></div>
<div class="MsoNoSpacing">
The hashing key is
defined per-neighbor by using the command <i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">mpls ldp neighbor <IP> password <password>.</span></i> <o:p></o:p></div>
<div class="MsoNoSpacing">
The IP address here is the neighbor’s LDP Router ID. To
make the use of passwords mandatory, we need the global command <i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">mpls ldp password required.</span></i><o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
When an LDP session is established, the hold time used
for the session is the lower of the values configured on the two routers.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config)#mpls
ldp holdtime 45</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
To change the neighbor discovery interval and hold time<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config)#mpls
ldp discovery hello interval 15<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config)#mpls
ldp discovery hello holdtime 45</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
To change the router-id <o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R1(config)#mpls
ldp router-id lo0 force</span></i> → <b><i><span style="font-size: 10.0pt;">If force is not used, the router must be
reloaded for the change to take effect</span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="font-size: 10.0pt;">‘Force’ will
reset the tcp session</span></i></b><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Normally, LDP advertises ‘implicit-null’ (i.e. label 3)
for connected routes, so the PHP router will pop the label before sending the
packet.<o:p></o:p></div>
<div class="MsoNoSpacing">
If the packet carries QoS markings and we don’t want
the PHP router to pop the top label, we can configure the router to advertise
‘explicit-null’ for connected routes.<o:p></o:p></div>
<div class="MsoNoSpacing">
In such a case, the router will receive packets with
‘label 0’ for connected routes.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">R1(config)#mpls ldp explicit-null for <prefixes> to
<ldpPeers></span></i><i><span style="font-size: 10.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Normal traceroute from a customer router to another
customer site:<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">BB1#traceroute
1.1.1.1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 1 10.1.67.6 72 msec 80 msec 60 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 2 10.1.56.5 [MPLS: Label 16 Exp 0] 156 msec
148 msec 152 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 3 10.1.35.3 [MPLS: Label 16 Exp 0] 152 msec
148 msec 128 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 4 10.1.23.2 [MPLS: Label 27 Exp 0] 104 msec
108 msec 104 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 5 10.1.12.1 160 msec 132 msec 132 msec</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The network is<o:p></o:p></div>
<div class="MsoNoSpacing">
R1=====R2-----R3-----R5-----R6=====BB1<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
In the above output, customer is able to see the routers
and transit links in the provider’s network.<o:p></o:p></div>
<div class="MsoNoSpacing">
If we want to hide these details from the customer, we
should configure the following command on the <b>Edge router (not required on all P routers)</b><o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#mpls
ip propagate-ttl<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#no
mpls ip propagate-ttl forwarded</span></i> → <b><i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">With this, the TTL is not copied from the IP header into the
MPLS label for forwarded traffic only; for locally generated traffic it works
normally.<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">So the traceroute from PE routers will show all
the transit links and for CE they will be hidden.</span></i></b><i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The traceroute output from the CE and PE routers will then
look as follows:<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">BB1#traceroute
1.1.1.1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 1 10.1.67.6 84 msec 72 msec 72 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 2 10.1.23.2 [MPLS: Label 27 Exp 0] 124 msec
120 msec 124 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 3 10.1.12.1 152 msec 132 msec 124 msec</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">R6(config)#do
traceroute 1.1.1.</span></i><span style="background: lime; mso-highlight: lime;">1<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 1 10.1.56.5 [MPLS: Label 16 Exp 0] 120 msec
168 msec 140 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 2 10.1.35.3 [MPLS: Label 16 Exp 0] 104 msec
112 msec 112 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 3 10.1.23.2 [MPLS: Label 27 Exp 0] 80 msec 92
msec 84 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 4 10.1.12.1 120 msec 108 msec 104 msec</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#mpls
ip propagate-ttl<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">R6(config)#no
mpls ip propagate-ttl local </span></i><b><i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">→ The IP TTL is not copied into the
MPLS label for locally generated traffic
only; for forwarded traffic it is copied as normal.<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: yellow; font-size: 10.0pt; mso-highlight: yellow;">So a traceroute from the CE routers will show all
the transit links, and for the PE router they will be hidden.</span></i></b><b><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">R6(config)#do
traceroute 1.1.1.1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 1 10.1.23.2 [MPLS: Label 27 Exp 0] 120 msec
84 msec 140 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 2 10.1.12.1 132 msec 160 msec 108 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">R6(config)#</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;">BB1#traceroute
1.1.1.1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 1 10.1.67.6 60 msec 56 msec 56 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 2 10.1.56.5 [MPLS: Label 16 Exp 0] 172 msec
156 msec 152 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 3 10.1.35.3 [MPLS: Label 16 Exp 0] 280 msec
148 msec 124 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 4 10.1.23.2 [MPLS: Label 27 Exp 0] 140 msec
112 msec 104 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-highlight: lime;"> 5 10.1.12.1 124 msec 128 msec 128 msec</span></i><i><span style="font-size: 10.0pt;"><o:p></o:p></span></i></div>
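<div class="MsoNoSpacing">
The four traceroute listings above can be reproduced with a small TTL model. This is an added example, not part of the original notes: the router names, addresses and labels are copied from the listings, while the TTL rules (in particular the rule applied when R2 pops the label) are a simplifying assumption chosen to match them.</div>

```python
"""Simplified model of MPLS TTL handling on the path shown on this page."""

# (router, address that answers a probe, label the packet carries on arrival)
# Names, addresses and labels are copied from the traceroute listings.
PATH = [
    ("R6", "10.1.67.6", None),  # ingress LER, receives plain IP from BB1
    ("R5", "10.1.56.5", 16),
    ("R3", "10.1.35.3", 16),
    ("R2", "10.1.23.2", 27),    # penultimate hop, pops the label
    ("R1", "10.1.12.1", None),  # owns 1.1.1.1, receives plain IP
]
PENULTIMATE = "R2"
DESTINATION = "10.1.12.1"
HIDDEN_TTL = 255  # label TTL imposed when the IP TTL is not propagated


def probe(ip_ttl, source="BB1", propagate_forwarded=True, propagate_local=True):
    """Return (address, incoming label) of the router answering one probe."""
    if source == "BB1":
        # Forwarded traffic: R6 routes the customer's packet before labelling it.
        ip_ttl -= 1
        if ip_ttl == 0:
            return PATH[0][1], None
        propagate = propagate_forwarded
    elif source == "R6":
        # Locally generated traffic: R6 does not decrement its own packet.
        propagate = propagate_local
    else:
        raise ValueError("source must be 'BB1' or 'R6'")

    # Label imposition on R6: copy the IP TTL, or hide it behind 255.
    label_ttl = ip_ttl if propagate else HIDDEN_TTL

    for name, addr, label in PATH[1:]:
        if label is None:
            return addr, None          # unlabelled again: R1 is the target
        label_ttl -= 1
        if label_ttl == 0:
            return addr, label         # expired inside the LSP
        if name == PENULTIMATE:
            # Assumed pop rule: the exposed IP TTL becomes the smaller of the
            # label TTL and the IP TTL minus one, so it can never increase.
            ip_ttl = min(label_ttl, ip_ttl - 1)
            if ip_ttl <= 0:
                return addr, label
    raise RuntimeError("PATH must end at the destination")


def traceroute(source="BB1", max_ttl=30, **knobs):
    """Send probes with TTL 1, 2, ... and collect the answering hops."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = probe(ttl, source, **knobs)
        hops.append(hop)
        if hop[0] == DESTINATION:
            break
    return hops


def hidden_addresses(source, **knobs):
    """Addresses a default traceroute reveals that the given settings hide."""
    shown = {addr for addr, _ in traceroute(source, **knobs)}
    return [addr for addr, _ in traceroute(source) if addr not in shown]


def render(hops):
    """Format hops in the style of the IOS output quoted on this page."""
    lines = []
    for number, (addr, label) in enumerate(hops, start=1):
        tag = f" [MPLS: Label {label} Exp 0]" if label is not None else ""
        lines.append(f" {number} {addr}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    scenarios = [
        ("BB1, defaults", "BB1", {}),
        ("BB1, no propagate-ttl forwarded", "BB1", {"propagate_forwarded": False}),
        ("R6, no propagate-ttl forwarded", "R6", {"propagate_forwarded": False}),
        ("R6, no propagate-ttl local", "R6", {"propagate_local": False}),
    ]
    for title, source, knobs in scenarios:
        print(title)
        print(render(traceroute(source, **knobs)))
        print(" hidden:", hidden_addresses(source, **knobs))
```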
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i>LDP targeted hellos:<o:p></o:p></i></b></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Used to establish an LDP adjacency with devices that are
not directly connected<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Hellos are sent as unicast<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Normally used in TE for LDP session between
tunnel endpoints<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->When enabled between directly connected devices,
may improve the convergence by retaining the labels even when the link to
neighbor is down.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
By default, LDP will generate and advertise labels for
every prefix found in the local routing table.<o:p></o:p></div>
<div class="MsoNoSpacing">
If we want to change this behavior and generate labels
only for specific prefixes, we can use an access list to select the prefixes
eligible for label generation.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">R4(config)#no mpls ldp advertise-labels </span></i><b><i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">→ This command must be entered for the change to be seen</span></i></b><i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: yellow;">R4(config)#mpls ldp advertise-labels for 10</span></i> </div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
A sample traceroute in a network where LDP is not enabled everywhere:</div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">R1#traceroute 10.1.67.7<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;"> 1 10.1.12.2 [MPLS: Label 26 Exp
0] 72 msec 52 msec 52 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;"> 2 10.1.23.3 48 msec 56 msec 68
msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;"> 3 10.1.35.5 [MPLS: Label 25 Exp
0] 100 msec 100 msec 44 msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;"> 4 10.1.56.6 104 msec 120 msec 68
msec<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;"> 5 10.1.67.7 120 msec 132 msec 128
msec</span></i><i><span style="font-size: 10.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Some useful show commands</div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">Sh mpls ldp binding 10.1.67.0 24 → to check the LIB<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">Sh mpls forwarding-table 10.1.67.0 24 → to check the LFIB<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">Sh mpls ldp discovery detail<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">Sh mpls ldp neighbor<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
</div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 10.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">Sh mpls ldp parameter</span></i><i><span style="font-size: 10.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></i></div>
<br />
<div class="MsoNoSpacing">
<br /></div>
</div>
DMVPN-Part2 (published 2015-06-17T18:32:00.000-07:00, updated 2015-06-18T09:26:21.903-07:00)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
<b>Routing protocols
in Phase 1:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The next hop will always be the HUB.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
In Phase 1, the control plane should be kept as simple as
possible because the data plane is always going to be point-to-point hub-and-spoke
tunnels, regardless of the next hop and routing protocol.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>Eigrp:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Once EIGRP is enabled, the spokes can establish adjacency
with the hub.<o:p></o:p></div>
<div class="MsoNoSpacing">
They can’t establish adjacency with other spokes because they
cannot replicate multicast traffic directly between themselves (in all three
phases of DMVPN).<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
To establish connectivity between spokes, we have two
options.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The first is to advertise a default route:<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#ip summary-address
eigrp 100 0.0.0.0 0.0.0.0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The second is to disable split horizon. Spokes will learn
the routes from other spokes, but the next hop will be the hub.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#no ip
split-horizon eigrp 100</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>ODR:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
ODR is based on CDP.<o:p></o:p></div>
<div class="MsoNoSpacing">
CDP is enabled by default from IOS 15.x. Just make sure
CDP is running on the tunnel interfaces.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: lime;">R5#show
cdp neighbors</span><span style="background: white;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: white;">Steps to run ODR<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: white;">First, enable CDP on the tunnel interface:<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config)#cdp run<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#cdp enable</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Enable ODR. This must be done on the hub; the hub will
announce a default route to the spokes, and the spokes will send their connected-link
information to the hub in CDP messages.<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config)#router odr</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
If any other routing protocol is enabled, ODR will not
run.<o:p></o:p></div>
<div class="MsoNoSpacing">
<b>Exchange routing
information without enabling any routing protocol.<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>BGP:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
One of the major advantages of DMVPN is that
we can easily add a spoke without changing any configuration
on the existing devices.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
When using BGP, this advantage is lost. We may have to
make BGP configuration changes and policy changes.<o:p></o:p></div>
<div class="MsoNoSpacing">
We can use dynamic BGP configuration as a workaround for
this.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can use iBGP or eBGP to speak to the HUB.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>RIP:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
Normal configuration commands to enable rip.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We can send a default route to the spokes as follows:<o:p></o:p></div>
<div style="background: white; line-height: 14.4pt; margin-bottom: 12.0pt; margin-left: 0in; margin-right: 0in; margin-top: 0in; vertical-align: baseline;">
<i><span style="background: yellow; font-family: Calibri, sans-serif; font-size: 11pt;">R5(config)#route-map DEFAULT permit 10<br />
R5(config-route-map)#set interface Tunnel0<br />
R5(config)#router rip<br />
R5(config-router)#default-information originate route-map DEFAULT</span></i><i><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></i></div>
<div style="background: white; line-height: 14.4pt; margin-bottom: 12.0pt; margin-left: 0in; margin-right: 0in; margin-top: 0in; vertical-align: baseline;">
<i><span style="font-family: Calibri, sans-serif; font-size: 10pt;">Or<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
Disable split horizon<o:p></o:p></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow; mso-shading: white;">R5(config)#int
Tu0</span><span style="background: yellow; mso-highlight: yellow;"><br />
R5(config-if)#</span></i><strong><i><span style="background: yellow; border: 1pt none windowtext; font-family: Calibri, sans-serif; padding: 0in;">no ip
split-horizon</span></i></strong><i><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>OSPF:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
When OSPF is configured over GRE tunnel interfaces, the
OSPF network type defaults to point-to-point. <o:p></o:p></div>
<div class="MsoNoSpacing">
This is not supported in a DMVPN design, because the hub
must maintain multiple adjacencies on the same interface, one for each remote
spoke. <o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
In DMVPN Phase 1 with OSPF, the OSPF network type is set
to point-to-multipoint on the hub at a minimum. With the hub being OSPF network
type point-to-multipoint and the spokes being OSPF network type point-to-point,
adjacency is supported, as long as the timer values match. <o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">DMVPN PHASE2:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">The
main problem with Phase 1 is that all spoke-to-spoke traffic must pass through
the hub, putting huge stress on the hub's resources.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">This
limitation was primarily due to the configuration of the spoke as a ‘point-to-point
GRE tunnel’ rather than a ‘multipoint GRE tunnel’.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Phase 2
permits spoke-to-spoke tunnels; for this we need to configure the spokes as ‘multipoint
GRE tunnels’.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The
only configuration change we need to make, on all the spokes, is:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#no tunnel
destination </span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ removes the point-to-point tunnel setting</span></i></b><i><span style="background: yellow; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#tunnel mode gre
multipoint </span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ enables the multipoint GRE tunnel on the spokes<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">No
configuration changes on the hub.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Routing
tables in Phase 2:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">We
now know all the networks behind the spokes, with their next hops.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">R4#sh ip route<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">Gateway of last resort is not set<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;"> 14.0.0.0/8 is variably
subnetted, 2 subnets, 2 masks<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">C 14.1.1.0/24 is directly connected, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">L 14.1.1.4/32 is directly
connected, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;"> 150.1.0.0/32 is subnetted, 5
subnets<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">D 150.1.1.1 [90/28288000]
via 14.1.1.1, 00:00:16, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">D 150.1.2.2 [90/28288000]
via 14.1.1.2, 00:00:16, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">D 150.1.3.3 [90/28288000]
via 14.1.1.3, 00:00:16, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">C 150.1.4.4 is directly
connected, Loopback0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<b><i><span style="background: lime; mso-highlight: lime;">D 150.1.5.5 [90/27008000]
via 14.1.1.5, 00:00:33, Tunnel0<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">The
implications are<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l4 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 13.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Summarization is not allowed on the hub → if summarized, all the
traffic will take the path spoke-hub-spoke<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l4 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 13.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Next-hop must always be preserved by the hub<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Routing protocols in phase2:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Eigrp:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">The
following configuration must be done on the hub<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#no ip
split-horizon eigrp 100 → to advertise networks behind the
spokes<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#no ip
next-hop-self eigrp 100<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">OSPF:</span></b><span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">One
of the main requirements in Phase 2 is that the routing protocol must preserve the
next hop.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">We
need to use an OSPF network type that preserves the next hop, so OSPF network
type point-to-multipoint is not supported in Phase 2.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 13.0pt; mso-bidi-font-size: 11.0pt;">Routing
table with OSPF network type point-to-multipoint:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 12.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">R2#show ip route ospf <o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 12.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">O 150.1.1.1 [110/2001] via
14.1.1.5, 00:0:27, Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 12.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">O 150.1.3.3 [110/2001] via
14.1.1.5, 00:0:27, Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; font-size: 12.0pt; mso-bidi-font-size: 11.0pt; mso-highlight: lime;">O 150.1.4.4 [110/2001] via
14.1.1.5, 00:0:34, Tunnel0</span></i><i><span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
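<div class="MsoNoSpacing">
A quick way to check whether a spoke's routing table preserves the next hop, run here against the point-to-multipoint listing above and the earlier Phase 2 EIGRP listing from R4. This is an added example, not part of the original notes; treating 14.1.1.5 as the hub's tunnel address and 150.1.5.5 as the hub's own loopback is an assumption based on the addressing in those listings.</div>

```python
import re

# One routed entry of "show ip route", for example:
#   O 150.1.1.1 [110/2001] via 14.1.1.5, 00:0:27, Tunnel0
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Za-z*]+(?:\s+[A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3}),"
    r"(?:\s+[\w:]+,)?\s+(?P<interface>\S+)\s*$"
)

# Assumptions taken from the addressing in the listings on this page.
HUB_TUNNEL_IP = "14.1.1.5"
HUB_PREFIXES = {"150.1.5.5"}

# Copied from the listings on this page.
R2_OSPF_P2MP = """\
R2#show ip route ospf
O 150.1.1.1 [110/2001] via 14.1.1.5, 00:0:27, Tunnel0
O 150.1.3.3 [110/2001] via 14.1.1.5, 00:0:27, Tunnel0
O 150.1.4.4 [110/2001] via 14.1.1.5, 00:0:34, Tunnel0
"""

R4_EIGRP_PHASE2 = """\
R4#sh ip route
C 14.1.1.0/24 is directly connected, Tunnel0
L 14.1.1.4/32 is directly connected, Tunnel0
D 150.1.1.1 [90/28288000] via 14.1.1.1, 00:00:16, Tunnel0
D 150.1.2.2 [90/28288000] via 14.1.1.2, 00:00:16, Tunnel0
D 150.1.3.3 [90/28288000] via 14.1.1.3, 00:00:16, Tunnel0
C 150.1.4.4 is directly connected, Loopback0
D 150.1.5.5 [90/27008000] via 14.1.1.5, 00:00:33, Tunnel0
"""


def parse_routes(show_ip_route):
    """Return one dict per learned route; prompts and connected lines are skipped."""
    routes = []
    for line in show_ip_route.splitlines():
        match = ROUTE_RE.match(line)
        if match:
            routes.append(match.groupdict())
    return routes


def hairpinned_prefixes(show_ip_route, hub_tunnel_ip, hub_prefixes=(), tunnel="Tunnel0"):
    """Prefixes reached over the tunnel via the hub that the hub does not own.

    Any prefix returned here belongs to another spoke but points at the hub,
    so traffic to it takes the spoke-hub-spoke path instead of a direct tunnel.
    """
    flagged = []
    for route in parse_routes(show_ip_route):
        if route["interface"] != tunnel:
            continue
        if route["next_hop"] == hub_tunnel_ip and route["prefix"] not in hub_prefixes:
            flagged.append(route["prefix"])
    return flagged


if __name__ == "__main__":
    for name, output in (("R2 OSPF point-to-multipoint", R2_OSPF_P2MP),
                         ("R4 EIGRP Phase 2", R4_EIGRP_PHASE2)):
        flagged = hairpinned_prefixes(output, HUB_TUNNEL_IP, HUB_PREFIXES)
        verdict = "next hop rewritten to hub for " + ", ".join(flagged) if flagged else "next hops preserved"
        print(f"{name}: {verdict}")
```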
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">To
run OSPF in Phase 2, we need to use network type broadcast or NBMA, which preserves
the next hop.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">This
means:<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 14.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">We need to configure the spokes so that they never become DR or BDR (direct
spoke-to-spoke flooding is not possible; the spokes are all in the same layer 3 but not
in the same layer 2)<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 14.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">No more than 2 hubs are permitted: one DR and one BDR<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">By
default the network type on the tunnel interface is point-to-multipoint, so the
following configuration must be done on the spokes:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#ip ospf priority 0
</span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ so
that spokes never attempt to become DR/BDR, because the hub cannot preempt them
once they think they are DR/BDR</span></i></b><i><span style="background: yellow; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#ip ospf network
broadcast<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">On
the hub,<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#ip ospf network
broadcast<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The
routing table with ospf network type broadcast/NBMA<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">R2#show ip route ospf <o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">O 150.1.1.1 [110/2001] via 14.1.1.1,
00:0:27, Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">O 150.1.3.3 [110/2001] via 14.1.1.3,
00:0:27, Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: lime; mso-highlight: lime;">O 150.1.4.4 [110/2001] via 14.1.1.4,
00:0:34, Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The
next-hop is preserved, and when R2 wants to communicate with 150.1.3.3, a
spoke-to-spoke tunnel will be established between R2 and R3.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">A
nice and simple explanation of spoke-to-spoke tunnel creation,<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;"><a href="https://fredrikjj.wordpress.com/2014/08/14/mgre-and-nhrp-static-phase-1-phase-2/">https://fredrikjj.wordpress.com/2014/08/14/mgre-and-nhrp-static-phase-1-phase-2/</a><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">Here
are the steps,<o:p></o:p></span></div>
<ol start="1" type="1">
<li class="MsoNormal" style="background: white; line-height: 17.05pt; mso-list: l3 level1 lfo3; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">R2
gets a packet with a next hop R3. There is no NHRP map entry for R3, so an
NHRP resolution request is sent to the hub.<o:p></o:p></span></li>
<li class="MsoNormal" style="background: white; line-height: 17.05pt; mso-list: l3 level1 lfo3; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">The
request from R2 will also have the NBMA address of R2. The hub relays the
request to R3.<o:p></o:p></span></li>
<li class="MsoNormal" style="background: white; line-height: 17.05pt; mso-list: l3 level1 lfo3; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">R3
receives the request, adds its own address mapping to it and sends it as
an NHRP reply directly to R2.<o:p></o:p></span></li>
<li class="MsoNormal" style="background: white; line-height: 17.05pt; mso-list: l3 level1 lfo3; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">R3
then sends its own request to the hub that relays it to R2.<o:p></o:p></span></li>
<li class="MsoNormal" style="background: white; line-height: 17.05pt; mso-list: l3 level1 lfo3; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">R2
receives the request from R3 via the hub and replies by adding its own
mapping to the packet and sending it directly to R3<o:p></o:p></span></li>
</ol>
<div class="MsoNormal" style="background: white; line-height: 17.05pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-size: 12.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman";">Technically,
the requests themselves provide enough information to build a spoke to spoke
tunnel but the replies accomplish two things. They acknowledge to the other
spoke that the request was received and also verify that spoke to spoke NBMA
reachability exists.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">DMVPN PHASE3:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The
problem with phase2 is scalability.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo4; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 14.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">Summarization is not allowed at the hub; as a result, all the spokes must
have routes to all the subnets. This results in huge routing tables/updates.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l2 level1 lfo4; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 14.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">Scalability degrades as the number of devices increases; a very good explanation is
provided at the following link:</span> <span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;"><a href="http://brbccie.blogspot.in/2014/05/dmvpn.html">http://brbccie.blogspot.in/2014/05/dmvpn.html</a><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">Phase3
solves the main issue of phase1 in a different way.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">When
the spoke forwards a packet to the hub, the hub will check if the destination
is reachable via the same tunnel and, in such a case, will redirect the spoke to
the spoke attached to the destination.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">This is how
phase3 works,<o:p></o:p></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-hdNyiOgZKtw/VYLwqLUElII/AAAAAAAAAFE/4zCBpsE1b50/s1600/phase3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="289" src="http://1.bp.blogspot.com/-hdNyiOgZKtw/VYLwqLUElII/AAAAAAAAAFE/4zCBpsE1b50/s640/phase3.JPG" width="640" /></a></div>
<span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">1.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">R1 and R2 announce their
attached subnets to the hub.</span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">2.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The hub can be configured to
advertise a default route to the spokes.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">3.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">When R1 needs to send traffic
to 23.1.1.1, it will send the packet to the hub.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">4.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">The hub will see that the
destination is reachable via the same tunnel, so it will send an NHRP redirect
packet to R1.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">5.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">R1 will send an NHRP
resolution request for the IP 23.1.1.1. The hub will relay this NHRP request to
R2.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">6.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">R2 will send the NHRP reply
directly to R1 (the NHRP request packet will have the NBMA address of R1).<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo5; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-size: 14.0pt; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-bidi-theme-font: minor-latin;">7.<span style="font-size: 7pt; font-stretch: normal;"> </span></span><!--[endif]--><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">R1 will install a route in
its routing table for the prefix 23.1.1.0/24 via 22.1.1.1 with an AD of 250<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">In phase3, a new route is installed in the routing
table that tells the spoke how to reach the remote spoke.<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">We can do summarization and use default routes at
the hub.<o:p></o:p></span></div>
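<div class="MsoNoSpacing">
Added example (not from the original post): a small Python model of the NHRP exchanges listed above for phase 2 (steps 1 to 5) and phase 3 (steps 1 to 7), showing why phase 2 needs the real next hop on every spoke while phase 3 still builds the shortcut behind a default route. Router names and the 14.1.1.x / 169.254.100.x / 150.1.x.x plan follow the page's lab; the classes, the R2 and R3 NBMA addresses and the route distance of 90 are assumptions, and only the AD of 250 comes from the text.</div>

```python
import ipaddress

NHRP_AD = 250  # administrative distance the page gives for the NHRP shortcut route


class Router:
    def __init__(self, name, overlay, nbma, lan):
        self.name, self.overlay, self.nbma = name, overlay, nbma
        self.lan = ipaddress.ip_network(lan)
        self.nhrp = {}    # overlay (tunnel) address -> NBMA (underlay) address
        self.routes = []  # (prefix, next-hop overlay address, administrative distance)

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        addr = ipaddress.ip_address(dst)
        return max((r for r in self.routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen)


class Dmvpn:
    def __init__(self, hub, spokes, summarize, redirect):
        self.hub, self.spokes, self.redirect = hub, spokes, redirect
        self.by_overlay = {r.overlay: r for r in [hub, *spokes]}
        self.log = []  # (sender, receiver, message) for every NHRP packet
        for s in spokes:
            s.nhrp[hub.overlay] = hub.nbma  # static map to the hub (NHS)
            hub.nhrp[s.overlay] = s.nbma    # learned when the spoke registers
            hub.routes.append((s.lan, s.overlay, 90))
            if summarize:   # spokes only get a default route pointing at the hub
                s.routes.append((ipaddress.ip_network("0.0.0.0/0"), hub.overlay, 90))
            else:           # every prefix, next hop preserved (phase 2 requirement)
                s.routes += [(o.lan, o.overlay, 90) for o in spokes if o is not s]

    def _resolve(self, asker, target):
        """The request travels via the hub; the reply returns spoke to spoke."""
        owner = self.by_overlay.get(target) or \
            self.by_overlay[self.hub.lookup(target)[1]]
        self.log.append((asker.name, self.hub.name, f"resolution request for {target}"))
        self.log.append((self.hub.name, owner.name, f"relayed request from {asker.nbma}"))
        self.log.append((owner.name, asker.name,
                         f"resolution reply {owner.overlay} is at {owner.nbma}"))
        asker.nhrp[owner.overlay] = owner.nbma
        return owner

    def send(self, src, dst):
        """Forward one spoke-to-spoke packet and return the overlay path it takes.

        Simplification of this model: resolution completes before forwarding.
        """
        next_hop = src.lookup(dst)[1]
        if next_hop not in src.nhrp:            # phase 2 steps 1-5: resolve both ways
            peer = self._resolve(src, next_hop)
            self._resolve(peer, src.overlay)
        hop = self.by_overlay[next_hop]
        if hop is not self.hub:
            return [src.name, hop.name]         # direct spoke-to-spoke tunnel
        owner = self.by_overlay[self.hub.lookup(dst)[1]]
        if self.redirect:                       # phase 3 steps 4-7
            self.log.append((self.hub.name, src.name, f"redirect for {dst}"))
            self._resolve(src, dst)
            src.routes.append((owner.lan, owner.overlay, NHRP_AD))
        return [src.name, self.hub.name, owner.name]


def build(summarize, redirect):
    """Constructed lab: hub R5 and spokes R2, R3 using the page's addressing plan."""
    hub = Router("R5", "14.1.1.5", "169.254.100.5", "150.1.5.5/32")
    r2 = Router("R2", "14.1.1.2", "169.254.100.2", "150.1.2.2/32")
    r3 = Router("R3", "14.1.1.3", "169.254.100.3", "150.1.3.3/32")
    return Dmvpn(hub, [r2, r3], summarize, redirect), r2, r3


if __name__ == "__main__":
    for label, summ, redir in [("phase 2", False, False),
                               ("phase 2 + summary", True, False),
                               ("phase 3", True, True)]:
        net, r2, _ = build(summ, redir)
        first, second = net.send(r2, "150.1.3.3"), net.send(r2, "150.1.3.3")
        print(label, first, second, len(net.log), "NHRP packets")
```

<div class="MsoNoSpacing">
The middle case is the one to watch: with a summarized route and no redirect, every packet keeps crossing the hub and no NHRP resolution is ever triggered.</div>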
<div class="MsoNoSpacing" style="margin-left: .25in;">
<br /></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<b><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">Configuration</span></b><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">:<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">On
the hub,<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5(config-if)#ip nhrp redirect<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">On
the spokes,<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R4(config-if)#ip nhrp shortcut</span></i><i><span style="background: yellow; mso-highlight: yellow;"> → make sure tunnel mode is gre multipoint<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b><span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">OSPF:<o:p></o:p></span></b></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">In
phase2, OSPF network type point-to-multipoint is not supported as the hub will not
preserve the next-hop and will always set itself as the next-hop.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-size: 14.0pt; mso-bidi-font-size: 11.0pt;">In
phase3, we can use the point-to-multipoint network type as the hub can send a
redirect message for traffic destined to other spokes.</span><i><span style="background: yellow; mso-highlight: yellow;"><o:p></o:p></span></i></div>
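<div class="MsoNoSpacing">
Added example (not part of the original post or of any Cisco tooling): a Python check that reads the Tunnel0 stanza of a hub and its spokes and reports mismatches in the phase 2 and phase 3 settings described above, plus the NHRP authentication string and tunnel key that the tunnel listings on this page carry. The sample configurations are constructed, modelled on the page's R3 and R5 listings, and the function names are hypothetical.</div>

```python
def tunnel_cmds(config, ifname="Tunnel0"):
    """Commands under one interface stanza of an IOS-style running config."""
    cmds, inside = [], False
    for raw in config.splitlines():
        if raw.lower().startswith("interface "):
            inside = raw.strip().lower() == f"interface {ifname}".lower()
        elif inside and raw.startswith(" "):
            cmds.append(" ".join(raw.split()))
        else:
            inside = False  # "!" or any unindented line closes the stanza
    return cmds


def arg(cmds, prefix):
    """Argument of the first command that starts with prefix, else None."""
    return next((c[len(prefix) + 1:] for c in cmds if c.startswith(prefix + " ")), None)


def audit(hub_cfg, spoke_cfgs):
    """Return (device, finding) tuples for hub/spoke settings that disagree."""
    hub, out = tunnel_cmds(hub_cfg), []
    redirect = "ip nhrp redirect" in hub
    if arg(hub, "tunnel mode") != "gre multipoint":
        out.append(("hub", "tunnel mode must be gre multipoint"))
    for name, cfg in spoke_cfgs.items():
        sp = tunnel_cmds(cfg)
        shortcut = "ip nhrp shortcut" in sp
        ospf = arg(sp, "ip ospf network")
        # Findings never echo the configured values, only which key differs.
        for key in ("ip nhrp authentication", "tunnel key"):
            if arg(sp, key) != arg(hub, key):
                out.append((name, f"'{key}' does not match the hub"))
        if shortcut and arg(sp, "tunnel mode") != "gre multipoint":
            out.append((name, "ip nhrp shortcut needs tunnel mode gre multipoint"))
        if shortcut and not redirect:
            out.append((name, "ip nhrp shortcut set but hub has no ip nhrp redirect"))
        if ospf != arg(hub, "ip ospf network"):
            out.append((name, "OSPF network type differs from the hub"))
        if ospf in ("broadcast", "non-broadcast") and arg(sp, "ip ospf priority") != "0":
            out.append((name, "spoke can be elected DR/BDR: set ip ospf priority 0"))
        if ospf == "point-to-multipoint" and not (shortcut and redirect):
            out.append((name, "point-to-multipoint without redirect/shortcut: "
                              "hub becomes the next hop"))
    return out


# Constructed sample configurations (not taken from a real device).
HUB = """
interface Tunnel0
 ip address 14.1.1.5 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 2
!
"""

SPOKE_R4 = """
interface Tunnel0
 ip address 14.1.1.4 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map 14.1.1.5 169.254.100.5
 ip nhrp nhs 14.1.1.5
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 2
!
"""

# Phase 1 style spoke left behind after a migration: point-to-point tunnel,
# wrong key, and still eligible for DR election.
SPOKE_R3 = """
interface Tunnel0
 ip address 14.1.1.3 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map 14.1.1.5 169.254.100.5
 ip nhrp nhs 14.1.1.5
 ip nhrp shortcut
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0.100
 tunnel destination 169.254.100.5
 tunnel key 3
!
"""

if __name__ == "__main__":
    for device, finding in audit(HUB, {"R4": SPOKE_R4, "R3": SPOKE_R3}):
        print(f"{device}: {finding}")
```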
<br />
<div class="MsoNoSpacing" style="margin-left: .25in;">
<br /></div>
</div>
Anonymoushttp://www.blogger.com/profile/16547104544524126934noreply@blogger.com0tag:blogger.com,1999:blog-6535850563298713199.post-71261281327678239432015-06-10T11:57:00.005-07:002015-06-10T12:03:18.535-07:00DMVPN-Part1<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
DMVPN solves some of the scalability issues with GRE
tunnels.<o:p></o:p></div>
<div class="MsoNoSpacing">
Highly scalable<o:p></o:p></div>
<div class="MsoNoSpacing">
Easy configuration<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>DMVPN Phase1:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
In phase1 of DMVPN, the hub is a multipoint GRE tunnel
and the spokes are point-to-point GRE tunnels. It means<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Spoke to spoke traffic must go through hub<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Simplified routing-just a default route on
spokes will do<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Summarization and default routing can be used on
the hub<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Next hop is always changed by the hub<o:p></o:p></div>
<div class="MsoNoSpacing" style="margin-left: .5in;">
<br /></div>
<div class="MsoNoSpacing">
Here is the sample topology for discussion<o:p></o:p></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-wXCxmNDXsEI/VXiHA7tIhyI/AAAAAAAAAEA/Z09Gdwks-R0/s1600/topo.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="327" src="http://4.bp.blogspot.com/-wXCxmNDXsEI/VXiHA7tIhyI/AAAAAAAAAEA/Z09Gdwks-R0/s400/topo.JPG" width="400" /></a></div>
<div class="MsoNoSpacing">
The IP address used is just to illustrate that the spoke just
needs an internet connection to be part of DMVPN and each of them can be in any
arbitrary network as long as connectivity is available.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
For our discussions and configurations,<o:p></o:p></div>
<div class="MsoNoSpacing">
NBMA address: 169.254.100.xx<o:p></o:p></div>
<div class="MsoNoSpacing">
Overlay DMVPN network: 14.1.1.xx<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
We do ping tests on the loopbacks of the devices; the IP addresses
are 150.1.x.x<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b>Configuration:<o:p></o:p></b></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Spoke Configuration,<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R3# sh run int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">Building configuration...<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">Current configuration : 352
bytes<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">!<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">interface Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip address 14.1.1.3 255.255.255.0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip mtu 1400<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp authentication NHRPAUTH<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp group INE<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp map multicast 169.254.100.5<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp map 14.1.1.5 169.254.100.5<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp network-id 1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> <b>ip nhrp nhs 14.1.1.5 ----------------</b></span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ Overlay address of the HUB</span></i></b><i><span style="background: yellow; mso-highlight: yellow;"><o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip tcp adjust-mss 1360<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> tunnel source GigabitEthernet0/0.100<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> <b>tunnel destination 169.254.100.5 ---</b></span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ NBMA/Public/Underlay address of the HUB<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> tunnel key 2<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">end</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
HUB Configuration <o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">R5#sh run int tun0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">Building configuration...<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">Current configuration : 293
bytes<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">!<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">interface Tunnel0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip address 14.1.1.5 255.255.255.0<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> no ip redirects<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> no ip split-horizon eigrp 100<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp authentication NHRPAUTH<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp group INE<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp map multicast dynamic<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> ip nhrp network-id 1<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> tunnel source GigabitEthernet0/0.100<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> <b>tunnel mode gre multipoint----</b></span></i><b><i><span style="background: yellow; mso-highlight: yellow;">→ Mode must be multipoint on HUB; a destination should be
specified on spokes.<o:p></o:p></span></i></b></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;"> tunnel key 2<o:p></o:p></span></i></div>
<div class="MsoNoSpacing">
<i><span style="background: yellow; mso-highlight: yellow;">end</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Once the DMVPN network is established and a routing
protocol, say EIGRP, is enabled, the routers will form adjacencies as if they were
connected on a LAN.<o:p></o:p></div>
<div class="MsoNoSpacing">
The spoke will multicast the hello packets to the hub.<o:p></o:p></div>
<div class="MsoNoSpacing">
The hub will multicast the hello packets to the spokes; it’s
basically replication of the packets.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-sTza_5JYB_w/VXiHDxrwj1I/AAAAAAAAAEU/4FHqBRGnq_s/s1600/dmvpn_multicast.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="264" src="http://2.bp.blogspot.com/-sTza_5JYB_w/VXiHDxrwj1I/AAAAAAAAAEU/4FHqBRGnq_s/s640/dmvpn_multicast.JPG" width="640" /></a></div>
<br />
<div class="MsoNoSpacing">
The routes learned on a router<o:p></o:p><br />
<br /></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-qG7R14UYdwQ/VXiJI1QhIZI/AAAAAAAAAE0/qxGozkiF888/s1600/dmvpn_route_phase1.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="505" src="http://4.bp.blogspot.com/-qG7R14UYdwQ/VXiJI1QhIZI/AAAAAAAAAE0/qxGozkiF888/s640/dmvpn_route_phase1.JPG" width="640" /></a></div>
<o:p><br /></o:p></div>
<div class="MsoNoSpacing">
Ping from spoke R1 to spoke R3 will go as follows.<o:p></o:p></div>
<div class="MsoNoSpacing">
The destination is reachable via the DMVPN tunnel, so the ICMP
ping request will get GRE encapsulated.<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
ICMP ping request sent to the hub<o:p></o:p><br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-CdQ30cSLbIA/VXiHD7_dXcI/AAAAAAAAAEk/sjQFXLwi0sk/s1600/dmvpn_ping1.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="235" src="http://1.bp.blogspot.com/-CdQ30cSLbIA/VXiHD7_dXcI/AAAAAAAAAEk/sjQFXLwi0sk/s640/dmvpn_ping1.JPG" width="640" /></a></div>
<div class="MsoNoSpacing">
Hub will re-encapsulate and send it to spoke3<br />
<br /></div>
<div class="MsoNoSpacing">
<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-OEo0NotqnK8/VXiHEDX2JUI/AAAAAAAAAEc/dLvaWqOMFr4/s1600/dmvpn_ping2.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="246" src="http://3.bp.blogspot.com/-OEo0NotqnK8/VXiHEDX2JUI/AAAAAAAAAEc/dLvaWqOMFr4/s640/dmvpn_ping2.JPG" width="640" /></a></div>
<div class="MsoNoSpacing">
Spoke3 will send the reply to the hub</div>
<div class="MsoNoSpacing">
<o:p></o:p></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-RSaeUlNXrxo/VXiHEQLfrwI/AAAAAAAAAEg/1KZoiR-C_AE/s1600/dmvpn_ping3.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="184" src="http://2.bp.blogspot.com/-RSaeUlNXrxo/VXiHEQLfrwI/AAAAAAAAAEg/1KZoiR-C_AE/s640/dmvpn_ping3.JPG" width="640" /></a></div>
<div class="MsoNoSpacing">
<br />
The hub will re-encapsulate the reply and send it to spoke1.<o:p></o:p></div>
<br />
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-0FYWjbyvKqU/VXiHErYU8qI/AAAAAAAAAEo/ixijR644pfw/s1600/dmvpn_ping4.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="210" src="http://3.bp.blogspot.com/-0FYWjbyvKqU/VXiHErYU8qI/AAAAAAAAAEo/ixijR644pfw/s640/dmvpn_ping4.JPG" width="640" /></a></div>
</div>
Anonymoushttp://www.blogger.com/profile/16547104544524126934noreply@blogger.com0tag:blogger.com,1999:blog-6535850563298713199.post-43253517616434309552015-06-09T17:47:00.006-07:002015-06-09T17:48:08.984-07:00IPSec -Part2<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">In this post we will
focus on:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">GRE over IPSec<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IPSec over GRE<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">GRE over IPSec falls
under the category of Route-based VPNs.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Policy-based VPNs have
the following limitations:<o:p></o:p></span></div>
<ul type="disc">
<li class="MsoNormal"><span style="font-family: "Times New Roman","serif"; font-size: 13.5pt; mso-fareast-font-family: "Times New Roman";">They do not support multicast or non-IP traffic.<o:p></o:p></span></li>
<li class="MsoNormal"><span style="font-family: "Times New Roman","serif"; font-size: 13.5pt; mso-fareast-font-family: "Times New Roman";">The interesting traffic must be defined through an
ACL, which increases configuration complexity and maintenance.<o:p></o:p></span></li>
</ul>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="color: #984806; font-family: "Times New Roman","serif"; font-size: 13.5pt; mso-fareast-font-family: "Times New Roman"; mso-themecolor: accent6; mso-themeshade: 128;">GRE Over IPSec</span></i></b><i><span style="color: #984806; font-family: "Times New Roman","serif"; font-size: 13.5pt; mso-fareast-font-family: "Times New Roman"; mso-themecolor: accent6; mso-themeshade: 128;"> (IPSEC is transport):</span></i><span style="color: #984806; font-family: "Times New Roman","serif"; font-size: 13.5pt; mso-fareast-font-family: "Times New Roman"; mso-themecolor: accent6; mso-themeshade: 128;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The resulting packet is basically:<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; margin-left: 34.85pt; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 12.45pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0; mso-yfti-lastrow: yes;">
<td style="background: #9BBB59; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">L2 Header<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">ESP<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">GRE<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IP<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 81.4pt;" valign="top" width="109"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Data<o:p></o:p></span></i></b></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="background: white; font-family: 'Times New Roman', serif; font-size: 12pt;">When doing GRE over IPsec, what really changes
compared with normal IPsec encryption is <b>WHAT MUST BE ENCRYPTED</b>.</span></i><i><span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Whether traffic is encrypted or not depends on the
routing protocol.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">If an OSPF route points to a tunnel and the tunnel is running encryption,
that particular traffic is encrypted.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">This is how the limitation of policy-based VPNs is overcome:
complex and frequent ACL changes are not required.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Configuration-wise, it is the
same as the traditional way of setting up an IPSec tunnel.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">What changes is the way we define the
proxy ACL.</span></i><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">In GRE over IPsec, the proxy
ACL will be just the endpoints of the GRE tunnel:<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">'permit gre host A host B' (or 'permit gre any any')<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Here the crypto map is applied under the physical interface which
the GRE tunnel uses. So GRE encapsulation happens first and encryption second.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">If we apply the crypto map to the GRE interface, it becomes IPSec
over GRE, where encryption happens first and encapsulation second.<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Eg:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">R1----------R2==============R3-----------R4<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">R2==R3 --> GRE over
IPSec tunnel.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">R1 and R4 are end hosts that
run TCP and ping applications.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Configuration Steps:</span></i></b><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Create a GRE tunnel
between R2 and R3.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Create ISAKMP policy.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Create crypto map and
associate it with the physical interface that the tunnel will use.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config)#ip access-list ext GRE</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config-ext-nacl)#permit gre any any</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i><br /></i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config)#crypto map GRE_O_IPSEC 50 ipsec-isakmp</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config-crypto-map)#match address GRE</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config-crypto-map)#set peer 4.4.4.4</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
</div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times New Roman, serif;"><span style="background-color: orange;"><i>R2(config-crypto-map)#set transform-set 3DES_MD5</i></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Transport mode is
negotiated only when the traffic is from one router to the other router (i.e.
sourced locally and sent to the other endpoint).</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">This is controlled by
the proxy ACL.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">For traffic going
through the router --> tunnel mode is always negotiated, irrespective of
configuration.<o:p></o:p></span></i></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">For traffic going to the
router --> tunnel or transport, as per the configuration in the crypto map.<o:p></o:p></span></i></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">If the proxy ACL on R2 is
configured as 'permit gre any any' --> the IPSec mode will be tunnel, irrespective
of the crypto map config.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">If the proxy ACL on R2
is configured as 'permit gre host 10.2.2.2 host 10.4.4.4' and the mode is set to
transport in the crypto map, the IPSec tunnel will come up in
transport mode.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Because of the GRE header
and the ESP header, the MTU gets reduced. So if traffic is sent with the default
MTU, the routers at the tunnel ends have to fragment it,
resulting in higher CPU usage.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">So to avoid
fragmentation, set the MTU to a lower value.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">If the hosts don't run
PMTUD, set the MSS in TCP SYN &amp; SYN-ACK packets.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">On R2,R3:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif; font-size: 13.5pt;"><i>int tunnel0<o:p></o:p></i></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif; font-size: 13.5pt;"><i>ip tcp adjust-mss 1400</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">For UDP, this has to be
done on the end host.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">On R1,R4:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">ip tcp mss 1450 --> This
applies when the TCP session is from the router itself; it affects BGP, MSDP...<o:p></o:p></span></div>
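<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The following Python sketch is an added example, not part of the original post. It applies the proxy ACL mode rule and the overhead reasoning above to the 3DES_MD5 transform set and checks whether a segment clamped to MSS 1400 still fits the link once GRE and ESP are added. Assumptions: a 1500-byte link MTU, 10.2.2.2 and 10.4.4.4 as the tunnel endpoints, IPv4 headers without options, a 4-byte GRE header, ESP with 3DES-CBC and HMAC-MD5-96, no NAT-T; all function names are illustrative.</span></div>

```python
"""On-wire size of GRE over IPsec packets (added example, not from the post).

Assumed sizes: option-less IPv4 (20), base GRE header without key/sequence (4),
ESP with 3DES-CBC (8-byte IV, 8-byte block) and HMAC-MD5-96 (12-byte ICV).
"""
from ipaddress import ip_network

IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8        # 3DES-CBC initialisation vector
ESP_BLOCK = 8     # 3DES block size, plaintext is padded to a multiple of it
ESP_TRAILER = 2   # pad-length byte + next-header byte
ESP_ICV = 12      # HMAC-MD5-96 integrity check value


def negotiated_mode(proxy_src, proxy_dst, local_peer, remote_peer, configured):
    """Mode rule as the post states it: the configured mode is honoured only
    when the proxy ACL is exactly router-to-router; otherwise tunnel mode."""
    router_to_router = (
        ip_network(proxy_src) == ip_network(f"{local_peer}/32")
        and ip_network(proxy_dst) == ip_network(f"{remote_peer}/32")
    )
    return configured if router_to_router else "tunnel"


def wire_size(inner_len, mode):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    plaintext = GRE_HDR + inner_len
    if mode == "tunnel":
        plaintext += IP_HDR   # the GRE delivery header is encrypted as well
    elif mode != "transport":
        raise ValueError(f"unknown IPsec mode: {mode}")
    # Round plaintext + trailer up to the cipher block size.
    padded = -(-(plaintext + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_mss(link_mtu, mode):
    """Largest TCP MSS whose encapsulated packet still fits link_mtu."""
    inner = link_mtu
    while wire_size(inner, mode) > link_mtu:
        inner -= 1
    return inner - IP_HDR - TCP_HDR


def check(proxy_src, proxy_dst, configured, mss, link_mtu=1500,
          local_peer="10.2.2.2", remote_peer="10.4.4.4"):
    """Return (negotiated mode, wire size, needs fragmentation) for a full
    TCP segment of the given MSS sent through the tunnel."""
    mode = negotiated_mode(proxy_src, proxy_dst, local_peer, remote_peer,
                           configured)
    size = wire_size(mss + IP_HDR + TCP_HDR, mode)
    return mode, size, size > link_mtu


if __name__ == "__main__":
    cases = {
        "permit gre any any": ("0.0.0.0/0", "0.0.0.0/0"),
        "permit gre host 10.2.2.2 host 10.4.4.4": ("10.2.2.2/32", "10.4.4.4/32"),
    }
    for acl, (src, dst) in cases.items():
        mode, size, frag = check(src, dst, "transport", mss=1400)
        print(f"{acl}: mode={mode} wire={size} fragment={frag} "
              f"max_mss={max_mss(1500, mode)}")
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Under these assumptions, MSS 1400 fits in transport mode (1496 bytes on the wire) but not in tunnel mode (1520 bytes), where the extra 20-byte IP header lowers the ceiling to MSS 1382.</span></div>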
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IPSec VTI:<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Conceptually the same as GRE
over IPSec, but without the additional GRE header overhead.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Static VTI --> used for site to site<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Dynamic VTI --> used for remote access<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 19.3pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td style="background: #9BBB59; border: solid windowtext 1.0pt; height: 19.3pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">GRE over IPSec<o:p></o:p></span></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 19.3pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">VTI<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: 19.3pt; mso-yfti-irow: 1;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 19.3pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">More overhead but
negligible(4 bytes)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<em><span style="background: white; font-family: Calibri, sans-serif;">We
use GRE over IPsec because a crypto map cannot define an interface in the
routing table, so a dynamic routing protocol couldn't run without the
tunnel interface.</span></em><span style="font-family: 'Times New Roman', serif;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 19.3pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">Saves 4 bytes of gre
overhead<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<em><u><span style="background: white; font-family: Calibri, sans-serif;">With
IPsec VTI we have an interface in the routing table, which removes the need to
have an extra GRE IP header encapsulation.</span></u></em><span style="font-family: 'Times New Roman', serif;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 58.0pt; mso-yfti-irow: 2;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 58.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">Multiprotocol
encapsulation<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">IPv4, IPv6, IS-IS, etc.<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 58.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">Single protocol<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">IPv4 only over an IPv4
IPSec tunnel<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">IPv6 only over an IPv6
IPSec tunnel<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 3;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">Line protocol based on
route to destination<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;">Line protocol status
is accurate based on the ipsec phase2 negotiation <o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 4;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif;"><i>R4(config)#int tun0<o:p></o:p></i></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif;"><i>R4(config-if)#tunnel
mode gre ip<o:p></o:p></i></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif;"><i>R4(config-if)#tunnel
protection ipsec profile PROFILE1<o:p></o:p></i></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif;"><i>R4(config)#int tun0<o:p></o:p></i></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: orange; font-family: 'Times New Roman', serif;"><i>R4(config-if)#tunnel
mode ipsec ipv4<o:p></o:p></i></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif;"><span style="background-color: orange;"><i>R4(config-if)#tunnel
protection ipsec profile PROFILE1</i></span><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 5;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white;">The frame
is <span style="font-family: Calibri, sans-serif;">[Eth Header][IP Header][GRE][Data]</span></span><span style="font-family: 'Times New Roman', serif;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Calibri, sans-serif;">[Eth
Header][IP Header][ESP header][Data][ESP trailer]</span><span style="font-family: 'Times New Roman', serif;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 6;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white;">Supports
both tunnel and transport modes<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Calibri, sans-serif;">Supports
only tunnel mode<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 7;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white;">The DF bit is
not carried up to the ESP header, so applications cannot do path MTU discovery.<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Calibri, sans-serif;">In
VTI mode, the DF bit is carried up to the ESP header.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Calibri, sans-serif;">Applications
can do path MTU discovery and we need not configure ‘ip mtu’ under the tunnel
interface.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif;">We
can still configure ‘ip tcp adjust-mss’ for applications that can't do path
MTU discovery.<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.6pt; mso-yfti-irow: 8; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white;">Tunnel
and then encrypt<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 38.6pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 361.15pt;" valign="top" width="482"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif;">Encrypt
and then tunnel<span style="font-size: 14pt; font-weight: bold;"><o:p></o:p></span></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">VTI configuration:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Phase 1 is the same as in
a crypto map based tunnel.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">For phase 2,<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The tunnel defines who the
endpoint is, i.e. the tunnel destination.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The tunnel already
defines the traffic, i.e. ip any any.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">We just need to
configure how the traffic must be treated using ‘crypto ipsec profiles’.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">An IPSec profile just
specifies the transform set to be used in protecting the data plane.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="background-color: orange; font-family: 'Times New Roman', serif; font-size: 13.5pt;">R2(config)#crypto ipsec profile PROFILE2<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><span style="background-color: orange;">R2(ipsec-profile)#set transform-set 3DES_MD5</span><o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The profiles can be
applied to both GRE tunnels and IPSec VTI tunnels.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Some platforms may not
do hardware switching of GRE packets.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IPSec over DMVPN:<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">DMVPN is a point-to-multipoint Layer 3
overlay VPN.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Logical hub and spoke
topology, direct spoke-to-spoke traffic is supported.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">DMVPN is an mGRE routing
technique.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Order of operations:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Crypto first<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">NHRP second<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Routing third<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">So if the crypto IPSec
tunnel configuration is wrong, DMVPN will not work.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Configuration is the same as
in GRE over IPSec.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<strong><span style="background: white; font-family: Calibri, sans-serif; font-size: 9pt;">The
peer address to use in the ISAKMP Policy is the NBMA address, not the tunnel's private address
(10.1.100.x in this case). It is important not to confuse the two.<o:p></o:p></span></strong></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<strong><span style="background: white; font-family: Calibri, sans-serif; font-size: 9pt;">The crypto process is the first thing to start: if
IPSec is not completed, the tunnels will not come up.<o:p></o:p></span></strong></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-attachment: initial; background-clip: initial; background-color: lime; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-size: 9pt;">show crypto
ipsec sa | i pkts|peer <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-size: 9pt;"><span style="background-color: lime;">show ip
traffic | i Frag|frag</span><span style="background-color: white;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IPSec over GRE :<o:p></o:p></span></i></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">It’s basically,<o:p></o:p></span></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; margin-left: 34.85pt; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 12.45pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0; mso-yfti-lastrow: yes;">
<td style="background: #9BBB59; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">L2 Header<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">GRE<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">ESP<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 75.5pt;" valign="top" width="101"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">IP<o:p></o:p></span></i></b></div>
</td>
<td style="background: #9BBB59; border-left: none; border: solid windowtext 1.0pt; height: 12.45pt; mso-background-themecolor: accent3; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 81.4pt;" valign="top" width="109"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><i><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Data<o:p></o:p></span></i></b></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Apply the crypto map
under the tunnel interface<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">The proxy ACL has to match
the end-to-end entities.<o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;">Encryption first and
then GRE tunnel encapsulation.<o:p></o:p></span></div>
</div>
Anonymoushttp://www.blogger.com/profile/16547104544524126934noreply@blogger.com0tag:blogger.com,1999:blog-6535850563298713199.post-48542160240349556682015-06-09T03:10:00.002-07:002015-06-09T03:12:41.710-07:00IPSec-Part1<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">IPSEC is a suite of protocols to secure the data
plane by using some encryption techniques.</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Ox8T4qNQZQo/VXa5gbwdgtI/AAAAAAAAADo/Qoxyt-9UoR4/s1600/topo1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://2.bp.blogspot.com/-Ox8T4qNQZQo/VXa5gbwdgtI/AAAAAAAAADo/Qoxyt-9UoR4/s640/topo1.png" width="640" /></a></div>
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br />
IPSec tunnel setup happens in two phases.</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br />
PHASE 1 --> negotiates the parameters to set up a tunnel for PHASE 2</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">PHASE 2 --> creates the SA and establishes a
tunnel for data flow</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br /><b>
PHASE 1 ISAKMP Configuration:</b></span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create an ISAKMP policy which defines the
following parameters:</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-bottom: 0.0001pt; text-indent: -0.25in;">
<br />
<ul style="text-align: left;">
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">authentication</span></i></li>
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">encryption</span></i></li>
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">hash</span></i></li>
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">DH group</span></i></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: 18px;"><br /></span></span><!--[if !supportLists]--></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">
The two routers must agree upon a policy to establish the tunnel.</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">The policy with the lower number has the higher priority.</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; color: red; font-family: Verdana, sans-serif; font-size: 13.5pt;"><b><i>Define ISAKMP policy</i></b></span></div>
<br clear="ALL" />
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">We need to define a pre-shared key for authentication with peer<o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i><span style="background-color: orange;">R2(config)#crypto
isakmp key 0 APPLE address 10.1.34.4</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i>If the
IP address of the other end is not known, <o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i><span style="background-color: orange;">R2(config)#crypto
isakmp key 0 APPLE address 0.0.0.0</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i>Whoever wants
to establish the IPSec tunnel with R2 should use APPLE as the pre-shared
authentication key.<o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="mso-bidi-font-style: normal;"><span style="background-color: orange;">R2(config)#crypto
isakmp policy 30</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="mso-bidi-font-style: normal;"><span style="background-color: orange;">R2(config-isakmp)#authentication
pre-share</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="mso-bidi-font-style: normal;"><span style="background-color: orange;">R2(config-isakmp)#hash
md5</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="mso-bidi-font-style: normal;"><span style="background-color: orange;">R2(config-isakmp)#encryption
3des</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="mso-bidi-font-style: normal;"><span style="background-color: orange;">R2(config-isakmp)#group
20</span><span style="background-color: #f1c232;"><o:p></o:p></span></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
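<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">A review check for the phase 1 commands above, added here as an example and not part of the original notes: it parses the ISAKMP key and policy lines and reports md5, 3des and a pre-shared key bound to address 0.0.0.0. The lists of legacy algorithms and DH groups are this example's assumption, taken from commonly published crypto guidance; only explicitly configured values are checked, platform defaults are not modelled.</span></div>

```python
import re

# Assumption of this example: choices that published guidance treats as legacy.
WEAK_HASH = {"md5"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed sample: the commands from these notes with the prompts removed.
SAMPLE_CONFIG = """\
crypto isakmp key 0 APPLE address 10.1.34.4
crypto isakmp key 0 APPLE address 0.0.0.0
crypto isakmp policy 30
 authentication pre-share
 hash md5
 encryption 3des
 group 20
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
# The key value itself is matched but never captured, so it is never echoed.
KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)")
# Running configs abbreviate 'encryption' to 'encr', so accept both spellings.
SETTING_RE = re.compile(r"^(authentication|hash|encr\w*|group) (\S+)")


def parse_isakmp(config):
    """Return ({priority: {setting: value}}, [peer addresses that have a PSK])."""
    policies, key_peers, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        policy = POLICY_RE.match(line)
        if policy:
            current = policies.setdefault(int(policy.group(1)), {})
            continue
        key = KEY_RE.match(line)
        if key:
            key_peers.append(key.group(1))
            current = None
            continue
        setting = SETTING_RE.match(line)
        if setting and current is not None and raw[:1].isspace():
            name = setting.group(1)
            if name.startswith("encr"):
                name = "encryption"
            current[name] = setting.group(2)
        elif not raw[:1].isspace():
            current = None  # an unindented line ends the policy sub-mode
    return policies, key_peers


def audit(config):
    """Return (where, finding) tuples for legacy or overly broad phase 1 settings."""
    policies, key_peers = parse_isakmp(config)
    findings = []
    for priority, settings in sorted(policies.items()):
        where = f"isakmp policy {priority}"
        if settings.get("hash") in WEAK_HASH:
            findings.append((where, f"hash {settings['hash']} is a legacy algorithm"))
        if settings.get("encryption") in WEAK_ENCRYPTION:
            findings.append((where, f"encryption {settings['encryption']} is a legacy cipher"))
        if settings.get("group") in WEAK_DH_GROUPS:
            findings.append((where, f"DH group {settings['group']} is too small"))
    for peer in key_peers:
        if peer == "0.0.0.0":
            findings.append(("isakmp key", "pre-shared key accepted from any peer address"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">Group 20 from the policy above is not reported; the same check applies to a phase 2 transform set built on 3DES and MD5.</span></div>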
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">Phase1 negotiation will fail if the authentication key is
different or any of the parameters is different.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">Once the phase1 negotiation is completed successfully, the state
for the peer will be QM_IDLE.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">Any other state means phase1 negotiation failed.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">The following show command can be used for verifying the phase1
result,<o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">R2#sh crypto
isakmp sa<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">IPv4 Crypto
ISAKMP SA<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">dst src state conn-id status<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">4.4.4.4 2.2.2.2 QM_IDLE 1003 ACTIVE<o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
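<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif; font-size: 13.5pt;">The QM_IDLE rule above as a monitoring check, added here as an example and not part of the original notes: it parses 'show crypto isakmp sa' output and reports each expected peer as up, down or without an SA. The second SA row, the peer addresses 192.0.2.9 and 198.51.100.7 and the function names are constructed for the example.</span></div>

```python
import ipaddress

# Constructed sample: the first row is the SA shown in the notes, the second
# is a made-up peer whose phase 1 negotiation did not complete.
SAMPLE_OUTPUT = """\
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         2.2.2.2         QM_IDLE           1003 ACTIVE
192.0.2.9       2.2.2.2         MM_NO_STATE          0 ACTIVE (deleted)
"""


def parse_isakmp_sa(output):
    """Return one dict per SA row; prompts, banners and headers are skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            dst = ipaddress.ip_address(fields[0])
            src = ipaddress.ip_address(fields[1])
            conn_id = int(fields[3])
        except ValueError:
            continue  # not an SA row (for example the column header)
        rows.append({
            "dst": str(dst),
            "src": str(src),
            "state": fields[2],
            "conn_id": conn_id,
            "status": " ".join(fields[4:]),
        })
    return rows


def check_peers(output, local, expected_peers):
    """Map each expected peer to 'up', 'down (<state>)' or 'no SA'."""
    seen = {}
    for row in parse_isakmp_sa(output):
        # dst and src follow who initiated, so the peer is the non-local address.
        peer = row["src"] if row["dst"] == local else row["dst"]
        up = row["state"] == "QM_IDLE" and row["status"] == "ACTIVE"
        # A peer can have several rows during rekey; one healthy row is enough.
        if up or peer not in seen:
            seen[peer] = "up" if up else f"down ({row['state']})"
    # A peer with no row at all has no phase 1 SA, which the state column
    # alone would never reveal.
    return {peer: seen.get(peer, "no SA") for peer in expected_peers}


if __name__ == "__main__":
    expected = ["4.4.4.4", "192.0.2.9", "198.51.100.7"]
    for peer, result in check_peers(SAMPLE_OUTPUT, "2.2.2.2", expected).items():
        print(f"{peer}: {result}")
```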
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Phase 1 negotiation happens in two modes</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br /><b>
Main Mode: </b>TBU</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br /><b>
Aggressive Mode:</b>TBU</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><br /><b>
Phase 2 IPSEC Configuration:</b><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Phase 2 starts once the phase 1 negotiation is
done and the secure tunnel is formed.</span><span style="font-family: 'Times New Roman', serif; font-size: 13.5pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">In phase 2, the routers exchange the
symmetric keys for the session and establish the SA.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">For phase 2 configuration, we need to set up the
following:<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-bottom: 0.0001pt; text-indent: -0.25in;">
<br />
<ul style="text-align: left;">
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><b>Create an extended access-list to match the interesting traffic.
IPSec tunnel setup is triggered when traffic matching the ACL is seen.</b></span></i></li>
<li><b style="text-indent: -0.25in;"><i><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create an IPSec transform set: this defines the encryption and
hashing methods to be used.</span></i></b></li>
<li><b style="text-indent: -0.25in;"><i><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create a crypto map: this connects the access-list, transform
set and the peer to which the tunnel must be established.</span></i></b></li>
<li><i style="text-indent: -0.25in;"><span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><b>Apply the crypto map to an interface: always outbound.</b></span></i></li>
</ul>
<!--[if !supportLists]--></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoListParagraphCxSpLast" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create extended access-list as <o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config)#ip
access-list extended 111<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config-ext-nacl)#permit
ip 1.1.1.1 0.0.0.0 5.5.5.5 0.0.0.0<o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<br clear="ALL" />
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create the IPsec transform set:<o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config)#crypto
ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac<o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<br clear="ALL" />
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 12pt;">esp-3des → encryption<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 12pt;">esp-sha-hmac → hashing<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Create a crypto map that ties together the peer, the transform set and the ACL:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config)#crypto
map MAP9 90 ipsec-isakmp<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">% NOTE: This
new crypto map will remain disabled until a peer<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;"> and a valid access list have been
configured.<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config-crypto-map)#set
peer 10.1.34.4<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config-crypto-map)#match
address 111<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i><span style="background-color: orange;">R2(config-crypto-map)#set
transform-set 3DES-SHA</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Apply the crypto map to an interface</span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config)#int
s1/0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: orange;">R2(config-if)#crypto
map MAP9<o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background-color: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">If we ping from R1 to R5, the IPsec tunnel will not be created because the traffic does not match the ACL.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">If we ping from the loopback of R1 to the loopback of R5, the IPsec tunnel is established because this traffic matches ACL 111.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Because only the traffic that matches the ACL is encrypted and everything else is forwarded without security, this way of setting up the IPsec tunnel is classed as a policy-based IPsec VPN.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Some show commands to verify that the IPsec tunnel was created:<o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><b><i><span style="color: red;">R4#sh crypto
isakmp sa </span>--></i></b><b><i><span style="color: red;"> gives phase1 negotiation result<o:p></o:p></span></i></b></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">IPv4 Crypto
ISAKMP SA<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">dst src state conn-id status<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">10.1.34.4 10.1.23.2 QM_IDLE 1001 ACTIVE<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i><span style="background-color: #93c47d;">IPv6 Crypto
ISAKMP SA</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><b><i><span style="color: red;">R4#sh crypto
ipsec sa </span>--></i></b><b><i><span style="color: red;">gives phase2 negotiation result<o:p></o:p></span></i></b></span></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;">interface:
Serial1/0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> Crypto map tag: MAP2, <b>local addr 10.1.34.4</b><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> protected vrf: (none)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> local
ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> remote ident (addr/mask/prot/port):
(1.1.1.1/255.255.255.255/0/0)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> current_peer 10.1.23.2 port 500<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> PERMIT, flags={origin_is_acl,}<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #pkts encaps: 4, #pkts encrypt: 4,
#pkts digest: 4 <span style="color: red;"><b>--> These counters should keep increasing</b></span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #pkts decaps: 4, #pkts decrypt: 4,
#pkts verify: 4<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #pkts compressed: 0, #pkts
decompressed: 0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #pkts not compressed: 0, #pkts compr.
failed: 0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #pkts not decompressed: 0, #pkts
decompress failed: 0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> #send errors 0, #recv errors 0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> local crypto endpt.: <b>10.1.34.4</b>, remote
crypto endpt.: <b>10.1.23.2</b><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> path mtu 1500, ip mtu 1500, ip mtu idb
Serial1/0<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> current outbound spi:
0x10E1542D(283202605)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> PFS (Y/N): N, DH group: none<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> inbound esp sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> spi: 0x396B966C(963352172)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> transform: esp-3des esp-md5-hmac ,<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> in use settings <b><span style="color: red;">={Tunnel, }</span></b><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> conn id: 1, flow_id: 1,
sibling_flags 80000040, crypto map: MAP2<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> sa timing: remaining key lifetime
(k/sec): (4259623/3582)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> IV size: 8 bytes<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> replay detection support: Y<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> Status: ACTIVE(ACTIVE)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> inbound ah sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> inbound pcp sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> outbound esp sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> spi: 0x10E1542D(283202605)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> transform: esp-3des esp-md5-hmac ,<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> in use settings ={Tunnel, }<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> conn id: 2, flow_id: 2,
sibling_flags 80000040, crypto map: MAP2<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> sa timing: remaining key lifetime
(k/sec): (4259623/3582)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> IV size: 8 bytes<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> replay detection support: Y<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> Status: ACTIVE(ACTIVE)<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> outbound ah sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<span style="background-color: #93c47d;"><br /></span></div>
<div class="MsoNoSpacing">
<i style="background-color: #93c47d;"> outbound pcp sas:<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i><span style="background-color: #93c47d;">R4#</span><o:p></o:p></i></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
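<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">Added example (not part of the original notes): a Python check that parses the <i>sh crypto ipsec sa</i> output above and reports what a reviewer would look for, including that the output negotiates esp-md5-hmac while the transform set configured earlier is esp-sha-hmac. The sample text is trimmed from that output, the second snapshot is constructed, and the function names and the list of legacy transforms are assumptions of this example.</span></div>

```python
import ipaddress
import re

# Constructed sample: trimmed from the "sh crypto ipsec sa" output shown above.
SNAPSHOT_1 = """\
interface: Serial1/0
    Crypto map tag: MAP2, local addr 10.1.34.4
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.23.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x396B966C(963352172)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x10E1542D(283202605)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""
# Constructed second snapshot: the same SA after four more packets each way.
SNAPSHOT_2 = SNAPSHOT_1.replace(": 4", ": 8")

# Assumption of this example: transforms treated as legacy and worth flagging.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ipsec_sa(text):
    """Parse one SA block of 'show crypto ipsec sa' output into a dict."""
    sa = {"ident": {}, "counters": {}, "transform": {}, "pfs": None}
    direction = None  # set while inside an "inbound/outbound esp sas:" section
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: ([^,]+), local addr (\S+)", line):
            sa["map"], sa["local_addr"] = m.groups()
        elif m := re.match(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)", line):
            addr, mask, prot, port = m.group(2).split("/")
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            sa["ident"][m.group(1)] = (str(net), int(prot), int(port))
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            sa["peer"] = m.group(1)
        elif line.startswith("#pkts"):
            for name, value in re.findall(r"#pkts (\w+): (\d+)", line):
                sa["counters"][name] = int(value)
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            sa["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"transform: (.+?)\s*,$", line)):
            sa["transform"][direction] = m.group(1).split()
    return sa


def audit(sa, expected_transform):
    """Return findings for one SA, compared with the configured transform set."""
    findings = []
    for direction, negotiated in sorted(sa["transform"].items()):
        if negotiated != expected_transform:
            findings.append(f"{direction}: negotiated {negotiated}, config says {expected_transform}")
    legacy = sorted({alg for t in sa["transform"].values() for alg in t} & LEGACY)
    if legacy:
        findings.append("legacy transforms in use: " + ", ".join(legacy))
    if not sa["pfs"]:
        findings.append("PFS (Y/N) is N")
    # Policy-based VPN: the proxy identities are the only traffic that is protected.
    local, remote = sa["ident"]["local"][0], sa["ident"]["remote"][0]
    findings.append(f"only {local} <-> {remote} is encrypted; other traffic leaves in clear")
    return findings


def passing_traffic(before, after):
    """True when both encaps and decaps counters grew between two snapshots."""
    return all(after["counters"][k] > before["counters"][k] for k in ("encaps", "decaps"))


if __name__ == "__main__":
    first, second = parse_ipsec_sa(SNAPSHOT_1), parse_ipsec_sa(SNAPSHOT_2)
    for finding in audit(first, ["esp-3des", "esp-sha-hmac"]):
        print("-", finding)
    print("counters increasing:", passing_traffic(first, second))
```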
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;">If we want to set up the tunnel using the loopback interfaces:<o:p></o:p></span></div>
<table cellpadding="0" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<td><!--[endif]-->
<br />
<div>
<div class="MsoNoSpacing">
<i>Change the
pre-shared key IP association<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<i>Change the peer
address in the crypto map and add the following command<o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<i><span style="background-color: orange;">R4(config)#crypto
map MAP9 local-address loopback 0</span><o:p></o:p></i></div>
<div class="MsoNoSpacing">
<br /></div>
</div>
<!--[if !mso]--></td>
</tr>
</tbody></table>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="background: white; font-family: Verdana, sans-serif; font-size: 13.5pt;"><b>Misc:</b></span></div>
<br /></div>