1st multicast ping succeeds, the rest fail?
I've run into this on a couple of labs I've done. Just seeing if anyone has an idea. Separate MPLS VPN sites learn the RP through the MPLS cloud, I throw ip igmp x.x.x.x on an interface, the 1st ping will respond, but any pings after that fail.
I can't seem to find any RPF failures. I don't have any configs off-hand, but was just curious if anyone else has run into this before.
Blogs and organic groups at http://www.ccie.net
_______________________________________________________________________ Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Categories: Uncategorized Tags:
IPSEC transport mode & crypto map local address…???
Thanks Piotr,
Right, this comes to where my little mix-up is. Now, GETVPN is not exactly our native L2L VPN, is it?
In other words, we use a crypto map to configure GDOI on the GM. This kinda makes the local router prone to not being able to run transport mode, doesn't it?
See my point?
On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak wrote:
> Hi Sadiq,
>
> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>
> 2. GETVPN should be configured using Tunnel Mode to take advantage of
> header authentication. ESP does not authenticate outer IP Header in
> transport mode.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can’t explain it simply, you don’t understand it well enough –
> Albert Einstein
>
> 2010/5/31 Sadiq Yakasai
>
>> Right, I may be on too much coffee these days but something just stumbled
>> on to me:
>>
>> Generally speaking, when a transform set is configured for transport mode
>> (esp, ah, does not matter, or does it?), the crypto map local address
>> should not have any effect. This is so because the packet's source/dest is
>> actually maintained on the “transported” packets, right?
>>
>> One more quick question, is GETVPN implicitly always in transport mode?
>> What if I don't configure the transform set on the KS to be transport mode?
>>
>> Long answer I know is to lab this up, which I will anyway. But just thought
>> I should put it out to the gurus!
>>
>> As usual, thanks.
>>
>> Sadiq
>>
>> --
>> CCIE #19963
IPSEC transport mode & crypto map local address…???
Hi Sadiq,
1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would save 20 bytes and is recommended for DMVPN as it works better with NAT.
2. GETVPN should be configured using Tunnel Mode to take advantage of header authentication. ESP does not authenticate outer IP Header in transport mode.
HTH,
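An added example, not part of the original post: constructed packets showing which header bytes the ESP integrity check value covers in each mode, and the 20-byte size difference. It assumes NULL encryption, an HMAC-SHA-256-128 ICV and outer addresses copied from the original header in tunnel mode; all names and values are hypothetical.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # constructed integrity key, not a real SA
SPI, SEQ = 0x1000, 1            # constructed SA values

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at zero for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

def icv(body):
    # HMAC-SHA-256 truncated to 128 bits, computed over SPI..Next Header only.
    return hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def esp_wrap(protected, next_header):
    # ESP with NULL encryption: SPI | seq | payload | padding | pad len | next hdr | ICV
    pad = (-(len(protected) + 2)) % 4
    body = (struct.pack("!II", SPI, SEQ) + protected +
            bytes(range(1, pad + 1)) + bytes([pad, next_header]))
    return body + icv(body)

def build(mode, src, dst, segment):
    if mode == "transport":      # original IP header stays outside ESP
        esp = esp_wrap(segment, 17)
    else:                        # tunnel: whole original packet goes inside ESP
        esp = esp_wrap(ipv4_header(src, dst, 17, len(segment)) + segment, 4)
    # Outer addresses copied from the original header (assumption for tunnel mode).
    return ipv4_header(src, dst, 50, len(esp)) + esp

def rewrite_source(packet, new_src):
    # Models a device in the path (e.g. NAT) changing the outermost source address.
    return packet[:12] + bytes(new_src) + packet[16:]

def inspect(packet):
    # Returns (ICV valid?, source in header outside ESP, source covered by ICV or None).
    outer, esp = packet[:20], packet[20:]
    ok = hmac.compare_digest(esp[-16:], icv(esp[:-16]))
    covered = esp[20:24] if esp[-17] == 4 else None
    return ok, outer[12:16], covered

if __name__ == "__main__":
    seg = b"constructed UDP segment"
    for mode in ("transport", "tunnel"):
        pkt = rewrite_source(build(mode, [10, 0, 0, 1], [10, 0, 0, 2], seg), [192, 0, 2, 9])
        print(mode, inspect(pkt))
```

In both modes the ICV still verifies after the outermost source address is rewritten; only the tunnel-mode packet carries an integrity-protected copy of the original addresses to compare against.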
IPSEC transport mode & crypto map local address…???
Right, I may be on too much coffee these days but something just stumbled on to me:
Generally speaking, when a transform set is configured for transport mode (esp, ah, does not matter, or does it?), the crypto map local address should not have any effect. This is so because the packet's source/dest is actually maintained on the “transported” packets, right?
One more quick question, is GETVPN implicitly always in transport mode? What if I don't configure the transform set on the KS to be transport mode?
Long answer I know is to lab this up, which I will anyway. But just thought I should put it out to the gurus!
As usual, thanks.
Sadiq
GNS3, Loopback interface, Win2k Sp4
Dear All,
I have been trying to solve this small problem, yet I cannot resolve it.
For Cisco simulation I have been using GNS3, but until now I have never been able to successfully implement communication between the PC loopback interface and the router inside GNS3. I am using Win2k SP4 (I have no problems using the same version of GNS3 in Win XP).
So I guess GNS3 in Win2k SP4 is not getting along with the loopback interface? To save my time, I throw this here to confirm my conclusion. Is there anyone here who has the same problem? Or is there anyone here who has successfully used the loopback interface to communicate with a router inside GNS3?
thanks for your response
cheers, taufik
Frame-Relay fragmentation size
Hi all,
I have conflicting information for calculating the frame-relay fragmentation size.
In the one corner, the formula is frag_size = bandwidth/8*10ms, so for a link speed of 768k and 10-ms serialisation delay, the fragment size is 960 bytes.
In the other corner is the Doc-CD http://www.cisco.com/en/US/docs/ios/wan/command/reference/wan_f1.html#wp1014445 under the command “frame-relay fragment”, where the recommended fragment size for 10-ms serialisation delay and lowest link speed of 768 kbps is 1000 bytes (table 15).
In the lab which should I use to be safe?
regards Andy
Capability VRF Lite
Hi
I have been studying the use of the capability vrf-lite command and I was wondering whether there is any difference/issue when configuring this on the PE or CE.
For example my PE is redistributing BGP into OSPF and sending OSPF routes to CE with down bit set. So I configured capability vrf-lite command on PE and this solved the problem. But I read somewhere that this should be configured on the CE.
INTER_AS option C
ce1---pe1---rr1---asbr1---asbr2---rr2---pe2---ce2
between asbr === ebgp+ ipv4 label
PE2#trace vrf 123
Protocol [ip]: ip
Target IP address: 150.1.7.7
Source address:
Numeric display [n]: y

Tracing the route to 150.1.7.7

  1 150.1.56.5 [MPLS: Labels 19/16/20 Exp 0] 284 msec 272 msec 248 msec
  2 150.1.45.4 [MPLS: Labels 16/20 Exp 0] 180 msec 200 msec 200 msec
  3 150.1.24.2 [MPLS: Labels 17/20 Exp 0] 232 msec 304 msec 292 msec
  4 150.1.12.1 [MPLS: Labels 25/20 Exp 0] 248 msec 216 msec 184 msec
  5 10.1.37.3 [MPLS: Label 20 Exp 0] 152 msec 196 msec 200 msec
  6 10.1.37.7 188 msec * 244 msec
20 is the VPN label.
16 is the PE1 label.
19: will it be the local IGP label to reach the RR, or the label to reach ASBR2? That's what my doubt is.
prakash kalsaria http://prakashkalsaria.wordpress.com
NAT with redundancy
Hi there, it is a requirement to have one outside global IP to access an internal server, but if the internal server is down, we have to translate the same outside global IP to another internal (secondary) server.
Can anyone help me with how this could be achieved using NAT?
Regards, Anbu
Do we have to expect ODAP in R7S lab ?
Do we have to expect ODAP in R7S lab ?