
[CCIE-RS] Actual Facts on 3rd CFG


> NAT on R71 - you are missing deny from 10.7/16 to 10/8.
>
> NAT on R70 - while having those static statements doesn't hurt anything, it's kinda pointless, since R24 has a dynamic crypto map; you can't dial the VPN from the other side anyway.
>
> And btw guys, I got a feeling that we are running round 2 or something, all this stuff was actually discussed already, in this very topic (or the next one "Failed H3"). Just search.

 

Why would you do any NAT behind the R71 0/0 interface?

It is OK if there is a requirement saying something like "Users behind R71 must be able to connect to NAS", for example; otherwise this NAT is unnecessary.

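The "missing deny from 10.7/16 to 10/8" point above is the usual NAT-exemption pattern: traffic that must cross the IPsec tunnel untranslated is denied in the NAT ACL before the permit. The following is an added example, not a configuration from this thread or from the lab workbook; the interface names on R71 are hypothetical placeholders, and only the prefixes 10.7.0.0/16 and 10.0.0.0/8 come from the discussion. It only matters at all if NAT on R71 is actually required by a task; as later replies note, the VPN works without any NAT on R71.

```cisco
! Added example (not from the thread). Hypothetical R71 interface names:
! GigabitEthernet0/0 = outside, GigabitEthernet0/1 = inside (users in 10.7.0.0/16).
!
! Weak: every packet from 10.7/16 is translated, including traffic bound for 10/8
! across the VPN, so the crypto ACL never sees the original source and the tunnel
! traffic is sent with the outside address instead.
ip access-list extended NAT-USERS-BROKEN
 permit ip 10.7.0.0 0.0.255.255 any
!
! Corrected: deny the VPN-bound traffic first so it is exempted from translation,
! then translate the rest. Order matters; the ACL is evaluated top down.
ip access-list extended NAT-USERS
 deny   ip 10.7.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.7.0.0 0.0.255.255 any
!
interface GigabitEthernet0/1
 description inside, users 10.7/16 (hypothetical interface name)
 ip nat inside
!
interface GigabitEthernet0/0
 description outside (hypothetical interface name)
 ip nat outside
!
ip nat inside source list NAT-USERS interface GigabitEthernet0/0 overload
!
! Verification: translations should appear only for non-10/8 destinations.
! show ip nat translations
! show access-lists NAT-USERS
```

The check worth making after a change like this is that the NAT ACL counters on the deny line increment when a user behind R71 pings something in 10/8, while `show ip nat translations` shows no entry for that flow.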

> You are right, there is no other way. This will as well mean to advertise this network in BGP.

Yes. Funny thing: I set SW100 to be the only mapping agent. While playing with that I realized that R13 (and the whole DC) is actually also receiving info about the DC RP (10.250.250.250) from R30 (I am using a multicast boundary on R30/31; it seems it filters 224.0.1.39, but it actually doesn't filter 224.0.1.40). So, despite the fact that R10/11 doesn't have info about the DC RP from SW100 (because the RPF check fails due to prefix-suppression), it actually has info about RP SW100/101 from R30 as mapping agent. After you remove the group 224.0.1.40 from the game, it stops working, as R10/11 has no RP, until the net 10.1.113.0/24 is known from BGP.

 

Jeeez, I have to say this mcast task has lots of caveats, and compared to the mcast stuff in H1/2 it is a totally different level.

Edited by Dworkin


> Why would you do any NAT behind the R71 0/0 interface?
>
> It is OK if there is a requirement saying something like "Users behind R71 must be able to connect to NAS", for example; otherwise this NAT is unnecessary.

You are right, I would swear someone mentioned the double NAT is present in home office, but maybe that was just because this scenario is in TS2.


Hi guys, sorry for this noob request.

Can someone share their boundary router configs for each AS with the aggregates? Or the whole BGP section (or maybe just the DC1 and DC2 boundary routers)? I know it's too much. Thanks in advance.

Edited by xxlowell


> You are right, I would swear someone mentioned the double NAT is present in home office, but maybe that was just because this scenario is in TS2.

I tested it and there is no need to do any NATting on R71. User 7 was able to reach the 10.0.0.0 network through the IPsec VPN and I matched the output.


> Yes. Funny thing: I set SW100 to be the only mapping agent. While playing with that I realized that R13 (and the whole DC) is actually also receiving info about the DC RP (10.250.250.250) from R30 (I am using a multicast boundary on R30/31; it seems it filters 224.0.1.39, but it actually doesn't filter 224.0.1.40). So, despite the fact that R10/11 doesn't have info about the DC RP from SW100 (because the RPF check fails due to prefix-suppression), it actually has info about RP SW100/101 from R30 as mapping agent. After you remove the group 224.0.1.40 from the game, it stops working, as R10/11 has no RP, until the net 10.1.113.0/24 is known from BGP.
>
> Jeeez, I have to say this mcast task has lots of caveats, and compared to the mcast stuff in H1/2 it is a totally different level.

Doesn't the task ask to not let announcement through, not discovery? So .40 should be fine in my opinion.


> This will as well mean to advertise this network in BGP.

 

totally unnecessary


> Yes. Funny thing: I set SW100 to be the only mapping agent. While playing with that I realized that R13 (and the whole DC) is actually also receiving info about the DC RP (10.250.250.250) from R30 (I am using a multicast boundary on R30/31; it seems it filters 224.0.1.39, but it actually doesn't filter 224.0.1.40). So, despite the fact that R10/11 doesn't have info about the DC RP from SW100 (because the RPF check fails due to prefix-suppression), it actually has info about RP SW100/101 from R30 as mapping agent. After you remove the group 224.0.1.40 from the game, it stops working, as R10/11 has no RP, until the net 10.1.113.0/24 is known from BGP.
>
> Jeeez, I have to say this mcast task has lots of caveats, and compared to the mcast stuff in H1/2 it is a totally different level.

 

It all depends on how you've configured your multicast boundary and multicast ACL in section 2.11....


> totally unnecessary

It is necessary, unless I am missing something. R10/11 install a summary route 10.1/16 to null, and thanks to prefix suppression will have no specific route to 10.1.113.0/24. The RPF check needs to be passed for the MA as well as the RP.

I tried that, without the network in BGP it doesn't work.


> Doesn't the task ask to not let announcement through, not discovery? So .40 should be fine in my opinion.

For this particular task it's ok, but R13 can actually have R30 as the information source, and not the required SW100. So you need to block it.


> It is necessary, unless I am missing something. R10/11 install a summary route 10.1/16 to null, and thanks to prefix suppression will have no specific route to 10.1.113.0/24. The RPF check needs to be passed for the MA as well as the RP.
>
> I tried that, without the network in BGP it doesn't work.

 

Lab it....


> It is necessary, unless I am missing something. R10/11 install a summary route 10.1/16 to null, and thanks to prefix suppression will have no specific route to 10.1.113.0/24. The RPF check needs to be passed for the MA as well as the RP.
>
> I tried that, without the network in BGP it doesn't work.

agree with you


> Lab it....

 

Using R30 as a MA is an option yes, but we can only speculate over this as we are not aware what the requirement for filtering of AutoRP from HQ to DC is actually saying.

If it says filter AutoRP, for me it means x.x.x.39 and 40 to be filtered, if it says filter only group announced in HQ is different story.

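The observation earlier in the thread (the boundary on R30/31 stops 224.0.1.39 but lets 224.0.1.40 through, so the DC still learns its RP from R30 as mapping agent) and the reading just above (filter Auto-RP means both .39 and .40) come down to what the boundary ACL actually denies. The following is an added example, not a configuration from this thread or from the workbook; the interface name on R30 is a hypothetical placeholder, and only the Auto-RP groups 224.0.1.39 (RP-announce) and 224.0.1.40 (RP-discovery) are taken from the discussion. It puts the announce-only ACL beside one that blocks both control groups.

```cisco
! Added example (not from the thread). Hypothetical R30 interface name GigabitEthernet0/0
! facing HQ; the Auto-RP groups are from the discussion.
!
! Announce-only boundary: RP-announce (224.0.1.39) is stopped, but RP-discovery
! (224.0.1.40) still crosses the boundary. A mapping agent on the far side can
! therefore still deliver RP-to-group mappings to routers that are supposed to
! learn them only from the intended mapping agent.
ip access-list standard MCAST-BOUNDARY-ANNOUNCE-ONLY
 deny   224.0.1.39
 permit any
!
! Full Auto-RP boundary: neither RP-announce nor RP-discovery crosses the link,
! so RP information must come from the mapping agent inside the boundary.
ip access-list standard MCAST-BOUNDARY-AUTORP
 deny   224.0.1.39
 deny   224.0.1.40
 permit any
!
interface GigabitEthernet0/0
 description HQ-facing link (hypothetical interface name)
 ip pim sparse-mode
 ip multicast boundary MCAST-BOUNDARY-AUTORP
!
! Verification on a router inside the boundary: the RP should be listed as learned
! from the intended mapping agent only, and there should be no (*, 224.0.1.40)
! state with the boundary interface as incoming interface.
! show ip pim rp mapping
! show ip mroute 224.0.1.40
! show ip multicast interface GigabitEthernet0/0
```

One caveat: the `filter-autorp` keyword on `ip multicast boundary` does something different from denying .39/.40 in the ACL. It removes, from Auto-RP messages that do cross the boundary, the group ranges the ACL denies; it does not by itself stop the RP-announce or RP-discovery packets. Which of the two the task wants depends on whether it says to filter Auto-RP or only the groups announced in HQ, which is exactly the ambiguity raised above.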
