balnazar33

H3 Config / Connectivity from USER7 and SW600 to Partner

Should SW600 and USER7 have access to Partner 100.100.100.100?

 

SW600#traceroute 100.100.100.100
Type escape sequence to abort.
Tracing the route to 100.100.100.100
VRF info: (vrf in name/id, vrf out name/id)
1 10.6.1.1 0 msec 0 msec 1 msec
2 200.99.60.1 1 msec 1 msec 1 msec
3 200.99.60.1 !H * !H

 

 

User7#traceroute 100.100.100.100 numeric
Type escape sequence to abort.
Tracing the route to 100.100.100.100
VRF info: (vrf in name/id, vrf out name/id)
1 10.7.100.1 1 msec 0 msec 1 msec
2 192.168.0.1 1 msec 1 msec 1 msec
3 201.99.70.1 1 msec 2 msec 1 msec
4 201.99.25.2 2 msec 2 msec 2 msec
5 10.2.125.2 2 msec 2 msec 2 msec
6 10.2.22.1 3 msec 2 msec 2 msec
7 10.2.11.1 2 msec 3 msec 2 msec
8 101.21.0.1 4 msec 3 msec 3 msec
9 101.41.0.2 3 msec 3 msec 4 msec
10 10.4.11.2 8 msec 4 msec 3 msec
11 10.4.43.1 5 msec 4 msec 4 msec
12 * * *

 

I believe that this is not supposed to be required on the real exam, as USER7 and SW600 are behind tunnels and R24 and R14 are controlling what goes over the tunnel (both DMVPN and L2L), correct?

Why is R60 sending it towards AS19999?

Does R60 have a 10.7.0.0 route? It must be advertised from R14 on the DMVPN.

 

R 10.7.0.0 is either redistributed (if origin incomplete is required) or aggregated on R24, sent to its RR, received by 22, sent to 65001 to all routers including 14.

Trace goes via the AS because it does not match the crypto map ACL; packets are NATed instead. So the session between R71 and 24 will not come up to have the traffic routed through the internal network.

If you want to be able to ping 100.100.100.100 from User7, add a permit statement matching the flow between U7 and the partner Loopback on top of your ACL used to match traffic for your crypto session, and also deny it in the ACL used for static inside NAT translations.

 

When it comes to SW600 to 100.100.100.100, the case is slightly different. Your static route via ISP has a better AD and will suppress the default route prefix received from R14. Combining that with the PBR on R60 E0/0, the next hop for anything not in your SW600 / R60 routing table will be the ISP (not R14's Tu0 IP).

If you want to have access to the partner's 100.100.100.100 network from SW600/R60, you need to leak it from R14 within the same prefix you are using to leak the 7 /16s within 10.0.0.0/13.
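
Added example, not part of the original posts: a small Python model of the User7 case from the reply above, showing why the flow needs both the crypto ACL permit and the NAT ACL deny, since on IOS inside-to-outside NAT is applied before the crypto map ACL is checked. The host address 10.7.100.10, the translated address 203.0.113.7, the ACL contents and all function names are constructed for illustration and are not the lab's actual configuration; NAT is simplified to a single ACL-gated translation.

```python
from ipaddress import ip_address, ip_network

PARTNER = "100.100.100.100"   # partner loopback, from the thread
USER7 = "10.7.100.10"         # assumed host behind 10.7.100.1
NAT_GLOBAL = "203.0.113.7"    # constructed translated address

def ace(action, src, dst):
    return (action, ip_network(src), ip_network(dst))

def permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end."""
    for action, s, d in acl:
        if ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False

def egress(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside on IOS: NAT is applied before the crypto map check."""
    natted = permits(nat_acl, src, dst)
    if natted:
        src = NAT_GLOBAL          # crypto ACL now sees the translated source
    if permits(crypto_acl, src, dst):
        return "tunnel"
    return "nat-to-isp" if natted else "clear-to-isp"

# Constructed "before" ACLs: only internal 10/8 destinations use the tunnel.
NAT_BEFORE = [ace("deny", "10.7.0.0/16", "10.0.0.0/8"),
              ace("permit", "10.7.0.0/16", "0.0.0.0/0")]
CRYPTO_BEFORE = [ace("permit", "10.7.0.0/16", "10.0.0.0/8")]

# The fix from the reply: permit on top of the crypto ACL, deny in the NAT ACL.
CRYPTO_AFTER = [ace("permit", "10.7.0.0/16", PARTNER + "/32")] + CRYPTO_BEFORE
NAT_AFTER = [ace("deny", "10.7.0.0/16", PARTNER + "/32")] + NAT_BEFORE

if __name__ == "__main__":
    for label, nat, crypto in [("before", NAT_BEFORE, CRYPTO_BEFORE),
                               ("crypto permit only", NAT_BEFORE, CRYPTO_AFTER),
                               ("permit + NAT deny", NAT_AFTER, CRYPTO_AFTER)]:
        print(f"{label:20} -> {egress(USER7, PARTNER, nat, crypto)}")
```

The middle case is the one worth noting: with only the crypto permit added, the packet is still translated first, so its source no longer matches the crypto ACL and it leaves unencrypted towards the ISP.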
