Showing results for tags 'FLEXVPN'.




Found 1 result

  1. Hello everyone,

     Am I the only one suspicious regarding this Task? As I am studying the paper more carefully, this question is the most vague one.

     In theory, by Cisco terminology and if you Google "Cisco FLEXVPN HUB & Spoke" topology, you will realize that most of the solutions combine two things: 1) IKEv2 2) Virtual-Template. There is no way to configure the Tunnel number (i.e. Tu34 and Tu35) with Virtual-Template. Hence, the requirement of this task is a FLEXVPN HUB & Spoke using SVTI. "Everything clear so far".

     But in my understanding there are two specific requirements on this question which none of the available solutions suggest. I will suggest my solution on this Task and please comment and share your thoughts.

     Requirement 1

     Tu34 should secure the traffic between 192.168.10.0/24 and host 10.100.6.1
     Tu35 should secure the traffic between 192.168.11.0/24 and host 10.100.7.1

     This requirement can easily be accomplished by applying the following configuration on R9:

         !
         ip route 10.100.6.1 255.255.255.255 Gi2.1
         ip route 10.100.7.1 255.255.255.255 Gi2.2
         !
         router eigrp 34
          no auto
          passive-interface default
          no passive-interface Tunnel34
          net 172.16.2.0 0.0.0.255
          net 10.100.6.1 0.0.0.0
          net 192.168.9.9 0.0.0.0
         !
         router eigrp 35
          no auto
          passive-interface default
          no passive-interface Tunnel35
          net 172.16.3.0 0.0.0.255
          net 10.100.7.1 0.0.0.0
          net 192.168.9.9 0.0.0.0

     Also, I prefer to use different IPsec profiles for each Spoke instead of using the "shared" option, which is more related to DMVPN topologies. For the IKEv2 profile you can use either one (match identity remote address 0.0.0.0) or two (match identity remote address 20.1.4.10 255.255.255.255 & match identity remote address 20.1.5.11 255.255.255.255). Hence, my configuration looks like this:

         !
         int tu34
          ip add 172.16.2.9 255.255.255.0
          tu sou Gi3
          tu des 20.1.4.10
          tu mod ipsec ipv4
          tu pro ipsec IPSEC-PROF-SPOKE1
         !
         int tu35
          ip add 172.16.3.9 255.255.255.0
          tu sou Gi3
          tu des 20.1.5.11
          tu mod ipsec ipv4
          tu pro ipsec IPSEC-PROF-SPOKE2

     The verification of the requirement will look like this:

         R10#sh ip route | i D
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         D 10.100.6.1 [90/26880256] via 172.16.2.9, 00:03:18, Tunnel34
         D 192.168.9.9 [90/27008000] via 172.16.2.9, 00:03:18, Tunnel34
         R10#
         ---
         R11#sh ip route | i D
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         D 10.100.7.1 [90/26880256] via 172.16.3.9, 00:06:16, Tunnel35
         D 192.168.9.9 [90/27008000] via 172.16.3.9, 00:06:16, Tunnel35
         R11#

     Now the madness...

     Requirement 2

     Loopback1 interfaces on R9, R10 and R11 should be included in the EIGRP routing domain.

     This requirement is more complicated and even more vague!! Especially because the Loopback1 of the Spokes are within the same subnet which we need to advertise to the HUB. In theory, we can accomplish that by combining a summary-address under the EIGRP process and a leak-map.

     The leak-map will be responsible to leak to R9 the /32 address of the Loopback1 of R10, R11.
     The summary-address will be responsible to advertise each /24 subset to the HUB.

     The main problem with the solution is that the Loopbacks on R10, R11 should be configured as /32. But in the exam, the Loopback interfaces are pre-configured as /24!! Do we know if we are able to change the pre-configuration of the Loopbacks? If yes, then the solution will be as follows:

     On R10
     ----------

         !
         interface Loopback1
          ip address 192.168.10.10 255.255.255.255
         !
         ip access-list standard LOOP0
          permit 192.168.10.10
         !
         route-map LEAK-LOOP0 permit 10
          match ip address LOOP0
         !
         router eigrp 34
          no auto
          passive-interface default
          no passive-interface Tunnel34
          network 172.16.2.0 0.0.0.255
          network 192.168.10.10 0.0.0.0
         !
         interface Tu34
          ip summary-address eigrp 34 192.168.10.0 255.255.255.0 leak-map LEAK-LOOP0
         end

     On R11
     ----------

         !
         ip access-list standard LOOP0
          permit 192.168.11.11
         !
         route-map LEAK-LOOP0 permit 10
          match ip address LOOP0
         !
         router eigrp 35
          no auto
          passive-interface default
          no passive-interface Tunnel35
          network 172.16.3.0 0.0.0.255
          network 192.168.11.11 0.0.0.0
         !
         interface Tu35
          ip summary-address eigrp 35 192.168.11.0 255.255.255.0 leak-map LEAK-LOOP0
         end

     The verification of the requirement will look like this:

         R9#sh ip route | i D
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         D 192.168.10.0/24 [90/27008000] via 172.16.2.10, 00:01:03, Tunnel34
         D 192.168.10.10/32 [90/27008000] via 172.16.2.10, 00:01:03, Tunnel34
         D 192.168.11.0/24 [90/27008000] via 172.16.3.11, 00:00:13, Tunnel35
         D 192.168.11.11/32 [90/27008000] via 172.16.3.11, 00:00:13, Tunnel35
         R9#
         ---
         R10#sh ip route | i D
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         D 10.100.6.1 [90/26880256] via 172.16.2.9, 00:00:43, Tunnel34
         D 192.168.9.9 [90/27008000] via 172.16.2.9, 00:00:43, Tunnel34
         D 192.168.10.0/24 is a summary, 00:00:24, Null0
         R10#
         ---
         R11#sh ip route | i D
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         D 10.100.7.1 [90/26880256] via 172.16.3.9, 00:11:08, Tunnel35
         D 192.168.9.9 [90/27008000] via 172.16.3.9, 00:11:08, Tunnel35
         D 192.168.11.0/24 is a summary, 00:01:22, Null0
         R11#

     PS: I am very confident about Requirement #1 but I am not sure about Requirement #2. Personally, I will ask the proctor if I can amend the subnet mask of Loopback1 in the Spokes from /24 to /32 and act accordingly.

     This is NOT 100% the solution, only my point of view. Use this solution at your own risk.
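
Added example, not part of the original post and not taken from the lab: the hub-side IKEv2 and IPsec profile configuration that the post refers to but does not show, using the two-host form of `match identity remote address` so that only the two known spokes can select the profile. It assumes pre-shared-key authentication and the IOS IKEv2 smart defaults for proposal and policy; the names IKEV2-KR, IKEV2-PROF-SPOKES and TS-FLEX and both key strings are placeholders.

```cisco
! Constructed example for hub R9 (assumption: pre-shared keys, IKEv2 smart defaults).
! IKEV2-KR, IKEV2-PROF-SPOKES, TS-FLEX and the key strings are placeholders.
!
! One keyring entry per spoke, so each peer has its own key and a
! compromised spoke key does not expose the other tunnel.
crypto ikev2 keyring IKEV2-KR
 peer SPOKE1
  address 20.1.4.10
  pre-shared-key <SPOKE1-PSK>
 peer SPOKE2
  address 20.1.5.11
  pre-shared-key <SPOKE2-PSK>
!
! Host matches instead of the 0.0.0.0 wildcard: an IKEv2 initiator from any
! other address finds no matching profile on the hub.
crypto ikev2 profile IKEV2-PROF-SPOKES
 match identity remote address 20.1.4.10 255.255.255.255
 match identity remote address 20.1.5.11 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
!
crypto ipsec transform-set TS-FLEX esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Separate IPsec profiles per spoke, as in the post's Tunnel34/Tunnel35
! configuration, rather than one profile applied with the "shared" option.
crypto ipsec profile IPSEC-PROF-SPOKE1
 set transform-set TS-FLEX
 set ikev2-profile IKEV2-PROF-SPOKES
!
crypto ipsec profile IPSEC-PROF-SPOKE2
 set transform-set TS-FLEX
 set ikev2-profile IKEV2-PROF-SPOKES
```

After the tunnels come up, `show crypto ikev2 sa` and `show crypto ipsec sa` on R9 should list one SA pair per spoke, with encaps/decaps counters rising only for the tunnel that carries the tested traffic.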