Kevin Dorrell, CCIE #20765

30 Apr 2008

NMC Lab 18

Filed under: General, Security — dorreke @ 20:48

This lab is the most difficult I ever tried.  I suppose it didn’t help that I failed to do a proper read-through before I started, so I missed the VPN requirement 18.7.6, which actually changes the whole approach to the redistribution.  So I went steaming through the first 6 sections in under two hours, then came to a screaching halt at the VPN section, and ended up taking  a further two hours over it.

18.8 – Security.  IPsec VPN is something I have not done before.  I really don’t think (please God !!) I am going to get it in the exam, ‘cos I’m not taking CCIE security.  If I do then I’m sunk.  I’m just going to type in the solution in the AK, and hope something sticks for now.  Just look at those routes disappear as soon as I set the tunnel mode to ipsec ipv4, and come back again as soon as I attach the profile.  Magic!  Haven’t a clue (yet) what it means.

R2(ipsec-profile)#int Tu25
R2(config-if)#tunnel mode ipsec ipv4
*Apr  8 17:21:14.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel25, changed state to down
*Apr  8 17:21:14.271: is_up: 0 state: 4 sub state: 1 line: 0 has_route: True
*Apr  8 17:21:14.275: RT: del via, rip metric [120/1]
*Apr  8 17:21:14.275: RT: delete subnet route to
*Apr  8 17:21:14.275: RT: NET-RED
*Apr  8 17:21:14.275: RT: interface Tunnel25 removed from routing table
*Apr  8 17:21:14.279: RT: del via, connected metric [0/0]
*Apr  8 17:21:14.279: RT: delete subnet route to
*Apr  8 17:21:14.279: RT: NET-RED
R2(config-if)#tunnel protection ipsec profile VPN
*Apr  8 17:22:12.082: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr  8 17:22:14.061: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel25, changed state to up
*Apr  8 17:22:14.065: is_up: 1 state: 4 sub state: 1 line: 0 has_route: False
*Apr  8 17:22:14.065: RT: SET_LAST_RDB for
  NEW rdb: is directly connected
*Apr  8 17:22:14.065: RT: add via, connected metric [0/0]
*Apr  8 17:22:14.065: RT: NET-RED
*Apr  8 17:22:14.073: RT: interface Tunnel25 added to routing table
*Apr  8 17:22:14.185: RT: SET_LAST_RDB for
  NEW rdb: via
*Apr  8 17:22:14.185: RT: add via, rip metric [120/1]
*Apr  8 17:22:14.189: RT: NET-RED

So, on to IPv6, only to find that once again I should have read ahead.  The Frame Relay and OSPF sections give you two possible topologies for the R1 connection: physical interface with inverse-arp switched off for those DLCIs you don’t want to use, or a multipoint interface s0/0.124 with interface-dlci statements for the DLCIs you do want to use.  I chose the first solution.  But the IPv6 wording talks about the IPv6 address on R1-S0/0.124.  Humph!


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: