IPSEC VTI stands for IPSEC Virtual Tunnel Interface.
Besides traditionnal IPSEC configuration with cyrpto map, VTI allows to use an interface. It is useful to apply some policies as we can do as other : service-policy, …
For this example, I will use the previous topology with four routers (R1, R2, R3, R4) : see the blog post below for a diagram.
I will implement a IPSEC VTI tunnel between R2 and R4.
How can DMVPN can make some QOS per spoke ?
It is what we will configure today :
Here is the network :
I will not explain how NHRP works in detail here.
R1, R2, R3, R4 use IS-IS (for fun) as IGP.
router isis
net 49.MAC_ADD.00
interface etc x/y
ip router isis
Now, here it comes DMVPN configurations :
R4#show run int tun 0
Building configuration...
Current configuration : 351 bytes
!
interface Tunnel0
bandwidth 1000
ip address 77.0.0.4 255.255.255.0
no ip redirects
ip nhrp authentication 1111
ip nhrp map multicast dynamic
ip nhrp map group toto service-policy output pm
ip nhrp network-id 1111
ip nhrp redirect
load-interval 30
qos pre-classify
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1111
end
R4#
And for R3 :
Désolé pour les lecteurs anglophones, cela sera un article pour une fois en français et loin des sphères concernant Cisco et la certification CCIE.
“Les grandes grandes vacances” est un dessin animé réalisé par la maison de production “Les armateurs”.
Cette série animée traite de la seconde guerre mondiale et de la résistance française. Le fait que les évènements se passent près de Dieppe en Normandie, rajoute à mon intérêt.
Thank you He.net to have send my IPv6 Sage certified T-Shirt. I really like it. Great quality and thank you to make all of you’ve done for v6 :)
For those of you whom are using this excellent opensource diagram software, since OS X Yosemite it seems it lacks one line to work correctly. You must edit : ‘/Applications/Dia.app/Contents/Ressources/bin/dia’ and add at line 39 : “export DISPLAY=:O” such as :
[…]
fi fi export DISPLAY=:0 osascript -e ’tell app “XQuartz” to launch’ for i in `seq 1 30`; do
[…]
Now it must work correctly :)
If you read/see videos about OSPF, it will be said that you can only filter on INBOUND or 1/0 on OUTBOUND (via ip ospf database-filter all out / neighbor x.x.x.x database-filter all out). You will say to me, no problem I can filter by means of “area range xxxxx not-advertise” (LSA Type 3) or “summary-address xxxx no-advertise” (LSA Type 5). Ok, now let’s say, I want with distribute-list and ACL, you filter out some routes ?
During these holidays on this beginning of may has been used for work at home and in our garden. Nevertheless, some work has been done on OSPF during these last two weeks. CCIE studies has been indeed slower than in April. It will be at 100% in beginning of the next week.
I have found again this networking game. The first time I play with it was in 2009. It was fun to take some hours to play with it.
It is not hosted by Cisco, so if you want to retrieve the archive you can download it here for those of you that were not in this industry or not know this cisco networking game.
This is possible to run the two address-families under the same OSPF process since Cisco IOS Software Release 15.1(3)S.
You can do this as : R9(config)# ipv6 unicast-routing R9(config)# ipv6 cef
Then : R9(config)# router ospfv3 1 R9(config-router)#address-family ipv4 unicast R9(config-router-af)#router-id 10.1.9.9 R9(config-router-af)#redistribute connected R9(config-router-af)#exit-a
And then configure the OSPF link by means of configuration on the interface : R9(config-router-af)#int ser 3/0 R9(config-if)#ospfv3 1 ipv4 area 236 *May 13 20:31:14.956: %OSPFv3-5-ADJCHG: Process 1, IPv4, Nbr 10.1.6.6 on Serial3/0 from LOADING to FULL, Loading Done R9(config-if)#ospfv3 1 ipv6 area 236 R9(config-if)#
For those of you who know the excellent web-iou, you will not be surprised that this new project from Andrea is really exciting and amazing.
Please see all the platform you can simulate with :
