RE: NLI's Security CCIE Boot Camp posted 12/01/2002


Yes. Traffic is routed over the tunnel interface. For the 192.168 net it is
using OSPF, and it works well. For the tunnel it uses 10.4.1.*, but the tunnel
source and tunnel destination are 192.168.4.3 and 192.168.1.13.

But the line protocol for the tunnel on R13 is down. I cannot figure out what
the problem is.


--- Justin Menga <Justin.Menga@xxxxxxxxxxxxxx> wrote:
> Well, if that traffic is routed over the tunnel interface, then the traffic
> will automatically be encrypted, as the tunnel is encrypted.
> 
> Your physical topology is: 
> 
> 10.3.1.*   192.168.4.3       192.168.1.13  10.2.1.*
> ---------R3-------------R5-------------R13--------
> 
> But your logical topology with the tunnel is most likely something like:
> 
> 10.3.1.*   10.1.1.1              10.1.1.2   10.2.1.*
> ---------R3----------GRE Tunnel----------R13--------
> 
> Here 10.1.1.x is used for the GRE tunnel.  If you have a static route on R3
> (this could also be learned via a dynamic protocol running across the
> tunnel):
> 
> ip route 10.2.1.0 255.255.255.0 10.1.1.2
> 
> then traffic is routed across the tunnel and encrypted.
> 
> If however you have the following route:
> 
> ip route 10.2.1.0 255.255.255.0 192.168.4.5 (R5)
> 
> then traffic is not routed across the tunnel and is not encrypted.
> 
> Regards,
> Justin
> 
> -----Original Message-----
> From: Peng Zheng [mailto:pzheng830@xxxxxxxxx] 
> Sent: Saturday, November 30, 2002 5:59 AM
> To: Justin Menga; security@xxxxxxxxxxxxxx
> Subject: RE: NLI's Security CCIE Boot Camp
> 
> 
> In the beginning, they asked to configure a tunnel and encrypt the tunnel.
> 
> But they also said: ping from a switch in 10.2.1.* to R3's LAN interface,
> 10.3.1.3, and make sure the packet is encrypted.
> 
> So I think the traffic that is required to be protected is from 10.2.1.* to
> 10.3.1.*.
> 
> 
> 
> --- Justin Menga <Justin.Menga@xxxxxxxxxxxxxx>
> wrote:
> > Hi
> > 
> > It depends on what is being encrypted.  The answer to me indicates only IP
> > traffic sourced from R3 to R13 and vice versa is to be encrypted.  The most
> > likely use of this would be for some type of router-to-router communication,
> > such as a GRE tunnel or a BGP session.  In this mode of operation, a
> > transform set operating in transport mode is normally configured, as nothing
> > is actually tunneled.  If however traffic behind R3 to traffic behind R13
> > needs to be encrypted (your ACLs reference 10.4.1.0, where is this?), then
> > your ACLs are correct.
> > 
> > If the question just says: "IPsec needs to be configured between R3 and
> > R13." then if there was some router-to-router communication configured,
> > such as BGP or GRE, then I'd assume it just means to protect that.  Given
> > in your previous email that you indicate a tunnel exists between R3 and
> > R13, I'm guessing a GRE tunnel exists between the two.  A better solution
> > would be:
> > 
> > access-list 101 permit gre host 192.168.4.3 host 192.168.1.13
> > 
> > Regards,
> > Justin
> > 
> > -----Original Message-----
> > From: Peng Zheng [mailto:pzheng830@xxxxxxxxx]
> > Sent: Friday, November 29, 2002 8:38 PM
> > To: security@xxxxxxxxxxxxxx
> > Subject: NLI's Security CCIE Boot Camp
> > 
> > 
> > Hi,
> > 
> > In the solution for LAB 1 of NLI's Security CCIE Boot Camp Lab
> > Subscription, for Router to Router VPN:
> > 
> > 10.3.1.*   192.168.4.3       192.168.1.13  10.2.1.*
> > ---------R3-------------R5-------------R13--------
> > 
> > IPsec needs to be configured between R3 and R13.  For encrypted traffic,
> > the access-list on R3 and R13 is:
> > 
> > access-list 101 permit ip host 192.168.4.3 host 192.168.1.13
> > 
> > and
> > 
> > access-list 101 permit ip host 192.168.1.13 host 192.168.4.3
> > 
> > I think it should be:
> > 
> > access-list 101 permit ip 10.4.1.0 0.0.0.255 10.2.1.0 0.0.0.255
> > 
> > and
> > 
> > access-list 101 permit ip 10.2.1.0 0.0.0.255 10.4.1.0 0.0.0.255
> > 
> > Which one is correct?
> > 
> > Thanks for help.
> > 
> > Best Wishes,
> > Peng Zheng
> > 
> 


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
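As an added worked example (this is not the NLI lab solution and not configuration posted by anyone in this thread), the GRE-over-IPsec setup Justin describes, written out for R3 with R13 mirrored. The addresses are the ones from the thread (R3 192.168.4.3, R13 192.168.1.13, R5 192.168.4.5, tunnel 10.1.1.1/10.1.1.2, LANs 10.3.1.0/24 and 10.2.1.0/24); the interface names, the crypto map and transform-set names, the pre-shared key and the IKE/IPsec algorithms are assumptions.

```cisco
! ===== R3 (example configuration; interface names, key and algorithms assumed) =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME address 192.168.1.13
!
! Transport mode: only the GRE payload between the two endpoints is protected,
! nothing is tunneled by IPsec itself (GRE already provides the tunnel).
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL matches the GRE packets after encapsulation, so the outer header
! (192.168.4.3 -> 192.168.1.13) is what is inspected. Inner 10.x.x.x addresses
! never need to appear here; any LAN-to-LAN traffic steered into Tunnel0 is
! covered automatically.
access-list 101 permit gre host 192.168.4.3 host 192.168.1.13
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 192.168.1.13
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 192.168.4.3
 tunnel destination 192.168.1.13
!
interface Ethernet0
 ip address 10.3.1.3 255.255.255.0
!
interface Serial0
 ip address 192.168.4.3 255.255.255.0
 crypto map GRE-VPN
!
! Far LAN goes INTO the tunnel (a static here, or OSPF running over Tunnel0).
! "ip route 10.2.1.0 255.255.255.0 192.168.4.5" instead would bypass the
! tunnel via R5 and the pings would leave in cleartext.
ip route 10.2.1.0 255.255.255.0 10.1.1.2
! The tunnel destination 192.168.1.13 itself must stay reachable over the
! physical path (OSPF on the 192.168 net in this lab), never via Tunnel0.
!
! ===== R13 (mirror image) =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME address 192.168.4.3
!
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
access-list 101 permit gre host 192.168.1.13 host 192.168.4.3
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 192.168.4.3
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 192.168.1.13
 tunnel destination 192.168.4.3
!
interface Serial0
 ip address 192.168.1.13 255.255.255.0
 crypto map GRE-VPN
!
ip route 10.3.1.0 255.255.255.0 10.1.1.1
```

To verify, ping 10.3.1.3 from a host in 10.2.1.0/24 and then run "show crypto ipsec sa" on R13: the "#pkts encaps" and "#pkts decaps" counters for the 192.168.1.13/192.168.4.3 GRE selector must increase with each ping. If they stay at zero while the ping succeeds, the 10.3.1.0/24 route is pointing at R5 rather than at Tunnel0. For a tunnel whose line protocol stays down, check "show ip route 192.168.4.3" on R13: a GRE tunnel's line protocol only comes up when the router holds a route to the tunnel destination, and that route must not itself go through Tunnel0 (recursive routing brings the tunnel down). On IOS releases of this era, the crypto map also had to be applied to the Tunnel interface in addition to the physical interface; newer releases need it on the physical interface only.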