Jul 27

Time is a valuable resource in the lab. In a lab task, if we are asked to configure a policy-map named “BOB”, it doesn’t get the same point value if we happen to accidentally name it “bob”, especially when the graders are looking to see whether you configured exactly what they asked for.

The challenge is that when we review a lab task and discover that we need to change a name, it can be a hassle: we need to remove the policy-map, recreate it under the new name, and then apply it again everywhere it was used.

So if you are down to the last minute, here is a time-saving solution that can help with that process.

IOS allows us to rename a policy-map, and IOS will swap out the name in the other areas of the configuration that reference that policy-map.

Here is an example of a policy-map from Volume 2, lab 5.

Rack1R5#show run policy-map
Building configuration...

Current configuration : 352 bytes
!
policy-map TRANSIT_RATE_LIMIT
class FRAGMENTS
   police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
class CLOSED_PORTS
   drop
policy-map CEF_EXCEPTION_RATE_LIMIT
class class-default
   police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
class ICMP
   police rate 10 pps burst 5 packets
!
end

Rack1R5#show run | begin control
control-plane host
service-policy input HOST_RATE_LIMIT
service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
service-policy input CEF_EXCEPTION_RATE_LIMIT

Let’s say that after reviewing our configuration, we discover that the policy-map for the cef-exception sub-interface of the control plane should have been named “NEW-NAME-CEF”.

To change it everywhere in the configuration, instead of creating a new one and replacing the old one, we could simply do this:

Rack1R5(config)#policy-map CEF_EXCEPTION_RATE_LIMIT
Rack1R5(config-pmap)#rename NEW-NAME-CEF

Now, when we look at the configuration, we can see that not only has the name of the policy-map changed, but the control-plane configuration has been updated to reflect the new name as well:

Rack1R5#show run policy-map
Building configuration...

Current configuration : 340 bytes
!
policy-map TRANSIT_RATE_LIMIT
class FRAGMENTS
   police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
class CLOSED_PORTS
   drop
policy-map NEW-NAME-CEF
class class-default
   police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
class ICMP
   police rate 10 pps burst 5 packets
!
end

Rack1R5#show run | begin control
control-plane host
service-policy input HOST_RATE_LIMIT
service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
service-policy input NEW-NAME-CEF
!
!
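
The rename above is done on the box, but the same idea is worth having as an offline check, for instance when a control-plane policy that protects the router is renamed in a config file before being pushed. The script below is an added example, not from the original post: it emulates the IOS rename on a config text (definition plus every service-policy reference), matches names case-sensitively exactly as IOS does, and reports service-policy references that point at no defined policy-map, which is what a half-done manual rename leaves behind. The sample config is constructed from the Rack1R5 output above.

```python
"""Rename a policy-map in an IOS-style running-config text and update every
service-policy line that references it, mirroring the IOS 'rename' sub-command.
Added example, not from the original post. Also reports service-policy
references that no policy-map defines (a dangling reference)."""
import re

# Constructed sample, modelled on the Rack1R5 output above.
SAMPLE_CONFIG = """\
policy-map TRANSIT_RATE_LIMIT
 class FRAGMENTS
  police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
 class CLOSED_PORTS
  drop
policy-map CEF_EXCEPTION_RATE_LIMIT
 class class-default
  police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
 class ICMP
  police rate 10 pps burst 5 packets
!
control-plane host
 service-policy input HOST_RATE_LIMIT
 service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
 service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
 service-policy input CEF_EXCEPTION_RATE_LIMIT
"""

# 'policy-map [type <t>] NAME' at top level, and
# ' service-policy [type <t>] input|output NAME' under an interface/control-plane.
POLICY_DEF = re.compile(r"^(policy-map(?:\s+type\s+\S+)?\s+)(\S+)\s*$")
POLICY_REF = re.compile(
    r"^(\s*service-policy(?:\s+type\s+\S+)?\s+(?:input|output)\s+)(\S+)\s*$")


def defined_policy_maps(config):
    """Set of policy-map names defined in the config text."""
    names = set()
    for line in config.splitlines():
        m = POLICY_DEF.match(line)
        if m:
            names.add(m.group(2))
    return names


def dangling_references(config):
    """service-policy names that no policy-map in the config defines."""
    defined = defined_policy_maps(config)
    missing = []
    for line in config.splitlines():
        m = POLICY_REF.match(line)
        if m and m.group(2) not in defined:
            missing.append(m.group(2))
    return missing


def rename_policy_map(config, old, new):
    """Rename a policy-map definition and every service-policy reference to it.
    Names are compared case-sensitively, exactly as IOS treats them."""
    defined = defined_policy_maps(config)
    if old not in defined:
        raise ValueError(f"policy-map {old!r} is not defined")
    if new in defined:
        raise ValueError(f"policy-map {new!r} already exists")
    out = []
    for line in config.splitlines():
        for pattern in (POLICY_DEF, POLICY_REF):
            m = pattern.match(line)
            if m and m.group(2) == old:
                line = m.group(1) + new  # keep the keyword prefix, swap the name
                break
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rename_policy_map(SAMPLE_CONFIG, "CEF_EXCEPTION_RATE_LIMIT", "NEW-NAME-CEF"))
```

Running `dangling_references` on a config after any edit is the useful part: IOS itself will accept a `service-policy` line that names a policy-map which does not exist, so the only clue that a control-plane policy is no longer applied is a reference with nothing behind it.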

Best wishes on your studies, and may your policy-maps be named correctly the first time around. :)

Keith

Jul 19

The author and poet Maya Angelou said “Words mean more than what is set down on paper. It takes the human voice to infuse them with deeper meaning.” Well, that is certainly what we have attempted to do with the CCIE Voice Deep Dive self-paced Class on Demand series: to bring the human instructional voice to infuse deeper meaning into what is already fantastic Cisco documentation. Anyone who has set out and determined to undertake the task of studying for and ultimately passing any CCIE Lab exam knows that at some point during your studies, the words on paper (Cisco Docs, RFCs, books), while an absolutely phenomenal source of information, can at times seem to lose their impact. Perhaps you have been studying too long, read one too many docs, have the time pressure of your family and friends waiting for you to return to be a part of their life, or perhaps you are just starting out on your adventure and don’t know where to begin. Whatever stage you are at or whatever the case may be, it is certainly helpful to have a tutor and mentor there beside you at times, assisting you in understanding what each complex technology’s documentation is trying to teach you, in possibly a deeper and more insightful way than you can manage on your own.

Wait no longer for such help to arrive! INE is happy to announce that each Live-Online Deep Dive course that we have taught has been recorded, and you have the ability to access these extensive repositories of knowledge at any time.

Here are a couple of great demos of just a portion of the latest Deep Dive session we held on Globalization & Localization, to whet your appetite:

Demo 1: Globalization Prezi – Theory and Reasons

Demo 2: Inbound Calling Party Localization

For each complex topic we have held — or will soon hold (listings to follow below) — a separate online class where we dive down deep and explore all the concepts, practical application and troubleshooting associated with each technology topic. We then allow you to purchase each module individually (if you like) so that you can either try small sections of the product, or so that those who only need to plug in small gaps of knowledge can do so at a very deep, intense level – either one without committing to purchase the entire product series.

The general format for each Class-on-Demand Deep Dive module spends between 4 and 7 hours on the given topic for that day, and during that time follows this outlined training methodology:

  • Collectively discuss and teach all concepts involved in the technology
  • Whiteboard concepts to further deepen every participant’s understanding
  • Define a specific set of tasks to be accomplished
  • Demonstrate how the tasks and concepts are implemented and properly configured
  • Test the configuration thoroughly
  • Vary the configuration to understand how different permutations affect the outcome
  • Debug and trace the working configuration to understand what should be seen
  • Break the configuration and troubleshoot with debugs and traces to contrast from the working set

Thus far, we have held 10 online sessions, each with a median recorded runtime of 6 hours. We have almost 60 hours of Class on Demand content, and we’ve only just begun! We conservatively estimate that by the time we complete our more than 30 planned modules, we will have over 200 hours of Deep Dive recordings.

Below is a detailed index from the 10 currently available sessions:

Module 01 :: Network Infrastructure with LAN Quality of Service

  • Catalyst 3560/3750 Classification and Marking
  • Catalyst 3560/3750 Conditional Trust
  • Catalyst 3560/3750 Ingress Interface Mapping
  • Catalyst 3560/3750 Ingress Interface Queuing
  • Catalyst 3560/3750 Ingress Interface Expedite Queue
  • Catalyst 3560/3750 L2 CoS to L3 DSCP Mapping
  • Catalyst 3560/3750 Egress Interface Mapping
  • Catalyst 3560/3750 Egress Interface Queuing
  • Catalyst 3560/3750 Interface Queue Memory Allocation
  • Catalyst 3560/3750 Egress Queue-Set Templates
  • Catalyst 3560/3750 Weighted Tail Drop (WTD) Buffer Allocation
  • Catalyst 3560/3750 Egress Interface Expedite Queue
  • Catalyst 3560/3750 Egress Interface Sharing
  • Catalyst 3560/3750 Egress Interface Shaping
  • Catalyst 3560/3750 Scavenger Traffic Policing

Module 02 :: CUOS GUI and CLI Admin

  • CUCM WebUI: Service Activation and Stop/Start/Reset
  • CUCM WebUI: Bulk Administration Tool (Import/Export, Phone Reports, etc)
  • CUCM WebUI: DB Replication Status
  • CUCM WebUI: Trace Files
  • CUOS CLI: TFTP Files Management
  • CUOS CLI: Status and Hostname
  • CUOS CLI: DB Replication Assurance
  • CUOS CLI: DB Replication Repair and Cluster Reset
  • CUOS CLI: Trace Files
  • CUOS CLI: RIS DB Search
  • CUOS CLI: Performance Monitor (PerfMon)
  • RTMT: Trace Files
  • RTMT: Performance Monitor (PerfMon)

Module 03 :: CUCM System and Phone – SCCP and SIP Fundamentals

  • CUCM Services
  • UC Servers and Groups
  • Date/Time with NTP Reference
  • Regions and Codecs
  • Location-Based Call Admission Control
  • SRST References
  • Device Pools
  • System Parameters
  • Enterprise Parameters
  • Phone Button Templates
  • Softkey Templates
  • SCCP Phone Basics
  • SIP Phone Basics

Module 04 :: Users, Credentials, Multi-Level Roles and LDAP Internetworking

  • CUCM User Credentials and Policies
  • LDAP Synchronization for CUCM and Unity Connection
  • LDAP Authentication for CUCM and Unity Connection
  • CUCM End Users
  • CUCM User Roles
  • CUCM Multi-Level Administration
  • CUCM Device/Phone/Line User Association
  • UCCX and CUP Basic Users

Module 05 :: Call Features – In-Depth

  • SCCP and SIP Phone Display
  • Phone Firmware
  • Phone Logging
  • Ring Settings
  • Basic and Advanced Call Forwarding Display
  • Auto-Answer Options
  • CallBack (Camp-On)
  • Intercom
  • Advanced Call Hold Options
  • Call Park
  • Directed Call Park
  • Advanced Call Park Settings
  • Call Pickup
  • Group Call Pickup
  • Other Call Pickup
  • Directed Call Pickup
  • Call Pickup Attributes
  • Shared Line
  • Barge and cBarge (Conference Barge)
  • Privacy
  • Built-In IP Phone Bridge

Module 06 :: Media Resources – MTPs, Conf Bridges, Annunciator and Music on Hold

  • IOS Software MTP
  • IOS Conference Bridge
  • IOS Transcoding
  • Media Preference and Redundancy
  • Meet-Me Conferencing
  • Ad-Hoc Conferencing
  • Annunciator
  • Unicast Music on Hold
  • Traditional Multicast Music on Hold
  • Alternate Multicast Music on Hold

Module 07 :: Expert Gateways & Trunks

  • ISDN Switch Types and Advanced CNAM options
  • ISDN Information Elements
  • SIP Trunks – Fundamental and Advanced Options
  • H.323 Gateways – Fundamental and Advanced Options
  • MGCP Gateways – Fundamental and Advanced Options

Module 08 :: Expert H.323 Gatekeeper

  • Provisioning IOS H.323 Gatekeeper
  • Registering CUCM with H.323 Gatekeeper
  • Registering CUCME with H.323 Gatekeeper
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Dynamic E.164 Aliases
  • Routing Calls from CUCM to CUCME via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Static E.164 Aliases
  • Routing Calls from CUCM to CUCME and Back via Gatekeeper in One Zone with One Tech Prefix
  • Gatekeeper Call Admission Control
  • Routing Calls from CUCM to CUCME and Back via Alternate Gatekeeper Clustering in Multiple Zones with Multiple Tech Prefixes using GUP

Module 09 :: Dial Plan – Line Device Approach and the Not-So-Basic Fundamentals

  • Class of Service: Calling Search Spaces and Partitions
  • Gateways, Route Groups, Local Route Groups/Device Pools
  • Route Lists and Standard Local Route Groups
  • Route Patterns and Translation Patterns
  • Digit Manipulation: Calling & Called Party Transformations and IOS Dial Peers
  • Private Line Automatic Ringdown (PLAR)

Module 10 :: Dial Plan – Globalization & Localization of both the Calling and the Called Numbers, and with Mapping the Global Number to the Local Variant

  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Globalization :: GW Incoming Calling Party Settings
  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Localization :: Phone Calling Party Transformations
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Globalization :: PSTN Patterns – a.k.a. “Translation Patterns are the *New* Route Patterns”
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Localization :: Digit Manipulation: Calling & Called Party Transformations and IOS Voice Translation Rules & Dial Peers
  • Mapping the Global Number to the Local Variant :: + Dialing and One-Button Missed Call DialBack

So stay tuned to this blog, as we will shortly post the upcoming modules soon to be held online and recorded.

Apr 16

Thank you to all those who have submitted questions and comments to our blog. We will be taking time each week to post answers to your questions and to post some of these comments. If you have a question for one of our CCIE Instructors, please email it to blog@ine.com.

Question #1

Can anyone please advise what the recommended laptop hardware configuration is for CCIE R&S Lab prep? I have read many blogs, posts and pieces of advice but have been unable to figure out the appropriate answer. While advising, please consider that GNS3 is the only option I have.
Many thanks in advance,
Asif Irfan

If you are looking for appropriate hardware to run the complete IEWB-RS topology (6 routers, 4 switches, 3 backbone routers), then your minimum would be a Core 2 Duo 2.5GHz with 2GB of RAM. That’s the bare minimum, and you should look toward expanding memory to at least 3-4GB to have more room for other applications (if you have any). The largest benefit of this solution is its low cost, as Core 2 Duo processors are now “past generation”. If you could, you may get two Core 2 Duo laptops, each with 2GB of RAM, and run Dynamips on both systems in a distributed fashion. This is still a budget solution.

If you are not restricted by your budget, look for quad-core processors, such as the i7, and a memory base of at least 4GB. This is enough to run the whole IEWB-RS topology, provided that you are using optimal IdlePC values.

Here are some hints to improve Dynamips performance (aside from tuning IdlePC):

1) Shut down all currently unused routers, e.g. the backbones, if you are working through IGP. Only bring them up temporarily for testing.
2) When you’re done with the layer 2 scenarios, reconfigure your switches in a hub-and-spoke (star) topology, say with SW1 as the center switch. After this, disable STP for all VLANs. This will save you a lot of CPU cycles “wasted” on Spanning-Tree processing.
3) Like I said before, try using distributed systems, running Dynamips on multiple “less powerful” laptops.

Answered by: Petr Lapukhov CCIE #16379

Question #2

Hi,
I would like to know the difference between the maximum-paths ibgp and maximum-paths ibgp import commands under an address-family.
Thanks
naman

Hello Naman.

Both commands are used for equal or unequal cost load sharing for iBGP sessions.

The import keyword is used when you are configuring the command under a VRF. Here are examples of usage from the Cisco Command Reference.

The following example configuration installs three parallel iBGP paths in a non-MPLS topology:
Router(config)# router bgp 100
Router(config-router)# maximum-paths ibgp 3

The following example configuration installs two parallel routes in the VRF table:
Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf vrf-B
Router(config-router-af)# maximum-paths ibgp 2 import 2
Router(config-router-af)# end

Thanks so much for using blog.ine.com!

Answered by: Anthony Sequeira CCIE #15626

Question #3

Dear Valuable Technical Teachers and Friends,

First of all, I wish to thank you for your great support to all those who are preparing for network studies. I completed my CCNA two years back. Now I am preparing for the next step. At this point, I am a bit confused about deciding whether I can do CCNP or CCIE (R&S). I would like to reach a top level in Cisco Networking technology, so I am requesting your suggestions as to which is best for me.

Also, can you suggest any good simulators to improve my practical skills?

Thanks,
K.Saleem Jaffer

Thanks for the question. Having the CCIE certification makes for an excellent stepping stone in a technical career. An important aspect of successfully passing the CCIE lab exam is a very solid understanding of all the technologies involved. A great way to prepare for this is through the CCNP level of studies. If a person chooses that path, they would do well to take time to learn the technologies while studying CCNP, and not have the feeling of just learning enough to pass a CCNP written exam. By truly learning the core technologies in CCNP, it will serve as a springboard into the CCIE studies. Many candidates waste large amounts of time in complex configurations because they lack the basic understanding of the protocols and technologies that make up the scenario. I would recommend a 1-2 year plan that begins with CCNP, carries into CCIE studies, and ends with you attaining your CCIE. Best wishes in your studies and journey.

Keith Barker CCIE #6783

Comment:

INE,

I absolutely love your version 4 COD videos for the R&S track. I love them so much that I am dying to get more. When do you believe the videos will get posted? I’ve been stuck at EIGRP for over 2 weeks now. I would like to see these added at a quicker pace.

My current study plan is to read about a technology, watch the videos for that technology and then do the volume 1 labs for that technology. This is working very well for me and I want to continue without having to watch previous versions of the COD.

The reason I like the version 4 COD classes is they seem more scripted. I am watching the MPLS videos from the 10 day bootcamp and I see the instructor looking around for the right command to show something. I find this confusing and distracting from learning the material. The scriptedness and complete mastery of what we are doing and what you are trying to show in version 4 is great and I want more of it.

Also, from a technology viewpoint I find it much easier to pause the v4 videos and write down the configurations or configure the dynamips session I am using to follow along, than with the v3 technology. The v4 seems like it downloads the entire video and you can pause, move forwards and backwards and the screen doesn’t “refresh”. The v3 technology blanks the screen and then kind of fast-forwards the screen for a little bit while the audio is at normal pace when you move around. Another reason I want more v4!

Also, one tiny suggestion. I like being able to forecast how much time I need to spend watching the videos. I don’t see any time counter on the v4 or listing of how long the video is. I would love to see a time value in parentheses after the title of each video to be able to know how much time to allot to each video.

Keep up the good work, my CCIE journey would be perilous without you guys.

Thanks,

Thomas Holincheck

Keep submitting your questions and comments!

Mar 27

In a word, “Way to GO” (without the spaces, that would be one word :) ). I am impressed at all the feedback and ideas we received regarding the IKE phase 1 riddle we posed last week. You can read the original post here. Ideas were creative and varied.

As my friend and co-worker Marvin Greenlee says, “If there are 2 different ways to configure something, as a CCIE candidate, you had better be prepared to know all 3.” If you would like to see “a solution”, read on.

Ideas sent in included unique identities, isakmp profiles, DMVPN, GETVPN, virtual tunnel interfaces, key-rings, and a few even included full configurations for their ideas. Excellent work and effort to all!

So a huge thanks goes out to Nick, Igor, Fedia, Jeff, AJN, MG, Paul A and Paul S! Read below to find out which one of you won the tokens!

There is more than one way of solving this IKE challenge. My intention was to give those getting ready for the lab the absolute best preparation, and that preparation is practicing it. My feeling is that unless we have gone through the debugs for IKE phase 1 and IKE phase 2, and pushed through the CA authentication and enrollment process, we aren’t ready to face the lab. When we are to the point that we can look at the debugs and say, “Yup, that’s the problem, and here’s why”, that is a good indication we are getting close to ready for that topic.

Here is the solution I put together for this task. I chose what I felt would be a fairly straightforward solution: logically separating the termination points for the different sets of traffic, and placing keys and IKE phase 1 policies strategically. One of the items that I failed to remember while putting this solution together was to match the EasyVPN group name on the server with the OU name in the client certificate. I appreciate the opportunity to “remember” and to sharpen my skills too!

Here is the diagram again. Below it, the final solutions and verifications.

[Diagram: IKE several different ways]

Here are the configurations for the routers, beginning with R1, which is the EasyVPN server. Both R1 and R2 authenticated and enrolled with R3, which acted as the CA server for this IPSec “get-together”.

R1#show run brief
version 12.4
hostname R1
!
aaa new-model
!
aaa authentication login Method-2 local
aaa authorization network Method-1 local
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
no ip domain lookup
ip domain name ine.com
!
crypto pki trustpoint CA-R3
 enrollment url http://3.3.3.3:80
 fqdn R1.ine.com
 subject-name O=ine, OU=vpn_group, CN=R1, C=us, ST=nv
 revocation-check none
!
username admin privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 2.2.2.2
!
crypto isakmp client configuration group vpn_group
 pool MyPOOL
 acl 100
 save-password
 netmask 255.255.255.0
!
crypto isakmp profile IKE-PROF-1
   match identity group vpn_group
   client authentication list Method-2
   isakmp authorization list Method-1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSec-PROF-1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROF-1
!
crypto map MYMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback4
 ip address 4.0.0.1 255.255.255.0
!
interface Loopback5
 ip address 5.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.12.0.1 255.255.255.0
 crypto map MYMAP
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec-PROF-1
!
router rip
 version 2
 network 1.0.0.0
 network 4.0.0.0
 network 5.0.0.0
 network 10.0.0.0
 no auto-summary
!
ip local pool MyPOOL 4.0.0.51 4.0.0.100
!
!
access-list 100 permit ip 4.0.0.0 0.0.0.255 any
access-list 101 permit ip 5.0.0.0 0.0.0.255 7.0.0.0 0.0.0.255

line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
!
ntp authentication-key 1 md5 0822455D0A16 7
! Note: the trusted-key statement isn't needed on the server, but there is a bug
! on some IOS versions that causes NTP authentication to not function if it is not there.
ntp trusted-key 1
ntp source Loopback0
ntp master 5
!
end

R1#

What a fun read that was. Now for R2.

R2#show run brief
version 12.4
hostname R2
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
no ip domain lookup
ip domain name ine.com
!
crypto pki trustpoint CA-R3
 enrollment url http://3.3.3.3:80
 fqdn R2.ine.com
 subject-name O=ine, OU=vpn_group, CN=R2, C=us, ST=nv
 revocation-check none
!
username admin privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.12.0.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn EZVPN_CLIENT
 connect auto
 mode network-extension
 peer 1.1.1.1
 virtual-interface 1
 username admin password cisco
 xauth userid mode local
!
crypto map MYMAP local-address Loopback0
crypto map MYMAP 1 ipsec-isakmp
 set peer 10.12.0.1
 set transform-set ESP-3DES-SHA
 match address 100
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback6
 ip address 6.0.0.2 255.255.255.0
 crypto ipsec client ezvpn EZVPN_CLIENT inside
!
interface Loopback7
 ip address 7.0.0.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.12.0.2 255.255.255.0
 crypto map MYMAP
 crypto ipsec client ezvpn EZVPN_CLIENT
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0/1.23 point-to-point
 ip address 10.23.0.2 255.255.255.0
 frame-relay interface-dlci 203
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
router rip
 version 2
 network 2.0.0.0
 network 6.0.0.0
 network 7.0.0.0
 network 10.0.0.0
 no auto-summary
!
access-list 100 permit ip 7.0.0.0 0.0.0.255 5.0.0.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
ntp authentication-key 1 md5 05080F1C2243 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179982
ntp server 1.1.1.1
!
end

R2#

Let’s start the verification process on R1. We will clear the tunnels and initiate traffic from network 4 to 6, and then from network 5 to 7. Because R2 is an EasyVPN remote, it will be the one initiating the tunnel back for the network 6 to 4 encryption with EasyVPN (nothing to do with IPv6 tunnels) :)

R1#clear crypto isakmp
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
R1#clear crypto sa
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1#ping 6.0.0.2 source 4.0.0.1 repeat 15

Type escape sequence to abort.
Sending 15, 100-byte ICMP Echos to 6.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 4.0.0.1
!!!!!!!!!!!!!!!
Success rate is 100 percent (15/15), round-trip min/avg/max = 72/179/252 ms
R1#ping 7.0.0.2 source 5.0.0.1 repeat 75

Type escape sequence to abort.
Sending 75, 100-byte ICMP Echos to 7.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 5.0.0.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
Success rate is 98 percent (74/75), round-trip min/avg/max = 28/154/292 ms
R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 10.12.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (7.0.0.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
    #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.12.0.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xEB4512D2(3947172562)

     inbound esp sas:
      spi: 0xE00894E5(3758658789)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 37, flow_id: SW:37, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4398286/3579)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEB4512D2(3947172562)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 38, flow_id: SW:38, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4398286/3579)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.12.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 10.12.0.2
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xB923167D(3106084477)

     inbound esp sas:
      spi: 0x44649B73(1147444083)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 35, flow_id: SW:35, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4575108/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB923167D(3106084477)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 36, flow_id: SW:36, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4575107/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         10.12.0.2       QM_IDLE           1015    0 ACTIVE
2.2.2.2         10.12.0.1       QM_IDLE           1016    0 ACTIVE


R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1015  1.1.1.1         10.12.0.2                ACTIVE 3des sha  rsig 2  23:58:18 CX
       Engine-id:Conn-id =  SW:15

1016  10.12.0.1       2.2.2.2                  ACTIVE 3des sha  psk  2  23:59:24
       Engine-id:Conn-id =  SW:16
R1#
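
The `show crypto isakmp sa detail` output above is where the design is confirmed: one phase 1 SA with `rsig` (the certificate-authenticated EasyVPN client, with the C and X capabilities for config mode and XAUTH) and one with `psk` (the crypto-map peer). Checking that by eye is fine for two peers; for more it is worth scripting. The following is an added example, not part of the original post: it parses that output (the sample is copied from R1 above), and audits each SA against an assumed design table (`LAB_DESIGN`, my assumption about which peer should use which authentication method), also flagging single DES, a DH group below the minimum, an SA that is not ACTIVE, an unexpected peer, and an expected peer that has no SA at all.

```python
"""Parse 'show crypto isakmp sa detail' and check each IKE phase 1 SA against
the intended design. Added example, not part of the original post."""
import re

# Sample output, copied from the R1 verification above.
SHOW_ISAKMP_SA_DETAIL = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1015  1.1.1.1         10.12.0.2                ACTIVE 3des sha  rsig 2  23:58:18 CX
       Engine-id:Conn-id =  SW:15

1016  10.12.0.1       2.2.2.2                  ACTIVE 3des sha  psk  2  23:59:24
       Engine-id:Conn-id =  SW:16
"""

# One SA row. I-VRF and Cap. are both optional columns, so the VRF group is
# tried first and the regex backtracks to "no VRF" when the DH/lifetime columns
# do not line up.
SA_LINE = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<vrf>\S+)\s+)?(?P<status>\S+)\s+(?P<encr>\S+)\s+(?P<hash>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<dh>\d+)\s+(?P<lifetime>\d{1,2}:\d\d:\d\d)"
    r"(?:\s+(?P<cap>\S+))?\s*$"
)


def parse_isakmp_sas(text):
    """One dict per SA row; 'dh' becomes an int and 'cap' a set of letters
    (C = config mode, X = XAUTH, D = DPD, ...)."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # header, code legend, Engine-id lines
        sa = m.groupdict()
        sa["dh"] = int(sa["dh"])
        sa["cap"] = set(sa["cap"] or "")
        sas.append(sa)
    return sas


def audit_isakmp_sas(sas, expected_auth, min_dh=2, weak_encr=("des",)):
    """expected_auth maps remote peer address -> auth method the design calls
    for ('psk', 'rsig', 'renc'). Returns a list of findings; empty is good."""
    findings = []
    seen = set()
    for sa in sas:
        peer = sa["remote"]
        seen.add(peer)
        want = expected_auth.get(peer)
        if want is None:
            findings.append(f"{peer}: unexpected IKE peer (auth {sa['auth']})")
        elif sa["auth"] != want:
            findings.append(f"{peer}: auth is {sa['auth']}, design calls for {want}")
        if sa["encr"] in weak_encr:
            findings.append(f"{peer}: weak encryption {sa['encr']}")
        if sa["dh"] < min_dh:
            findings.append(f"{peer}: DH group {sa['dh']} below minimum {min_dh}")
        if sa["status"] != "ACTIVE":
            findings.append(f"{peer}: SA status {sa['status']}")
    for peer in expected_auth.keys() - seen:
        findings.append(f"{peer}: no IKE SA established")
    return findings


# Assumed design for the lab above: the EasyVPN client (R2's outside address
# 10.12.0.2) authenticates with certificates; the crypto-map peer 2.2.2.2 with a PSK.
LAB_DESIGN = {"10.12.0.2": "rsig", "2.2.2.2": "psk"}

if __name__ == "__main__":
    sas = parse_isakmp_sas(SHOW_ISAKMP_SA_DETAIL)
    for line in audit_isakmp_sas(sas, LAB_DESIGN) or ["all phase 1 SAs match the design"]:
        print(line)
```

The point of keying the table on the remote address is that it is the identity the SA was actually negotiated with: if R2's EasyVPN session had come up against the PSK policy instead of the certificate one, the row would still say ACTIVE, and only the `Auth` column would give it away.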

Now we will look at R2, using the same process. Clear the SAs, then send interesting traffic.

R2#clear crypto isakmp
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=admin  Group=  Server_public_addr=1.1.1.1  c
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R2#clear crypto sa
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R2#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=admin  Group=  Server_public_addr=1.1.1.1
R2#
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2#ping 4.0.0.1 source 6.0.0.2 repeat 32

Type escape sequence to abort.
Sending 32, 100-byte ICMP Echos to 4.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 6.0.0.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (32/32), round-trip min/avg/max = 128/171/256 ms
R2#ping 5.0.0.1 source 7.0.0.2 repeat 99

Type escape sequence to abort.
Sending 99, 100-byte ICMP Echos to 5.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 7.0.0.2
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/99), round-trip min/avg/max = 16/133/352 ms
R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : SDM_EZVPN_CLIENT_1
Inside interface list: Loopback6
Outside interface: Virtual-Access1 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Split Tunnel List: 1
       Address    : 4.0.0.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 1.1.1.1

R2#show crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 10.12.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.12.0.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB7873D1E(3079093534)

     inbound esp sas:
      spi: 0xE8738BE2(3899886562)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 39, flow_id: SW:39, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4595984/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB7873D1E(3079093534)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 40, flow_id: SW:40, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4595985/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (7.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (5.0.0.0/255.255.255.0/0/0)
   current_peer 10.12.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 98
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 10.12.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x419146C7(1100039879)

     inbound esp sas:
      spi: 0xEFAA9897(4020934807)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 41, flow_id: SW:41, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4378766/3562)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x419146C7(1100039879)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 42, flow_id: SW:42, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4378766/3562)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         10.12.0.2       QM_IDLE           1017    0 ACTIVE
10.12.0.1       2.2.2.2         QM_IDLE           1018    0 ACTIVE


R2# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1017  10.12.0.2       1.1.1.1                  ACTIVE 3des sha  rsig 2  23:57:32 CX
       Engine-id:Conn-id =  SW:17

1018  2.2.2.2         10.12.0.1                ACTIVE 3des sha  psk  2  23:59:12
       Engine-id:Conn-id =  SW:18
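As an added example (not part of the original post), here is a small parser for the `show crypto ipsec sa` output format above that reports what a defender would want flagged on each interface: legacy transforms such as esp-3des, replay detection turned off, and send/receive error counters. The sample text is constructed from the output above, and the WEAK set is an assumed list of transforms to treat as deprecated.

```python
import re
# Constructed sample, trimmed from the "show crypto ipsec sa" output above.
SAMPLE = """\
interface: Virtual-Access1
   current_peer 1.1.1.1 port 500
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
    #send errors 0, #recv errors 0
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
interface: FastEthernet0/0
   current_peer 10.12.0.1 port 500
    #pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 98
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    #send errors 1, #recv errors 0
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
"""
# Assumed list of legacy transforms that should not appear in a current transform set
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
def parse_ipsec_sa(text):
    """One dict per 'interface:' block: peer, counters, transforms, replay flag."""
    sas = []
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            sas.append({"interface": s.split(":", 1)[1].strip(), "transforms": set(),
                        "replay": True, "encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0})
        elif not sas: continue  # ignore any text before the first interface block
        elif s.startswith("current_peer"):
            sas[-1]["peer"] = s.split()[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            sas[-1][m.group(1)] = int(m.group(2))  # packets encapsulated / decapsulated
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            sas[-1]["send_err"], sas[-1]["recv_err"] = int(m.group(1)), int(m.group(2))
        elif s.startswith("transform:"):
            sas[-1]["transforms"].update(s.split(":", 1)[1].replace(",", " ").split())
        elif s.startswith("replay detection support:"):
            sas[-1]["replay"] &= s.endswith("Y")  # any SA without replay protection clears it
    return sas
def audit(sa):
    """Findings a defender would want flagged for one interface's SA block."""
    findings = []
    if weak := sorted(sa["transforms"] & WEAK):
        findings.append("weak transform: " + " ".join(weak))
    if not sa["replay"]:
        findings.append("replay detection disabled")
    if sa["send_err"] or sa["recv_err"]:
        findings.append(f"errors send={sa['send_err']} recv={sa['recv_err']}")
    return findings
```

Run `audit()` over each block returned by `parse_ipsec_sa()`; on the sample both interfaces are flagged for esp-3des and FastEthernet0/0 additionally for its one send error.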

Thanks again to all who posted ideas.

I did a drawing from all the people who contributed, and the winner of the 50 rack tokens to our preferred rack vendor Graded Labs goes to Nick! Congratulations Nick, please email me privately and send me the email address that you use for your INE account, and I will have the tokens credited to your account. Again, thanks to all for all your contributions!

Keep up the great studies, hang in there, and never surrender.

P.S.  Bob says “thank you”  ;)

Best wishes,

Keith
