
iscw challenge lab 3-11

liven Member Posts: 918
there are 4 devices connected by serial links and also by fast eth to simulate a wan cloud.


Supposed to configure VTI vpns that are preferred over the vpns on the serial links....

besides using the protect on the VTIs is there any way to make traffic "prefer" the vti vpns over say a site to site ipsec tunnel?

Has anyone done this lab? Am I reading too much into it?
encrypt the encryption, never mind my brain hurts.

Comments

  • networker050184 Mod Posts: 11,962
    I don't remember this lab exactly, but you use the metric of your routing protocol or statics with higher/lower AD to prefer one route over another. Basic routing, don't put too much into it.
    An expert is a man who has made all the mistakes which can be made.
  • jason_lunde Member Posts: 567
    I will get back to you. I was going to look at this lab tonight anyways.....more to follow
  • SysAdmin4066 Member Posts: 443
    That's my next lab. I think it's just simple routing; the real lesson here is the backup VTI.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • jason_lunde Member Posts: 567
    Did you guys get a routing table that looks like this on the routers? (This is just from R1.)

    172.17.0.0/16 is variably subnetted, 12 subnets, 2 masks
    D       172.17.34.4/32 [90/3193856] via 172.17.12.2, 00:05:09, Serial0/0
    D       172.17.34.3/32 [90/298268416] via 172.17.12.2, 00:04:56, Serial0/0
    D       172.17.34.0/24 [90/3193856] via 172.17.12.2, 00:05:09, Serial0/0
    D       172.17.23.2/32 [90/297756416] via 172.17.3.1, 00:05:11, Tunnel13
    D       172.17.23.3/32 [90/2681856] via 172.17.12.2, 00:05:32, Serial0/0
    D       172.17.23.0/24 [90/2681856] via 172.17.12.2, 00:05:11, Serial0/0
    D       172.17.4.0/24 [90/3321856] via 172.17.12.2, 00:05:08, Serial0/0
    D       172.17.3.0/24 [90/2809856] via 172.17.12.2, 00:05:11, Serial0/0
    D       172.17.2.0/24 [90/2297856] via 172.17.12.2, 00:05:11, Serial0/0

    What confuses me... it may be an easy answer and I'm just off my routing game... but why are the /32 routes getting stuck in there? The only thing advertised into EIGRP was:
    no auto
    network 172.17.0.0 0.0.255.255

    Shouldn't it just be getting the /24 routes like
    D 172.17.34.0/24 [90/3193856] via 172.17.12.2, 00:05:09, Serial0/0
    D 172.17.23.0/24 [90/2681856] via 172.17.12.2, 00:05:11, Serial0/0

    which are the P2P links between routers 2,3,and 4?

    Sorry if I am missing something easy :) Here's a diagram:
  • networker050184 Mod Posts: 11,962
    Look into PPP peer neighbor-route.
    An expert is a man who has made all the mistakes which can be made.
  • jason_lunde Member Posts: 567
    Look into PPP peer neighbor-route.

    dude.....thank you!
  • jason_lunde Member Posts: 567
    Ya, you were right, they did want the IPsec VTI tunnels preferred. I ended up having to mess with the tunnel interfaces' bandwidth and delay metrics to get them preferred over the serial links. I was referencing a Cisco article while doing it, and it basically said to make certain that by messing with those, you don't knock the other routes (serial links in this case) out of the topology table by way of the feasibility condition.
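    Added worked example (not from the thread or the lab portfolio): a small EIGRP classic-metric calculator that shows what "tweaking bandwidth and delay on the tunnel" has to achieve. It assumes the usual IOS interface defaults (serial 1544 kbps / 20000 us, loopback 5000 us, tunnel 9 kbps / 500000 us), which reproduce two metrics in the table above (2297856 and 297756416), and the tuned tunnel values are constructed to illustrate the feasibility-condition trade-off: the VTI becomes the successor while the serial path through R2 still stays in the topology table as a feasible successor.

```python
# EIGRP classic composite metric with the default K values (K1 = K3 = 1):
#   metric = 256 * (10^7 // min_bandwidth_kbps + sum(delay_us // 10))
# Interface values are assumed IOS defaults, not taken from the lab itself;
# TUNNEL_TUNED is a constructed example of "bandwidth 1544" + "delay 3000" on the VTI.

from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    bandwidth_kbps: int
    delay_us: int


SERIAL = Hop(1544, 20000)          # T1 serial interface defaults
LOOPBACK = Hop(8_000_000, 5000)    # loopback defaults
TUNNEL_DEFAULT = Hop(9, 500000)    # tunnel interface defaults: 9 kbps, 500 ms
TUNNEL_TUNED = Hop(1544, 30000)    # constructed: tunnel tuned to beat 2 serial hops


def eigrp_metric(path):
    """Composite metric for a path given as a sequence of Hops (IOS truncates 10^7/bw)."""
    min_bw = min(h.bandwidth_kbps for h in path)
    delay_tens = sum(h.delay_us // 10 for h in path)
    return 256 * (10_000_000 // min_bw + delay_tens)


def evaluate(tunnel):
    """R1 reaching R3's loopback: directly over the VTI to R3, or via the serial links through R2.

    Reports which path becomes the successor and whether the serial path still
    meets the feasibility condition (reported distance < feasible distance),
    i.e. whether it survives in the topology table as a feasible successor.
    """
    via_tunnel = eigrp_metric([tunnel, LOOPBACK])
    via_serial = eigrp_metric([SERIAL, SERIAL, LOOPBACK])
    serial_reported = eigrp_metric([SERIAL, LOOPBACK])  # R2's own metric to R3's loopback
    feasible_distance = min(via_tunnel, via_serial)
    return {
        "via_tunnel": via_tunnel,
        "via_serial": via_serial,
        "successor": "tunnel" if via_tunnel < via_serial else "serial",
        "serial_is_feasible_successor": serial_reported < feasible_distance,
    }


if __name__ == "__main__":
    print(eigrp_metric([SERIAL, LOOPBACK]))   # 2297856, as in the R1 table for 172.17.2.0/24
    print(evaluate(TUNNEL_DEFAULT))           # serial wins; untuned tunnel is far worse
    print(evaluate(TUNNEL_TUNED))             # tunnel wins, serial path stays a feasible successor
    print(evaluate(Hop(100000, 100)))         # tunnel wins, but serial path fails the feasibility condition
```

    Making the tunnel "too good" (the last case) is exactly the trap the Cisco article warns about: the serial route vanishes from the topology table and a tunnel failure means a full DUAL query instead of an instant switch to the feasible successor.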
  • liven Member Posts: 918
    Ya, you were right, they did want the IPsec VTI tunnels preferred. I ended up having to mess with the tunnel interfaces' bandwidth and delay metrics to get them preferred over the serial links. I was referencing a Cisco article while doing it, and it basically said to make certain that by messing with those, you don't knock the other routes (serial links in this case) out of the topology table by way of the feasibility condition.

    Did you use VTI tunnels for all 6 tunnels?
    encrypt the encryption, never mind my brain hurts.
  • jason_lunde Member Posts: 567
    liven wrote: »
    Did you use VTI tunnels for all 6 tunnels?

    I did 4 tunnels...over the fast Ethernet "wan" cloud:
    R1-->R2
    R1-->R3
    R4-->R2
    R4-->R3
  • cisco_trooper Member Posts: 1,441
    Perhaps I'm blind, but I don't see this lab. What resource are you using for these labs? I'm getting ready to embark on the ISCW.
  • jason_lunde Member Posts: 567
    We are referring to the Cisco ISCW lab portfolio. It is the challenge lab, 3-11, at the end of the IPsec section.
  • liven Member Posts: 918
    I did 4 tunnels...over the fast Ethernet "wan" cloud:
    R1-->R2
    R1-->R3
    R4-->R2
    R4-->R3

    Ok I feel dumb because this is definitely only 4 tunnels... However the tunnel from

    R1 -> R2
    R4 -> R3

    Are over the serial links...

    Or at least that is the only thing that makes sense to me.

    I am using VTI tunnels for those.

    I still need to tweak metrics to make the tunnels over the "WAN" cloud preferred.
    encrypt the encryption, never mind my brain hurts.
  • jason_lunde Member Posts: 567
    liven wrote: »
    Ok I feel dumb because this is definitely only 4 tunnels... However the tunnel from

    R1 -> R2
    R4 -> R3

    Are over the serial links...

    Or at least that is the only thing that makes sense to me.

    I am using VTI tunnels for those.

    I still need to tweak metrics to make the tunnels over the "WAN" cloud preferred.

    ya I did all the tunnels over the ethernet segment. I treated the serial links as dedicated leased lines.
  • networker050184 Mod Posts: 11,962
    ya I did all the tunnels over the ethernet segment. I treated the serial links as dedicated leased lines.

    That is what the lab is getting at. The serial connections are "leased lines" and do not need a tunnel. The Ethernet segment represents a "backup internet connection." All traffic should flow over the leased lines and only traverse the internet tunnels when the leased line goes down. Your routing protocol will be used to track the status of the leased line. When that relationship goes down, the traffic will take the only other alternate route, which is over the tunnel.
    An expert is a man who has made all the mistakes which can be made.