cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:07] Name
cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) Name
Line 447: Line 447:
 r2-spoke#ping 12.1.1.1</code> r2-spoke#ping 12.1.1.1</code>
   * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.   * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.
-<code>r2-spoke#show run int e 0/0+<code>r2-spoke#show run int g1
 Building configuration... Building configuration...
  
-Current configuration : 98 bytes+Current configuration : 138 bytes
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  ip address 12.1.1.2 255.255.255.0  ip address 12.1.1.2 255.255.255.0
- duplex auto+ negotiation auto 
 + no mop enabled 
 + no mop sysid
  crypto map svpn-map  crypto map svpn-map
 end</code> end</code>
   * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.   * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.
 <code>r2-spoke#show run | s crypto <code>r2-spoke#show run | s crypto
 +! Ignore the PKI cert info at the top.
 crypto ikev2 proposal rook-proposal  crypto ikev2 proposal rook-proposal 
  encryption aes-cbc-256  encryption aes-cbc-256
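Review bot: the comment added at the top of the `show run | s crypto` paste ("! Ignore the PKI cert info at the top.") asks the reader to skip output that should not be there in the first place; narrow the filter to the sections this step actually checks, for example `show run | s crypto ikev2` and `show run | s crypto map`, or cut the certificate chain out of the paste, so the block shows only the IKEv2 proposal, keyring, profile and map being verified. In the same hunk, "Lets verify" in the bullet above the interface output should read "Let's verify", and the interface output now reads GigabitEthernet1 while the bullet text is unchanged, which is fine, but the ping block above it is still shown with both revisions' `</code>` fragments run together on one line.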
Line 488: Line 491:
  permit ip host 12.1.1.1 host 12.1.1.2<code>  permit ip host 12.1.1.1 host 12.1.1.2<code>
   * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.   * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
-<code></code> +  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited. 
- +<code>2-spoke#conf t 
- +Enter configuration commands, one per line.  End with CNTL/Z. 
- +r2-spoke(config)#ip access-list extended castle-acl 
- +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2 
- +%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map 
- +%Please first remove the ACL from crypto map or remove the crypto map from the interface</code> 
- +  * This is the correct procedure to migrate the ACL entry to the end. 
 +<code>r2-spoke#conf t 
 +Enter configuration commands, one per line.  End with CNTL/Z. 
 +r2-spoke(config)#int g1  
 +r2-spoke(config-if)#no crypto map 
 +r2-spoke(config-if)# 
 +*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55) 
 +r2-spoke(config-if)# 
 +*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF 
 +r2-spoke(config-if)#ip access-list extended castle-acl 
 +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2 
 +r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code> 
 +  * Verify the ACL is correct. 
 +<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl 
 +ip access-list extended castle-acl 
 + 10 permit ip host 12.1.1.2 host 12.1.1.1</code>  
 +  * The ACL is now correct. Next, add the crypto map back on the interface. 
 +<code>r2-spoke(config-ext-nacl)#int g1 
 +r2-spoke(config-if)# crypto map svpn-map</code> 
 +  * Turn debugging off on the hub and spoke. 
 +<code>r1-hub#u all 
 +All possible debugging has been turned off</code> 
 +<code>r2-spoke#u all 
 +All possible debugging has been turned off</code> 
 +  * Test with a ping again from either the hub or spoke. 
 +<code>r1-hub#ping 12.1.1.2 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code> 
 +<code>r2-spoke#ping 12.1.1.1 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code> 
 +  * Success. Verify the crypto sa. 
 +<code>r1-hub#show crypto ikev2 sa  
 + IPv4 Crypto IKEv2  SA 
  
 +Tunnel-id Local                 Remote                fvrf/ivrf            Status 
 +1         12.1.1.1/500          12.1.1.2/500          none/none            READY  
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
 +      Life/Active Time: 86400/276 sec</code>
 +<code>r2-spoke#show crypto ikev2 sa
 + IPv4 Crypto IKEv2  SA 
  
-  * Packet Capture on r1-hub e0/0 interface+Tunnel-id Local                 Remote                fvrf/ivrf            Status  
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?800 |Lab-001-Overview}}\\ +1         12.1.1.2/500          12.1.1.1/500          none/none            READY   
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK 
 +      Life/Active Time: 86400/313 sec</code> 
 +  * One last check with Wireshark while pinging
 +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\ 
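Review bot: the fix procedure takes the more disruptive of the two options the router itself offers. The error text quoted in this hunk says "Please first remove the ACL from crypto map or remove the crypto map from the interface", and the walkthrough chooses `no crypto map` on g1, which the next log lines show tearing down IKE entirely ("%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF"); on a hub or a production spoke that drops every tunnel on the interface. The first option, building a corrected ACL under a new name, repointing the crypto map entry's match address at it, then deleting the old ACL, keeps the map applied, and the page should at least say why it did not take that path in the lab. Two smaller points in the same hunk: the bullet "This is the correct procedure to migrate the ACL entry to the end" does not describe what the commands do (entry 10 is removed and re-added at sequence 10 with source and destination swapped, so nothing moves to the end), and the pasted prompt `2-spoke#conf t` has lost its leading "r". Also, the context line above the hunk closes the ACL listing with `<code>` instead of `</code>`, which will swallow the following bullet into the code block when rendered.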
  
  
cisco/books/ccnp_300-730/ch3/001.1756660034.txt.gz · Last modified: by Name