Ever wondered who the kings of the CCIE Mountain in Cisco Land are?

To achieve 3 CCIE’s is a remarkable achievement. Although there are a handful of Quadruple CCIE , I would like to mention the following four. Let me know if you would add another and the reason.

Quadruple CCIE’s:

• Scott Morris – is very well known, not only for his training abilities, but also for his uber lab and his extraordinary resume. He recently joined the power house of CCIE training, Internetwork Expert. In addition to being a QUAD CCIE, Scott also holds CISSP, JNCIE, and since December 2009, a CCDE. The only thing left for Scott is the Cisco Architect.
• Marius Holmsen – distinguished himself by being the first person to acquire three CCIE certifications in one year.
• Petr Lapukhov – one of the few to acquire 4 CCIE certifications in less than 2 years, at intervals of 5/6 months. Petr from Siberia is my new hero. Sorry Batman. Truly amazing.

-

Quintuple CCIE’s:

• Brian Dennis – is definitely one of the top CCIE’s in my humble opinion. Besides having acquired 5 CCIE certifications, he has been a CCIE for more than 10 years. Brian is very well known for his brilliant ability to explain the most complicated technologies. When Brian talks, its just pure knowledge and experience!
• Tom Glennon – was the second person to acquire 5 CCIE certifications.

-

Sextupple CCIE’s (The Kings of the CCIE Mountain)

• Michael Purcell was the first person to acquire 6 CCIE certifications on the older tracks. Currently the only sextupple 10-year ccie.
• Roman Rodichev passed his 6th CCIE on the 28 July 2009 making him only the second person to have 6. HUGE archievement, for someone that not even 30 yet.
• Noritaka Tamehisa prefers doing a new CCIE track to recertify, since the drake is just to easy!
• Matthew White is the 4th person to showcase 6 CCIE certifications. He passed his last lab wireless on the 27th January 2010. He did 6 CCIE’s in less than 5 years.

-

I would also like to mention the following CCIE’s :

• Stuart Biggs – The creator of what most strive to obtain, deserves the necessary credit due to him.
• Terence Slattery – The Alpha CCIE.
• Jerzy Sliwinski – Has the coolest CCIE number.

This is how CISCO defines the ACL.

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.
They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router.

So now lets strip it down sentense by sentense.
1 – Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.
2 – They are generally used to allow outbound traffic
3 – and to limit inbound traffic in response to sessions that originate inside the router.

So STEP – 1 : It is used to define a session mean you should match atleast a layer 4 information to make reflexive ACL i.e.
permit udp any any eq domain

Can a reflexive ACL be like “permit ip any any”
probably not because it doesn’t have any Layer 4 information to match
or
probabally yes because even though you have not specified any layer 4 information but it will catch all laer 4 protocols within IP stack. we will check it with a set of test.

STEP – 2 : First reflexive ACL should allow a outbound filter to traffic

STEP – 3 : And after the reflexion it allows that flow only from outbound to inbound.

Now we will implement this ACL for below setup

(R4)1.1.1.1 ———– 1.1.1.2 (R1) 10.1.12.1 ———–10.1.12.2 (R2) 2.2.2.2

TASK : Allow http traffic from R2 loopback 2.2.2.2 to come in when R4 1.1.1.1 access it. all other http traffic from 2.2.2.2 should be blocked.

R1
!
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip access-list extended inboundfilters
permit icmp any any
evaluate tcptraffic
permit udp any any eq rip
ip access-list extended outboundfilters
permit icmp any any
permit tcp host 1.1.1.1 host 2.2.2.2 reflect tcptraffic
permit udp any any eq rip

After the connection is initiated by the R4 to ip address 2.2.2.2 to port 80 we will se a dynamic entry in ACL like below

R1#sh ip access-lists
Extended IP access list inboundfilters
10 permit icmp any any (35 matches)
20 evaluate tcptraffic
30 permit udp any any eq rip (60 matches)
Extended IP access list outboundfilters
10 permit icmp any any (5 matches)
20 permit tcp host 1.1.1.1 host 2.2.2.2 reflect tcptraffic (24 matches)
30 permit udp any any eq rip
Reflexive IP access list tcptraffic
permit tcp host 2.2.2.2 eq www host 1.1.1.1 eq 20688 (4 matches) (time left 297)

See the time out is by default set to 300 second which can be change.

thanks
CiscoGeek

lets say for example your requirement is to allow access to network via gateway router after user has been authenticated to router.

1.1.1.1 (R1) 10.1.12.1 —————– 10.1.12.2 (R2) 2.2.2.2

Task : Allow user 1.1.1.1 to access 2.2.2.2 once he is authenticated to router R2

R1

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
!
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary
R2

!STEP – 1 Configure a password to allow telnet access to RTR
enable secret 5 $1$RCgL$EOtOYe8CTDnJM16V7SVOi1

!STEP – 2 Create a username and password for authentication
username test password 0 test
!STEP – 3 authentication timeout is 10 minute for this user
username test autocommand access-enable host timeout 10
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
!STEP – 4 Apply ACL to incoming interface
 ip access-group 101 in
!
router rip
 version 2
 network 2.0.0.0
 network 10.0.0.0
 no auto-summary

!STEP – 5 Create a ACL which allows the telent from R1 IP address (Any) to R2 ip 2.2.2.2
access-list 101 permit tcp any host 2.2.2.2 eq telnet
!STEP – 6 Create a dynamic ACL entry to allow access from R1 IP address to R2 ip 2.2.2.2
access-list 101 dynamic testlist timeout 15 permit ip any host 2.2.2.2
line vty 0 4
!STEP – 7 Enable local username/password authentication for telnet
 login local

 lets test this setup with the ping from R1 to R2 loopback.
R1#ping 2.2.2.2

…..
Success rate is 0 percent (0/5)

No access to 2.2.2.2. Lets see what R2 dynamic ACL says.
R2#sh ip access-lists
Extended IP access list 101
    10 permit tcp any host 2.2.2.2 eq telnet 
    20 Dynamic testlist permit ip any host 2.2.2.2

Now lets do a telnet from R1 to 2.2.2.2 and than do a ping.

R1#telnet 2.2.2.2
Trying 2.2.2.2 … Open

User Access Verification

Username: test
Password:
[Connection to 2.2.2.2 closed by foreign host]
R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/42/104 ms

R2#sh ip access-lists
Time source is user configuration, 08:53:51.047 UTC Mon Apr 19 2010

Extended IP access list 101
    10 permit tcp any host 2.2.2.2 eq telnet (153 matches)
    20 Dynamic testlist permit ip any host 2.2.2.2
       permit ip host 10.1.12.1 host 2.2.2.2 (15 matches) (time left 595)

So when you did telnet from R1 to 2.2.2.2 and authenticated yourself R2 disconnected the session and created  a dynamic ACL entry for you to allow access to 2.2.2.2 for any protocol. which is proved after you are able to ping it.

It includes the software and hardware which is expected to work without the human intervention.

Embedded system is a terminology which basically points to RTOS [Real Time Operating system]

well knowing only this is not good enough.

It’s a core of machine automaton and work towards the luxury of human lives.

very good example of it a Water pump which fills your water tank before it gets empty without even telling you not a good obedient system who like it.

EMBEDDED SYSTEM DESIGN COURSE FROM IIT DELHI

interesting books : http://www.embedded.com/books

thanks

Ciscogeek

lets say for example you would like to do summary of below two routes

2003:1:0:1::/64

2003:1:0:11::/64

Note – During the summarization IPv6 remember it is hexadecimal value.

In my Router i am having this routes from R1

RSRack1R5#sh bgp ipv6 unicast | be Net
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64          2001:1:0:1234::1           0             0 100 i
*> 2003:1:0:11::/64        2001:1:0:1234::1           0             0 100 i

Now if you want check which summary will cover both the routes you can check it by doing this

RSRack1R5#sh bgp ipv6 unicast 2003:1::/64 longer-prefixes | be Ne
RSRack1R5#sh bgp ipv6 unicast 2003:1::/64 longer-prefixes

RSRack1R5#sh bgp ipv6 unicast 2003:1::/63 longer-prefixes
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64  2001:1:0:1234::1
0             0 100 i
RSRack1R5#sh bgp ipv6 unicast 2003:1::/62 longer-prefixes
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64  2001:1:0:1234::1
0             0 100 i
RSRack1R5#sh bgp ipv6 unicast 2003:1::/61 longer-prefixes
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64  2001:1:0:1234::1
0             0 100 i
RSRack1R5#sh bgp ipv6 unicast 2003:1::/60 longer-prefixes
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64  2001:1:0:1234::1
0             0 100 i
RSRack1R5#sh bgp ipv6 unicast 2003:1::/59 longer-prefixes
Network          Next Hop            Metric LocPrf Weight Path
*> 2003:1:0:1::/64  2001:1:0:1234::1
0             0 100 i
*> 2003:1:0:11::/64 2001:1:0:1234::1
0             0 100 i

Now as you can see /63 includes only first prefix. at the end you get /59 which permits both the prefix.
so by following this method of testing you can calculate which prefix are covered in which summary prefix.

finally today i got my CCIE lab running on Ubuntu 9.10 Desktop. it was a very hard way to get this up. i faced lot of issues about this. but at the end thanks to ubuntu team to make it very simple to install any software on linux. it is first time i am using linux for personal use.

i found ubuntu a very good tool.

My new system config : http://ciscogeek.files.wordpress.com/2010/03/ccielab.doc

AMD Quad X4 955 3.20 GHz, 4GB DDR3 Dual channel corsair RAM with heat protection.
ASUS M4A785T-M mother board with ATI Radeon HD4200 VGA+H-DVI Dual display

Ubuntu 9.10 – the Karmic Koala with GNS3 0.7 Latest.

My CCIE Lab file :

I will post a short note about how did i install it tomorrow because time to go to bed i have to reach office by 6:30 AM

Thanks

Ciscogeek

Lo0:1.1.1.1                                                                                          Lo0: 3.3.3.3

R1 config

!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ciscogeek address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.23.3
 set transform-set myset
 match address r13
!
interface FastEthernet0/0
 crypto map mymap
ip route 0.0.0.0 0.0.0.0 10.1.12.2

ip access-list extended r13
 permit ip host 1.1.1.1 host 3.3.3.3

R3 config

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ciscogeek address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set myset
 match address r13
!
interface FastEthernet0/0
 crypto map mymap
ip route 0.0.0.0 0.0.0.0 10.1.23.2

ip access-list extended r13
 permit ip host 3.3.3.3 host 1.1.1.1

successfull debug of this session while ping from 1.1.1.1 to 3.3.3.3

*Feb 11 21:05:51.823: ISAKMP (0:0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA
*Feb 11 21:05:51.823: ISAKMP: Created a peer struct for 10.1.12.1, peer port 500
*Feb 11 21:05:51.823: ISAKMP: New peer created peer = 0x660FFC5C peer_handle = 0×80000002
*Feb 11 21:05:51.827: ISAKMP: Locking peer struct 0x660FFC5C, refcount 1 for crypto_isakmp_process_block
*Feb 11 21:05:51.827: ISAKMP: local port 500, remote port 500
*Feb 11 21:05:51.827: insert sa successfully sa = 655CA8D4
*Feb 11 21:05:51.839: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 11 21:05:51.839: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Feb 11 21:05:51.843: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 11 21:05:51.847: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.847: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 11 21:05:51.847: ISAKMP (0:0): vendor ID is NAT-T v7
*Feb 11 21:05:51.847: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.847: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 11 21:05:51.851: ISAKMP:(0): vendor ID is NAT-T v3
*Feb 11 21:05:51.851: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.851: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 11 21:05:51.851: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 11 21:05:51.855: ISAKMP:(0):Looking for a matching key for 10.1.12.1 in default
*Feb 11 21:05:51.855: ISAKMP:(0): : success
*Feb 11 21:05:51.859: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
*Feb 11 21:05:51.859: ISAKMP:(0): local preshared key found
*Feb 11 21:05:51.859: ISAKMP : Scanning profiles for xauth …
*Feb 11 21:05:51.863: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Feb 11 21:05:51.863: ISAKMP:      encryption DES-CBC
*Feb 11 21:05:51.863: ISAKMP:      hash MD5
*Feb 11 21:05:51.867: ISAKMP:      default group 1
*Feb 11 21:05:51.867: ISAKMP:      auth pre-share
*Feb 11 21:05:51.867: ISAKMP:      life type in seconds
*Feb 11 21:05:51.871: ISAKMP:      life duration (VPI) of  0×0 0×1 0×51 0×80
*Feb 11 21:05:51.875: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 11 21:05:51.947: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 11 21:05:51.947: ISAKMP (0:0): vendor ID is NAT-T v7
*Feb 11 21:05:51.947: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.951: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 11 21:05:51.951: ISAKMP:(0): vendor ID is NAT-T v3
*Feb 11 21:05:51.951: ISAKMP:(0): processing vendor id payload
*Feb 11 21:05:51.951: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 11 21:05:51.955: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 11 21:05:51.959: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 11 21:05:51.959: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Feb 11 21:05:51.967: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 11 21:05:51.967: ISAKMP:(0): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Feb 11 21:05:51.971: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 11 21:05:51.975: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Feb 11 21:05:52.215: ISAKMP (0:0): received packet from 10.1.12.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Feb 11 21:05:52.215: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 11 21:05:52.219: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Feb 11 21:05:52.223: ISAKMP:(0): processing KE payload. message ID = 0
*Feb 11 21:05:52.287: ISAKMP:(0): processing NONCE payload. message ID = 0
*Feb 11 21:05:52.291: ISAKMP:(0):Looking for a matching key for 10.1.12.1 in default
*Feb 11 21:05:52.291: ISAKMP:(0): : success
*Feb 11 21:05:52.295: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
*Feb 11 21:05:52.295: ISAKMP:(1001): processing vendor id payload
*Feb 11 21:05:52.299: ISAKMP:(1001): vendor ID is Unity
*Feb 11 21:05:52.299: ISAKMP:(1001): processing vendor id payload
*Feb 11 21:05:52.299: ISAKMP:(1001): vendor ID is DPD
*Feb 11 21:05:52.299: ISAKMP:(1001): processing vendor id payload
*Feb 11 21:05:52.303: ISAKMP:(1001): speaking to another IOS box!
*Feb 11 21:05:52.303: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 11 21:05:52.303: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Feb 11 21:05:52.311: ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb 11 21:05:52.311: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 11 21:05:52.315: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Feb 11 21:05:52.511: ISAKMP (0:1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Feb 11 21:05:52.511: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 11 21:05:52.515: ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Feb 11 21:05:52.515: ISAKMP:(1001): processing ID payload. message ID = 0
*Feb 11 21:05:52.519: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.12.1
        protocol     : 17
        port         : 500
        length       : 12
*Feb 11 21:05:52.519: ISAKMP:(1001):: peer matches *none* of the profiles
*Feb 11 21:05:52.519: ISAKMP:(1001): processing HASH payload. message ID = 0
*Feb 11 21:05:52.523: ISAKMP:received payload type 17
*Feb 11 21:05:52.523: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 655CA8D4
*Feb 11 21:05:52.523: ISAKMP:(1001):SA authentication status: authenticated
*Feb 11 21:05:52.527: ISAKMP:(1001): Process initial contact, bring down existing phase 1 and 2 SA’s with local 10.1.23.3 remote 10.1.12.1 remote port 500
*Feb 11 21:05:52.527: ISAKMP:(1001):SA authentication status:
        authenticated
*Feb 11 21:05:52.527: ISAKMP:(1001):SA has been authenticated with 10.1.12.1
*Feb 11 21:05:52.531: ISAKMP: Trying to insert a peer 10.1.23.3/10.1.12.1/500/,  and inserted successfully 660FFC5C.
*Feb 11 21:05:52.531: ISAKMP:(1001):IKE_DPD is enabled, initializing timers
*Feb 11 21:05:52.531: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 11 21:05:52.535: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Feb 11 21:05:52.587: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 11 21:05:52.587: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.23.3
        protocol     : 17
        port         : 500
        length       : 12
*Feb 11 21:05:52.591: ISAKMP:(1001):Total payload length: 12
*Feb 11 21:05:52.595: ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb 11 21:05:52.595: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 11 21:05:52.595: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 11 21:05:52.603: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 11 21:05:52.603: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 11 21:05:52.783: ISAKMP (0:1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
*Feb 11 21:05:52.783: ISAKMP: set new node 550967427 to QM_IDLE
*Feb 11 21:05:52.787: ISAKMP:(1001): processing HASH payload. message ID = 550967427
*Feb 11 21:05:52.787: ISAKMP:(1001): processing SA payload. message ID = 550967427
*Feb 11 21:05:52.787: ISAKMP:(1001):Checking IPSec proposal 1
*Feb 11 21:05:52.791: ISAKMP: transform 1, ESP_3DES
*Feb 11 21:05:52.791: ISAKMP:   attributes in transform:
*Feb 11 21:05:52.791: ISAKMP:      encaps is 1 (Tunnel)
*Feb 11 21:05:52.791: ISAKMP:      SA life type in seconds
*Feb 11 21:05:52.791: ISAKMP:      SA life duration (basic) of 3600
*Feb 11 21:05:52.791: ISAKMP:      SA life type in kilobytes
*Feb 11 21:05:52.795: ISAKMP:      SA life duration (VPI) of  0×0 0×46 0×50 0×0
*Feb 11 21:05:52.795: ISAKMP:      authenticator is HMAC-MD5
*Feb 11 21:05:52.799: ISAKMP:(1001):atts are acceptable.
*Feb 11 21:05:52.799: ISAKMP:(1001): processing NONCE payload. message ID = 550967427
*Feb 11 21:05:52.799: ISAKMP:(1001): processing ID payload. message ID = 550967427
*Feb 11 21:05:52.803: ISAKMP:(1001): processing ID payload. message ID = 550967427
*Feb 11 21:05:52.803: ISAKMP:(1001): asking for 1 spis from ipsec
*Feb 11 21:05:52.803: ISAKMP:(1001):Node 550967427, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 11 21:05:52.807: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Feb 11 21:05:52.835: ISAKMP:(1001): Creating IPSec SAs
*Feb 11 21:05:52.835:         inbound SA from 10.1.12.1 to 10.1.23.3 (f/i)  0/ 0 (proxy 1.1.1.1 to 3.3.3.3)
*Feb 11 21:05:52.835:         has spi 0x6D5B74BD and conn_id 0
*Feb 11 21:05:52.835:         lifetime of 3600 seconds
*Feb 11 21:05:52.835:         lifetime of 4608000 kilobytes
*Feb 11 21:05:52.835:         outbound SA from 10.1.23.3 to 10.1.12.1 (f/i) 0/0  (proxy 3.3.3.3 to 1.1.1.1)
*Feb 11 21:05:52.839:         has spi  0x907C7B40 and conn_id 0
*Feb 11 21:05:52.839:         lifetime of 3600 seconds
*Feb 11 21:05:52.839:         lifetime of 4608000 kilobytes
*Feb 11 21:05:52.843: ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 11 21:05:52.843: ISAKMP:(1001):Node 550967427, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Feb 11 21:05:52.843: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Feb 11 21:05:53.119: ISAKMP (0:1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
*Feb 11 21:05:53.119: ISAKMP:(1001):deleting node 550967427 error FALSE reason “QM done (await)”
*Feb 11 21:05:53.123: ISAKMP:(1001):Node 550967427, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 11 21:05:53.123: ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

if you use metric command during ospf redistribution in BGP where does it sets the metric.

1 – all ospf route will have metric specified

2 – All connected interface subnet will have metric 0

R2——R3

\   /

R4

R2(config-router)#do sh run | be r o
router ospf 100
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 redistribute ospf 100 metric 100
 neighbor 10.1.23.3 remote-as 123
 neighbor 10.1.23.3 next-hop-self
 neighbor 10.1.24.4 remote-as 4
 no auto-summary

R3#sh run | be r o
router ospf 100
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 redistribute ospf 100 metric 110
 neighbor 10.1.23.2 remote-as 123
 neighbor 10.1.23.2 next-hop-self
 neighbor 10.1.34.4 remote-as 4
 no auto-summary

now see R4 routing table and check that R2′s connected interface 10.1.12.0/24 is coming with metric 0 from R2 but from R3 it is having metric of 110.

check that R3′s connected interface 10.1.13.0/24 is coming with metric 0 from R3 but from R2 it is having metric of 100.

R4#sh ip bgp
BGP table version is 28, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  1.1.1.1/32       10.1.34.3              110             0 123 ?
*>                  10.1.24.2              100             0 123 ?
*  2.2.2.2/32       10.1.34.3              110             0 123 ?
*>                  10.1.24.2                0             0 123 ?
*> 3.3.3.3/32       10.1.34.3                0             0 123 ?
*                   10.1.24.2              100             0 123 ?
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*  10.1.12.0/24     10.1.34.3              110             0 123 ?
*>                  10.1.24.2                0             0 123 ?
*> 10.1.13.0/24     10.1.34.3                0             0 123 ?
*                   10.1.24.2              100             0 123 ?
*  10.1.23.0/24     10.1.34.3                0             0 123 ?
*>                  10.1.24.2                0             0 123 ?
r  10.1.24.0/24     10.1.34.3              110             0 123 ?
r>                  10.1.24.2                0             0 123 ?
r> 10.1.34.0/24     10.1.34.3                0             0 123 ?
r                   10.1.24.2              100             0 123 ?

2 way of doing it

A – on interface

 B – IN a area

A – Interface : How to enable ospf authentication in a interface

enable ospf auth in interface

ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

What is SPI? Security Parameter Index and it should be same both routers.

What is MD5? a 32Bit HEX no which will be used as authentication

Configuration example

R1 interface Serial1/1

 ipv6 address FE80::1:1 link-local

ipv6 address 2001:13::1/64

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF R3

interface Serial1/2

ipv6 address FE80::3:3 link-local

ipv6 address 2001:13::3/64

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

R1(config-if)#do sh ipv ospf int s1/1

Serial1/1 is up, line protocol is up

Link Local Address FE80::1:1, Interface ID 7

Area 0, Process ID 1, Instance ID 0, Router ID 150.1.1.1

MD5 Authentication SPI 500, secure socket state UP (errors: 0)

Adjacent with neighbor 150.1.3.3

Suppress hello for 0 neighbor(s)

B – In a Area

ipv6 router ospf 1

area 0 authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF

Rack1R1#sh ipv ospf | in SPI|Are

Area BACKBONE(0)

MD5 Authentication, SPI 256

Thanks

Ciscogeek