WEBVTT

00:01.060 --> 00:01.600
All right.

00:02.590 --> 00:10.240
Before we talk about Easy VPN Enhanced, the newer version of it, we need to talk about this.

00:11.880 --> 00:13.860
Virtual tunnel interface, a special type of.

00:20.270 --> 00:20.750
Called.

00:25.530 --> 00:26.880
DVTI.

00:30.420 --> 00:31.590
The D stands for.

00:38.260 --> 00:40.330
Dynamic virtual tunnel interface.

00:42.680 --> 00:44.630
What is the dynamic virtual tunnel interface?

00:44.720 --> 00:47.660
Until now we have seen static virtual tunnel interfaces.

00:48.620 --> 00:50.570
Well before that, we saw what tunnels were.

00:50.600 --> 00:50.980
Right?

00:52.640 --> 00:54.530
How would you configure a tunnel?

01:01.180 --> 01:02.530
Create a tunnel interface.

01:05.550 --> 01:06.760
They'll have something like this.

01:06.780 --> 01:07.980
This will be your tunnel, right?

01:12.120 --> 01:14.520
You go here to R1, you'd say something like this.

01:15.090 --> 01:16.920
Tunnel zero Interface Tunnel zero.

01:21.240 --> 01:21.890
Tunnel source.

01:21.900 --> 01:22.980
The public address.

01:24.750 --> 01:26.790
150 112.1.

01:27.920 --> 01:29.000
Tunnel destination.

01:32.100 --> 01:34.080
151, not the remote address.

01:34.440 --> 01:38.010
And you could also specify the IP address.

01:38.900 --> 01:41.210
Is 192.168.1.1.

01:42.500 --> 01:42.750
Correct.

01:43.640 --> 01:44.510
You would do that.

01:45.620 --> 01:48.200
Then on the other side, this is a GRE, a simple GRE.

01:53.200 --> 01:54.070
Do the same here.

01:54.080 --> 01:57.770
This will be 1.2 and source and destination would be the reverse.

01:58.830 --> 02:00.390
So from the other side.

02:06.900 --> 02:08.550
This would be your source and destination.

02:10.110 --> 02:11.600
Right to change the mode.

02:11.610 --> 02:15.750
You'll just go tunnel mode IPsec IPv4 and protect it using tunnel protection.

02:15.780 --> 02:17.670
That is not the main point right now.

02:18.000 --> 02:24.120
What I want to explain is this tunnel that you have, if you're using it as a static tunnel and you

02:24.120 --> 02:24.680
just do that.

02:31.390 --> 02:31.940
IPsec.

02:31.960 --> 02:32.830
IPv4.

02:32.950 --> 02:37.570
Since you've converted it into an SVTI, you would also require what? Tunnel protection.

02:39.260 --> 02:39.560
AP.

02:40.960 --> 02:43.630
Because now you won't have the header anymore.

02:43.660 --> 02:44.470
Anymore.

02:44.680 --> 02:46.350
So you need these two commands to.

02:47.890 --> 02:50.830
To use the SB as a header or a.

02:53.580 --> 02:58.080
For the ESPN says you're starting your IPCC.

02:59.830 --> 03:02.050
Now if you have these two.

03:03.190 --> 03:04.210
Working like that.

03:05.270 --> 03:05.660
It's fine.

03:05.660 --> 03:06.020
This is an.

03:07.620 --> 03:08.010
Right.

03:08.580 --> 03:09.250
Well and good.

03:09.270 --> 03:11.640
I'll try to use this in my VPN also.

03:11.910 --> 03:13.650
But do you remember Easy VPN?

03:13.680 --> 03:14.970
There was one problem.

03:16.930 --> 03:17.920
What was the problem with these?

03:20.420 --> 03:20.900
I get it.

03:21.410 --> 03:22.820
I did not know the IP address.

03:22.820 --> 03:23.210
Of what?

03:23.240 --> 03:24.350
Of the other endpoints.

03:26.110 --> 03:30.340
I did not know the IP address of the other endpoint, so that means I don't have a tunnel destination

03:30.340 --> 03:31.420
First problem.

03:31.990 --> 03:33.250
I don't have a tunnel destination.

03:34.150 --> 03:37.060
Apart from that, there is also another thing.

03:37.820 --> 03:38.450
What is that?

03:38.450 --> 03:41.150
Let's say I have two different departments.

03:41.420 --> 03:42.860
One is sales.

03:42.890 --> 03:43.760
One is IT.

03:45.380 --> 03:47.090
One is sales and one is IT.

03:47.780 --> 03:51.530
Both of them say, for example, when a sales guy logs in from home.

03:57.550 --> 03:59.050
I believe in here.

03:59.470 --> 03:59.890
Interesting.

03:59.980 --> 04:02.770
There was interesting traffic based on the tunnel IP address.

04:02.800 --> 04:07.810
The source in the routing table, whatever is going through that interface goes through the tunnel.

04:12.940 --> 04:14.320
You know, like, let's do this first.

04:14.710 --> 04:15.730
Let's go to R1.

04:17.140 --> 04:18.210
Copy this.

04:27.980 --> 04:30.620
Interface Tunnel zero, IP address 192.

04:36.540 --> 04:38.240
Tunnel source 20.

04:39.390 --> 04:40.320
Tunnel destination.

04:41.760 --> 04:42.180
This part.

04:42.210 --> 04:42.930
We didn't have.

04:44.490 --> 04:44.870
It's not.

04:45.960 --> 04:49.530
Change the tunnel mode because then I would require tunnel protection.

04:51.630 --> 04:53.040
So I'll just use.

04:56.400 --> 04:57.190
The more I.

05:08.630 --> 05:09.210
Of the more.

05:12.000 --> 05:12.430
GRE.

05:13.780 --> 05:13.960
I.

05:15.920 --> 05:17.210
No tunnel protection.

05:22.780 --> 05:23.890
I will not use any protection.

05:23.890 --> 05:28.300
I'll just create a normal tunnel and make sure that one side can ping the.

05:29.840 --> 05:30.890
How does the ping happen?

05:30.890 --> 05:32.780
Because, see, this is important.

05:32.810 --> 05:37.940
When you go to your routing table, you see that you have that address, you have that source address

05:37.940 --> 05:42.080
in your routing table, whatever IP address that you specified that address in your routing.

05:43.890 --> 05:49.260
Anything that goes through the tunnel, it will go to the running configuration, use the source and

05:49.260 --> 05:53.160
destination as the public header and take it to the other side.

05:53.840 --> 05:55.010
A simple, static tunnel.

05:56.310 --> 05:56.510
Right.

05:56.730 --> 05:59.070
The problem imagine now with.

06:01.390 --> 06:02.440
With your.

06:04.100 --> 06:06.080
Easy VPN is okay.

06:06.080 --> 06:10.460
I understand that I have one say sales guy.

06:10.490 --> 06:12.570
I'm giving sales people the address from the pool.

06:12.580 --> 06:14.330
192.168.1.0.

06:15.590 --> 06:16.400
Marketing.

06:16.400 --> 06:17.870
I'm not giving them 1.0.

06:17.870 --> 06:21.320
I'm giving them 2.0, 192.168.2.

06:21.320 --> 06:25.040
So I can differentiate that these are sales people and these are marketing people.

06:26.280 --> 06:29.190
Hey, where am I making that differentiating section here?

06:29.190 --> 06:30.240
Let's say this is the server.

06:31.140 --> 06:33.090
Let's say R1 is the VPN server.

06:34.650 --> 06:38.700
Does that mean if I use IP address 192.168.1.1,

06:38.880 --> 06:42.030
Does that mean it cannot communicate to, for example, the other endpoint?

06:42.030 --> 06:44.070
I'll give it 2.1 or 3.1.

06:45.270 --> 06:47.010
Right if it's good.

06:47.010 --> 06:50.820
I'm actually trying to say is give me a second.

06:50.880 --> 06:51.030
Let me.

06:59.070 --> 06:59.520
There you go.

07:00.150 --> 07:06.180
So in VPN, if you remember the other end point of the tunnel, whatever you specify.

07:06.990 --> 07:08.040
Is given by whom?

07:08.550 --> 07:10.110
The server pushes it down.

07:11.570 --> 07:12.470
It pushes it down, right?

07:12.470 --> 07:16.940
So yesterday we pushed down 192.168.1.10. Today,

07:16.940 --> 07:22.250
let's push out 1.1, for example, or 1.10 to the other endpoint.

07:22.400 --> 07:23.030
Okay.

07:23.060 --> 07:25.640
My endpoint is also 192.168.1.10.

07:25.640 --> 07:27.980
So I can communicate to each other to the other side.

07:28.520 --> 07:35.000
What if, what if now the IT guy logs in? When the IT guy logs in,

07:35.000 --> 07:36.770
I don't push out 1.10.

07:36.770 --> 07:37.340
I will push out.

07:37.340 --> 07:37.820
What?

07:40.290 --> 07:40.700
Two that.

07:42.310 --> 07:46.630
The problem that will happen in that case is what is my IP address?

07:46.750 --> 07:47.530
1.1.

07:47.530 --> 07:48.820
The other end point is what?

07:48.940 --> 07:49.750
2.1.

07:50.380 --> 07:54.520
Both ends of the tunnel will be at different addresses, different subnets, so they would not be able

07:54.520 --> 07:55.720
to communicate to each other.

07:58.470 --> 07:58.770
Right.

08:02.150 --> 08:03.650
Do you understand what I'm trying to say?

08:04.190 --> 08:07.010
I'll push down the other end point of the other end point.

08:07.040 --> 08:09.470
IP address is pushed down from the server.

08:09.470 --> 08:10.400
From the pool.

08:11.380 --> 08:12.070
For sales.

08:12.070 --> 08:15.400
I pushed down 192.168.2.0.

08:15.700 --> 08:19.240
For marketing, I pushed down 192.168.3.0.

08:20.080 --> 08:20.980
What does that mean?

08:20.980 --> 08:27.610
That means my endpoint IP address cannot be constant, cannot be static because I'm not only pushing

08:27.610 --> 08:32.080
down for sales, I'm also pushing down for I'm pushing down different subnet addresses.

08:33.310 --> 08:33.690
For some.

08:33.700 --> 08:34.690
Sometimes I'm giving out.

08:34.720 --> 08:37.090
2.0, 3.0, 4.0, 5.0.

08:37.090 --> 08:40.900
That means this side, this end of the tunnel cannot have a static IP address.

08:41.780 --> 08:43.040
Then what can it have?

08:43.980 --> 08:48.240
If it cannot have a static IP address, it can have something we call it.

08:50.660 --> 08:55.340
Give this address using your, go to interface Tunnel zero, not IP address.

08:55.340 --> 08:57.580
We call it IP unnumbered.

09:00.690 --> 09:02.340
It's called IP unnumbered.

09:02.340 --> 09:05.190
And then you have to specify the IP address of an interface.

09:05.190 --> 09:06.960
Now, this interface can be anything.

09:07.740 --> 09:12.450
It does not make any difference at all what this interface is, right?

09:12.450 --> 09:17.600
It could be I could create a loopback, I could give it any address.

09:17.610 --> 09:18.180
IP address.

09:18.180 --> 09:19.650
1.1.1.1.

09:24.310 --> 09:24.580
Right.

09:24.580 --> 09:27.910
So when I go to my interface Tunnel zero, I could say IP unnumbered.

09:30.400 --> 09:31.030
It doesn't have an.

09:32.990 --> 09:33.560
I'll explain.

09:34.840 --> 09:39.130
Now, if you see your show IP interface brief, you'll see your tunnel is up.

09:40.780 --> 09:45.130
The method that you gave the IP address is not actually TFTP.

09:45.160 --> 09:46.960
It means you have not done it manually.

09:47.380 --> 09:49.090
The system generated it for.

09:50.100 --> 09:50.930
For this interface.

09:51.280 --> 09:57.480
If you check your show run interface Tunnel zero, sorry, show interface Tunnel zero, you'll

09:57.480 --> 10:02.730
see that it says interface is unnumbered, meaning interface does not have an IP address.

10:02.760 --> 10:04.740
It is borrowing the address of what?

10:05.940 --> 10:06.720
Loopback zero.

10:07.140 --> 10:09.220
Why would it need to borrow the address?

10:09.270 --> 10:10.770
It doesn't borrow the address.

10:10.770 --> 10:18.420
Actually, what it borrows Is it because if you don't have an IP right, this tunnel has to be IP tunnel.

10:18.780 --> 10:21.690
Basically, the IP stack on this tunnel should be up.

10:23.120 --> 10:24.770
Otherwise it won't be able to communicate.

10:26.200 --> 10:26.500
Right.

10:26.500 --> 10:30.040
So but you also have to make sure it doesn't have a static IP address.

10:30.310 --> 10:33.100
IP unnumbered does what from loopback zero.

10:33.100 --> 10:38.130
It takes the IP stack so that it can have IP functions of this tunnel.

10:39.560 --> 10:40.400
Just the stack.

10:40.790 --> 10:42.770
The IP address is not used at all.

10:43.040 --> 10:45.770
There is a shocking thing that you'll see in the routing table.

10:47.090 --> 10:49.430
If you go right now, show IP route.

10:51.080 --> 10:52.730
You see that the address?

10:52.730 --> 10:53.810
The tunnel is not here.

10:56.980 --> 10:57.700
From here.

10:57.700 --> 10:58.780
You don't see a tunnel.

11:00.680 --> 11:01.790
It's completely empty.

11:02.360 --> 11:03.800
Then how do you communicate?

11:05.700 --> 11:07.080
The question is, how do you communicate?

11:08.370 --> 11:08.940
Empty, right?

11:08.970 --> 11:10.110
You don't see anything here.

11:10.650 --> 11:14.790
The way you communicate is you use static routes.

11:15.750 --> 11:20.340
So I could say 192.168.1.3.

11:22.770 --> 11:23.610
Is from tunnel.

11:28.620 --> 11:33.630
In the routing table we use unnumbered because unnumbered is not an IP address.

11:33.900 --> 11:36.400
It doesn't put that information in the routing table.

11:36.420 --> 11:39.410
You have to manually go in there and tell him, okay.

11:39.420 --> 11:42.570
192.168.1.3 is reachable from tunnel zero.

11:42.600 --> 11:47.940
I could also later tell him 192.168., let's say, 2.3.

11:50.370 --> 11:51.480
Is reachable from tunnel.

11:56.510 --> 11:58.270
The other problem is with the destination.

12:00.380 --> 12:01.460
There's two problems.

12:01.700 --> 12:02.060
The source.

12:02.660 --> 12:03.800
The source is fixed.

12:03.830 --> 12:04.760
There's two.

12:05.060 --> 12:05.690
There's one.

12:09.090 --> 12:10.020
Is two problems.

12:10.050 --> 12:13.140
One problem is this destination is not there anymore.

12:13.530 --> 12:15.720
That is not the problem I'm solving right now.

12:16.410 --> 12:17.550
I don't know the destination.

12:17.550 --> 12:18.000
Right.

12:18.090 --> 12:19.890
That is not the problem I'm solving right now.

12:19.890 --> 12:22.030
The problem that I'm solving right now is this part.

12:22.050 --> 12:23.250
The unnumbered part.

12:24.030 --> 12:24.930
IP address part.

12:25.970 --> 12:27.020
What is that problem?

12:27.260 --> 12:33.050
The problem is that the other end point of the tunnel will not always be on the same subnet.

12:33.740 --> 12:35.960
Sometimes it will be using 1.0.

12:36.200 --> 12:38.360
Some other times it will be using 2.0.

12:38.810 --> 12:40.940
Even yesterday it wasn't like it was.

12:40.940 --> 12:43.820
123.1.2.2 at one.

12:44.730 --> 12:47.220
192 still working.

12:47.850 --> 12:48.600
It wasn't.

12:49.580 --> 12:49.880
Buzzer.

12:50.750 --> 12:52.250
That was a crypto map, remember?

12:52.280 --> 12:53.930
That was not a tunnel interface.

12:55.640 --> 12:56.690
There was a crypto map.

12:56.720 --> 12:59.960
It did not have a tunnel source and destination for a tunnel to work.

12:59.990 --> 13:00.800
It's an interface.

13:00.800 --> 13:02.300
Think of this as an interface.

13:03.780 --> 13:04.650
It's a normal interface.

13:04.650 --> 13:06.630
Both endpoints should be the same subnet, right?

13:06.660 --> 13:10.170
What I'm doing from this side is I'm completely removing the IP address part.

13:10.590 --> 13:12.660
This side does not have an IP address.

13:13.050 --> 13:18.120
So when you go inside the routing table, you will not find this route because you don't have the IP.

13:18.840 --> 13:20.100
This tunnel does not have an IP.

13:20.130 --> 13:25.560
So you have to manually go in there and tell him, listen, if you want to go to 192.168.1. anything,

13:25.560 --> 13:28.710
1.3, your next hop is through the tunnel.

13:28.950 --> 13:33.600
You also tell him if you want to go to 2.3, your next is from where?

13:35.130 --> 13:36.990
Now, there is no 2.3 right now.

13:37.650 --> 13:39.030
No one has 2.3.

13:39.060 --> 13:41.580
But what I could also do is I could create a loopback here.

13:41.610 --> 13:42.780
Give it what address?

13:48.400 --> 13:48.610
That.

13:49.300 --> 13:54.070
So when I send a ping from here to 2.3, it would go through the tunnel because I'm telling it to go

13:54.070 --> 13:54.790
through the tunnel.

13:55.570 --> 13:56.920
It goes to the other point.

13:56.950 --> 14:00.610
The other end point recalculates and reaches what?

14:02.610 --> 14:02.760
The.

14:04.200 --> 14:05.490
Let's first try the first one.

14:06.420 --> 14:10.830
If I can ping 192.168.1.3.

14:14.380 --> 14:15.160
Cannot right now.

14:16.570 --> 14:17.710
Show IP Interface Brief.

14:19.450 --> 14:26.440
So interface down I'm using IP unnumbered my source is this my destination?

14:26.440 --> 14:28.480
Is this from here?

14:28.480 --> 14:29.170
Let's check.

14:42.130 --> 14:42.940
To be able to go.

14:45.480 --> 14:45.810
Ping.

14:46.500 --> 14:48.960
192.168.1.3.

14:49.780 --> 14:50.380
Yes.

14:52.650 --> 14:54.960
The problem that would occur is what source does it use?

14:57.030 --> 14:58.260
When it goes out from the tunnel.

14:58.260 --> 14:59.370
What source does it use?

14:59.970 --> 15:01.530
It doesn't have a source, right?

15:03.680 --> 15:09.980
When it needs to go, it needs to have at least a source address so that the other guy also knows what

15:09.980 --> 15:11.190
this guy is coming from.

15:11.210 --> 15:15.320
Right now, the source that it's using, if you check, we have Wireshark running.

15:15.900 --> 15:17.400
The source that it would use.

15:17.400 --> 15:17.630
Right.

15:17.640 --> 15:19.950
Because this is not an IP, right?

15:19.950 --> 15:20.940
It's unnumbered.

15:21.120 --> 15:21.930
So.

15:22.980 --> 15:23.730
Let's check.

15:26.000 --> 15:27.500
What is the source that is using?

15:30.120 --> 15:31.890
The source that is using is 1.1.

15:31.890 --> 15:33.900
But which 1.1 is this?

15:34.530 --> 15:35.850
Is this the tunnel IP?

15:35.880 --> 15:37.110
It's not the tunnel IP.

15:38.010 --> 15:38.700
It's a loopback.

15:40.340 --> 15:42.900
The borrowed loopback's address.

15:44.210 --> 15:45.860
It's using the loopback address to go.

15:45.890 --> 15:50.810
The problem what is happening on the other side is the other side does not know where 1.1 is.

15:51.940 --> 15:53.810
R3 doesn't know where 1.1 is.

15:53.810 --> 15:54.650
So how would you do it?

15:54.650 --> 15:55.430
You would have.

15:56.300 --> 15:58.790
Its static route pointing towards.

16:01.820 --> 16:02.160
Only three.

16:04.200 --> 16:05.400
For this to be successful.

16:11.190 --> 16:11.580
Not.

16:11.580 --> 16:14.010
Not this address to be rude.

16:17.040 --> 16:17.610
From tunnel.

16:22.970 --> 16:26.570
You're basically guiding this traffic through the tunnel using static routes.

16:26.780 --> 16:31.490
The important point here to note is I did not use an IP address from this side.

16:33.050 --> 16:39.170
To counter that problem, I needed to add a static route telling R2 about the other endpoints.

16:40.650 --> 16:41.610
What are behind.

16:41.640 --> 16:43.050
How does this help me?

16:43.080 --> 16:49.950
This helps me in a way that tomorrow, if the tunnel changes the address to a different subnet.

16:51.000 --> 16:51.900
2.3.

16:53.950 --> 16:56.910
If you change the address of the other point to a different subnet.

16:56.930 --> 16:59.570
All I need from this side is what?

17:01.300 --> 17:02.110
2.3.

17:04.930 --> 17:06.550
All I need from this side is what?

17:07.130 --> 17:08.900
Just to start.

17:11.380 --> 17:12.460
To go to the other endpoint.

17:13.750 --> 17:14.760
This will help me.

17:14.770 --> 17:15.040
Why?

17:15.070 --> 17:16.090
Because tomorrow, When?

17:16.480 --> 17:17.080
When?

17:17.080 --> 17:17.920
Today.

17:17.920 --> 17:24.100
When I'm doing my VPN, later my tunnel endpoints are going to have different subnets for sales, different

17:24.100 --> 17:24.550
subnet.

17:25.840 --> 17:27.430
For marketing a different subnet.

17:27.760 --> 17:29.770
For a different subnet.

17:30.940 --> 17:33.220
All I need at that time is.

17:34.420 --> 17:37.030
Install static route towards those destinations.

17:37.100 --> 17:37.840
How is it dynamic?

17:39.170 --> 17:40.370
According to the requirements.

17:40.550 --> 17:41.480
I'm changing this part.

17:41.480 --> 17:44.480
I'm not changing this part from here.

17:44.480 --> 17:45.820
All I need is a static, right?

17:45.840 --> 17:50.120
And if you remember, we have a mechanism to do that reverse route injection.

17:52.370 --> 17:53.260
It does that, right?

17:53.270 --> 17:56.060
So whenever he pushes down an IP, it will install a static route.

17:56.060 --> 18:00.440
So this part will be solved by dynamic, part will be solved.

18:03.620 --> 18:04.100
Right.

18:04.190 --> 18:05.750
And the other end is also solved.

18:05.750 --> 18:05.930
Why?

18:05.960 --> 18:08.090
Because the IPs are given according to the pool.

18:09.660 --> 18:11.100
So sales will be here.

18:12.810 --> 18:17.880
Marketing will be here and IT will be here using different IPs.

18:18.540 --> 18:20.040
It doesn't really make a difference.

18:20.040 --> 18:20.190
Why?

18:20.220 --> 18:22.080
Because I have a static route from.

18:22.110 --> 18:23.460
Why do I need a static route?

18:23.490 --> 18:29.670
The only reason I need a static route is so that R1 knows in his routing table which traffic to send

18:29.670 --> 18:30.270
through the tunnel.

18:31.760 --> 18:36.740
Traffic going to 1.0 should go through the tunnel, 2.0 should go through the tunnel, 3.0 should go

18:36.740 --> 18:38.030
through the tunnel and so on and so forth.

18:38.690 --> 18:44.660
Otherwise, this information would not be involved in your routing table because you're using unnumbered

18:44.660 --> 18:45.260
links.

18:51.400 --> 18:53.320
Dynamic routing would cause problems.

18:53.740 --> 18:54.730
It does work.

18:54.880 --> 18:55.660
It does work.

18:55.660 --> 19:00.700
But in that case, this side, if you're using DVTI on one side, basically if you're using unnumbered

19:00.700 --> 19:06.910
on one side and numbered on the other side, you would have to keep them in the same network for routing

19:06.940 --> 19:07.480
to work.

19:08.440 --> 19:10.750
Or you could keep both as unnumbered.

19:12.250 --> 19:13.210
Both are unnumbered.

19:13.420 --> 19:14.740
Any network doesn't matter.

19:14.770 --> 19:17.770
Routing will come up because both of them don't have an IP address.

19:19.470 --> 19:20.330
Right here.

19:20.370 --> 19:21.440
It's unnumbered on one.

19:22.240 --> 19:22.930
Only one second.

19:23.930 --> 19:28.640
If you keep both sides on unnumbered, you will have static routes or static routes on both ends.

19:30.590 --> 19:32.030
How does a packet route borrowing?

19:32.520 --> 19:34.160
1.1.1.1.

19:35.320 --> 19:36.490
I'm going to the other end.

19:36.610 --> 19:37.170
Going to the other.

19:37.180 --> 19:38.680
It doesn't have to be on the same.

19:39.280 --> 19:39.930
It doesn't have to.

19:41.860 --> 19:45.760
It's a simple it's a simple routing routing happening here.

19:45.970 --> 19:49.030
Packet is sourcing from 1.1.1.1.

19:49.240 --> 19:50.980
Destination is going to where?

19:53.430 --> 19:54.060
2.3.

19:55.110 --> 19:58.170
This is your packet goes to the routing table.

19:59.530 --> 20:00.580
What is the routing table?

20:00.580 --> 20:01.120
Tell him.

20:03.440 --> 20:04.010
Through which.

20:05.030 --> 20:06.170
Goes to tunnel zero.

20:06.740 --> 20:07.430
Gets what?

20:08.160 --> 20:14.430
The source and destination, attaches that to GRE. Doesn't have a source and.

20:15.300 --> 20:17.580
It does have this is the source and this is the destination.

20:18.060 --> 20:19.560
Public source and public destination.

20:22.080 --> 20:22.890
In SVTI.

20:25.170 --> 20:25.880
Header won't be there.

20:25.890 --> 20:28.200
This will replace it, but the concept will be the same.

20:29.110 --> 20:31.390
Heading toward the Ori won't be there.

20:31.390 --> 20:32.980
ESP will be here instead of GRE.

20:33.760 --> 20:37.840
So I didn't use that because then I would have to protect it first and get the ESP.

20:38.290 --> 20:38.890
Yeah.

20:39.400 --> 20:45.040
IPsec will work here also, but the same concept works in IPsec and the IP unnumbered.

20:45.220 --> 20:45.550
Here.

20:45.550 --> 20:47.650
The only thing I wanted to show you is the IP unnumbered.

20:49.580 --> 20:52.550
The is with the ones that did the actual routing.

20:52.550 --> 20:52.870
Yes.

20:52.910 --> 20:53.600
From here.

20:54.110 --> 20:55.010
From here to here?

20:55.010 --> 20:55.520
Yes.

20:56.900 --> 20:57.110
Right.

20:57.110 --> 21:03.260
That is the outside header is done from 151 .15. 1 to 151 .23..

21:05.420 --> 21:05.810
Correct.

21:07.330 --> 21:12.490
The important part, again, is to make sure that this side has no IP address at all and it does not make

21:12.490 --> 21:17.920
any difference if you have if you do have an IP, if you do not have an IP does not make a difference.

21:18.550 --> 21:18.940
And the.

21:20.990 --> 21:21.380
Right now.

21:21.380 --> 21:22.880
Normal right now.

21:22.880 --> 21:24.350
It's not DVTI I'm talking about.

21:24.350 --> 21:25.190
I'm doing SVTI.

21:26.030 --> 21:31.910
This one is an SVTI, but it's just that I'm making sure that the other endpoint can be dynamic IPs.

21:32.550 --> 21:33.560
Different types.

21:34.640 --> 21:37.450
So I could change an IP here, right?

21:37.460 --> 21:38.690
I could change an IP here.

21:38.690 --> 21:42.560
And from this side, all I needed was static route to those items.

21:42.770 --> 21:44.540
I did not need to change anything else.

21:44.720 --> 21:49.100
I needed a route basically telling this side if you want to go to the other end point, it is through

21:49.100 --> 21:49.460
the tunnel.

21:49.640 --> 21:50.420
Why is this?

21:50.420 --> 21:55.040
Because this side has no IP address so it can form tunnel with any IP address.

22:00.270 --> 22:01.800
Anyway, we want to do it on only one.

22:03.590 --> 22:04.610
I'll explain that also.

22:04.610 --> 22:04.910
Why?

22:05.840 --> 22:08.150
Because the parameters should be the same.

22:10.230 --> 22:10.440
Right.

22:12.810 --> 22:15.600
Decline towards the end point of all the clients.

22:15.600 --> 22:15.900
Yes.

22:16.080 --> 22:16.920
From the client.

22:17.600 --> 22:20.710
According to the one from the client, you wouldn't need that.

22:22.130 --> 22:23.240
Subscribe here.

22:23.270 --> 22:25.130
Here we used it from the client.

22:25.130 --> 22:27.230
If you remember, Easy VPN is source based.

22:27.770 --> 22:31.910
Anything from the source will go through the tunnel, so it doesn't need that.

22:31.910 --> 22:32.750
In Easy VPN.

22:36.250 --> 22:36.610
Right.

22:36.700 --> 22:37.480
It's source based.

22:37.480 --> 22:43.450
So anything, anything that uses the source of 10 or 10 in that case will always go back through the tunnel,

22:43.450 --> 22:43.930
right?

22:45.370 --> 22:50.500
All we need to do is tell, first of all, R1 what traffic should go through the tunnel.

22:51.400 --> 22:53.320
We do it by using a static route.

22:53.680 --> 22:57.730
We tell it any traffic going to 192 168 network should go through the tunnel.

22:58.600 --> 22:59.080
Correct.

22:59.680 --> 23:02.170
From the client side in VPN.

23:02.200 --> 23:08.800
All we need to do is we need to make sure that the address is pushed down to the loopback, because

23:08.800 --> 23:14.020
once we do that, anything sourced from that loopback will automatically come back through the tunnel.

23:16.510 --> 23:16.780
Right.

23:18.020 --> 23:20.120
That's what we do in VPN.

23:21.200 --> 23:22.310
We haven't gone there yet.

23:22.340 --> 23:24.000
We'll get more concepts clear then.

23:24.020 --> 23:28.760
But the only difference, the only big thing that I wanted to show you is here.

23:31.150 --> 23:32.170
No IP address.

23:32.200 --> 23:32.920
Why?

23:32.950 --> 23:35.890
So that it can form an IP address with anybody else.

23:39.060 --> 23:39.480
Right.

23:40.560 --> 23:44.320
This is the only point where people have difficulty in Easy VPN Enhanced.

23:44.340 --> 23:48.290
Everything else is the same as we did yesterday with small minor changes.

23:48.300 --> 23:49.200
Let's do that.

23:49.200 --> 23:50.700
Let's create the new topology.

23:52.740 --> 23:53.420
All right.

23:54.020 --> 23:55.740
So same topology as before.

23:55.770 --> 24:01.620
The difference that is going to be there today is I am not going to use crypto maps.

24:02.990 --> 24:04.880
No crypto maps I'm going to use.

24:07.990 --> 24:08.620
But which.

24:11.690 --> 24:13.640
There are two reasons for dynamic VTI.

24:14.540 --> 24:19.940
Reason number one is I don't know the other destinations.

24:19.940 --> 24:21.770
I don't know the tunnel destination part.

24:22.130 --> 24:23.390
That is reason one.

24:23.390 --> 24:26.750
Reason two is my tunnels, which are going to be created.

24:26.780 --> 24:29.750
There is a huge possibility that one of them.

24:31.010 --> 24:32.750
Maybe, let's say 1.0.

24:32.960 --> 24:35.390
The other tunnel that I create could be.

24:40.240 --> 24:43.450
The endpoints of the tunnel can be on different IP addresses.

24:44.710 --> 24:46.630
How do I tackle those problems?

24:47.140 --> 24:48.270
I don't use an SVTI.

24:48.280 --> 24:51.720
I use the dynamic virtual tunnels.

24:53.300 --> 24:57.950
We'll see how to configure it when we reach before we go to that point.

24:59.840 --> 25:02.240
Let's configure the normal stuff that we've been doing until now.

25:03.540 --> 25:04.140
Step one.

25:05.720 --> 25:10.790
Always the same: crypto isakmp policy.

25:17.130 --> 25:18.090
Authentication.

25:19.470 --> 25:21.840
Detail and.

25:25.510 --> 25:26.110
Step two.

25:27.820 --> 25:31.960
I would require an ISAKMP client configuration group for that.

25:31.960 --> 25:39.760
The first thing I would require is ip local pool, sales pool, 192.168.1.

25:41.160 --> 25:47.700
10.121932168 .1. 2010 dot 20.

25:47.970 --> 25:49.200
I'll create another pool.

25:51.030 --> 25:52.420
The cell call as.

25:53.770 --> 25:54.240
Mark.

25:55.410 --> 25:55.490
So.

25:55.570 --> 25:56.890
Sales pool and marketing pool.

25:58.580 --> 25:59.270
Step three.

26:00.520 --> 26:01.420
I have two different pools.

26:01.420 --> 26:01.840
Right?

26:03.930 --> 26:04.260
Yeah.

26:04.650 --> 26:07.920
I need to change the IP to 20.1 20 dot.

26:08.430 --> 26:08.780
Thanks.

26:09.910 --> 26:10.480
Then what?

26:11.920 --> 26:15.880
Crypto isakmp client configuration.

26:17.540 --> 26:18.680
Sales.

26:19.820 --> 26:20.720
Key is Cisco.

26:20.750 --> 26:21.560
One, two, three.

26:22.370 --> 26:24.170
Pool is sales.

26:24.470 --> 26:24.740
Pool.

26:24.770 --> 26:26.540
If I wanted, I could also have a split tunnel.

26:28.390 --> 26:29.530
Copy the same way.

26:29.530 --> 26:31.690
Paste Mark.

26:32.810 --> 26:33.860
And this would be.

26:36.050 --> 26:36.410
Mark.

26:41.730 --> 26:42.300
Yes.

26:44.670 --> 26:45.300
The other one, right?

26:45.300 --> 26:52.380
So Mark Buehrle and Sales, I've done it then for Crypto IPsec.

26:53.060 --> 26:54.110
Transform set.

26:56.230 --> 26:58.270
ESP 3DES, ESP.

26:59.460 --> 27:01.320
So until now, the concept is still the same.

27:03.070 --> 27:10.300
The one thing that you have to add is, since I'm going to use an SVTI, how do I apply protection to an

27:10.300 --> 27:10.810
SVTI?

27:11.310 --> 27:13.060
I would require a profile.

27:14.030 --> 27:17.090
So step five would be transforms that you've done already.

27:17.090 --> 27:19.160
I would also require a crypto.

27:20.070 --> 27:22.230
IPsec profile.

27:22.260 --> 27:22.890
I call it I.

27:24.940 --> 27:25.630
Set.

27:27.010 --> 27:28.180
Transform set.

27:34.490 --> 27:40.550
I would also require AAA new-model. Why? Because I have to say, I have to tell my ISAKMP that the

27:40.550 --> 27:46.520
authorization of this network will be done using the list Sha, which is going to.

27:49.980 --> 27:51.400
Pointing to the local database.

27:51.420 --> 27:53.820
Until now, we did the same thing as yesterday.

27:53.820 --> 27:59.280
Except for this one extra step of transform set, which was put in a profile.

27:59.760 --> 28:01.680
Now here is where the difference comes in.

28:03.090 --> 28:03.280
Okay.

28:04.440 --> 28:05.460
Yesterday.

28:05.610 --> 28:06.270
Do you remember?

28:06.270 --> 28:07.920
What did we do after this?

28:10.910 --> 28:12.710
Using a crypto dynamic map.

28:14.860 --> 28:15.250
Right.

28:15.250 --> 28:17.440
I created where I set the transform set.

28:20.860 --> 28:22.510
Then I had a crypto map.

28:24.180 --> 28:26.400
Which make whatever.

28:26.400 --> 28:29.010
I'm just showing you the right so dynamic.

28:29.010 --> 28:30.420
I linked it to the dynamic.

28:30.450 --> 28:31.260
Then.

28:32.250 --> 28:34.360
Crypto map I map.

28:34.380 --> 28:35.160
Then I said.

28:35.940 --> 28:36.690
ISAKMP.

28:38.170 --> 28:39.140
Authorization.

28:40.480 --> 28:43.110
Then I also said crypto map.

28:43.150 --> 28:43.780
I map.

28:45.290 --> 28:48.410
Client configuration address.

28:50.710 --> 28:52.000
This is what I said yesterday.

28:52.180 --> 28:54.130
Then I applied the map on an interface.

28:54.490 --> 28:57.010
Here, I cannot apply it on an interface here.

28:57.010 --> 29:04.660
I cannot do this part, but I still need to find out a way to do the authorization list and

29:04.660 --> 29:10.720
to use this command where I tell my router that you can push down an address if in case the client asks

29:10.720 --> 29:11.170
for it.

29:12.380 --> 29:14.750
Respond to an address request.

29:14.870 --> 29:15.790
You have the option in the.

29:17.560 --> 29:19.510
Obviously that's how we'll do it.

29:19.540 --> 29:21.850
Not in the profile, but what?

29:21.880 --> 29:24.010
Step seven here is replaced by.

29:24.040 --> 29:26.500
Since I'll be using what?

29:28.250 --> 29:29.720
And as a DVTI.

29:30.860 --> 29:33.200
If it was an SVTI, I would use it like this.

29:33.230 --> 29:37.860
Interface Tunnel zero, then IP address and stuff like that here.

29:37.880 --> 29:38.810
It's a DVTI.

29:39.770 --> 29:41.270
Now think about this.

29:41.780 --> 29:42.590
A DVTI.

29:44.620 --> 29:45.490
What does it mean?

29:46.210 --> 29:49.690
It means that I'll be creating a separate tunnel with this client.

29:50.230 --> 29:52.810
I'll be creating a separate tunnel with this time.

29:53.260 --> 29:53.800
Can it.

29:54.070 --> 29:54.950
Can it achieve?

29:55.030 --> 29:57.100
Can it be achieved with Interface Tunnel zero?

29:58.350 --> 29:58.890
Interface.

29:58.890 --> 30:00.120
Tunnel zero is only one tunnel.

30:01.350 --> 30:04.830
I need to create multiple tunnels with multiple clients.

30:06.040 --> 30:11.410
The best part about that is, though, all of these tunnels would have similar characteristics.

30:13.660 --> 30:16.980
All of these tunnels will have almost the same characteristics.

30:18.430 --> 30:18.570
Right.

30:19.570 --> 30:21.640
Have you ever heard of the word template?

30:22.630 --> 30:23.950
What is a template?

30:27.300 --> 30:34.680
It's like a it's like yeah, it's like a template is like a blueprint, right?

30:35.040 --> 30:39.300
Say, for example, you're printing cards for someone who's getting married.

30:39.690 --> 30:42.840
You'll choose a template first, right?

30:42.840 --> 30:44.400
Then all the other cards.

30:44.400 --> 30:45.210
What will you change?

30:45.210 --> 30:48.120
Only the name on the outside.

30:48.120 --> 30:50.550
You add a label on the label, you just change the name.

30:50.550 --> 30:52.320
So this card is destined to this guy.

30:52.530 --> 30:54.990
But the format of the card remains the same.

30:56.200 --> 30:57.590
So you choose a template.

30:57.610 --> 31:01.240
Then you clone out cards from that template.

31:02.050 --> 31:03.970
Same concept will be applied here.

31:04.000 --> 31:05.680
We'll choose it in DVTIs.

31:05.680 --> 31:06.850
You choose a template.

31:07.150 --> 31:15.130
Then sweeties are removed from that template using the same characteristics that you will choose for

31:15.160 --> 31:15.490
that.

31:20.330 --> 31:21.730
You will have to use NHRP.

31:23.140 --> 31:24.690
People have to come up and register.

31:24.700 --> 31:25.420
It wouldn't work.

31:26.620 --> 31:27.330
This is different.

31:27.340 --> 31:28.410
This is a VPN, right?

31:28.810 --> 31:31.000
You would have an endpoint from that side.

31:31.000 --> 31:35.770
Then you would have to create an interface Tunnel zero IP, and then they will have to come up and

31:35.770 --> 31:37.780
register so many different things that you would have to.

31:39.140 --> 31:39.550
One.

31:39.650 --> 31:41.330
The source is fixing the destination.

31:42.370 --> 31:42.880
For?

31:42.880 --> 31:46.720
Yes, a little similar, but still different because the IPs can also change there.

31:46.750 --> 31:47.890
The IP wouldn't change.

31:49.300 --> 31:52.210
Here, these IP addresses also are changing.

31:52.210 --> 31:55.540
And plus there the tunnels didn't have remote IPs.

31:56.200 --> 31:57.280
The destination.

31:57.280 --> 32:04.840
Yes, it could have the tunnel IPs. Sales will have different IP, marketing will have different IP.

32:06.390 --> 32:09.450
He was same concept 192 168 1.0.

32:09.570 --> 32:12.840
Then the endpoints were 1.1234567.

32:14.380 --> 32:14.920
Yeah, it was.

32:14.920 --> 32:19.060
That's why OSPF point to point and multi point we had to do right because the same network.

32:20.360 --> 32:20.990
Right here.

32:21.020 --> 32:25.940
First of all, the network can change and there's a huge possibility that the destination can also keep

32:25.940 --> 32:26.330
on changing.

32:26.330 --> 32:29.150
The same guy's destination will keep on changing every single time.

32:29.420 --> 32:33.470
Because when you go back to connect from a hotel, you connect using a different address.

32:33.470 --> 32:36.740
You can go back home, connect with a different address, you can go to a coffee shop.

32:36.740 --> 32:40.400
So in one day you can connect from four different locations there.

32:40.400 --> 32:41.690
That was not the case.

32:42.380 --> 32:45.320
We knew the destination is just that we couldn't map it.

32:46.100 --> 32:47.090
We used NHRP.

32:47.240 --> 32:52.010
Now the thing here is you will create something.

32:52.860 --> 32:53.520
Called.

32:54.390 --> 32:54.930
You call it.

32:58.950 --> 33:00.030
Interface.

33:01.170 --> 33:02.010
Virtual.

33:03.280 --> 33:04.060
Template.

33:05.700 --> 33:09.330
And you number it just like you would number a normal tunnel.

33:09.510 --> 33:12.080
You have to specify what kind of a template is this?

33:12.090 --> 33:18.060
What is the kind tunnel basically saying that from this virtual interface, tunnels will be cloned.

33:20.770 --> 33:22.840
Tons will be cloned from this template.

33:22.960 --> 33:25.000
Now what are the common features?

33:27.170 --> 33:29.990
Of this virtual template which all the tunnels will use.

33:30.020 --> 33:32.690
First of all is the source.

33:34.490 --> 33:37.670
Which is 151 .2.2.

33:38.570 --> 33:42.140
Every tunnel will have the same public source from this end.

33:45.100 --> 33:47.710
Tunnel mode will be IPsec.

33:47.730 --> 33:49.810
IPv4 for all the tunnels.

33:50.770 --> 33:52.090
Tunnel protection.

33:53.980 --> 33:55.120
IPsec profile.

33:56.390 --> 33:59.150
IPROF will be the same.

33:59.150 --> 34:00.710
There will be no destination.

34:00.860 --> 34:03.080
That will be resolved as per each tunnel.

34:03.080 --> 34:04.680
So that will be different for each.

34:04.700 --> 34:05.510
I will not change.

34:05.510 --> 34:08.660
I will not put that here because that is the only thing that will change.

34:08.660 --> 34:11.510
Also, I would also require an IP.

34:13.310 --> 34:20.270
Unnumbered, not address. IP unnumbered, because the other endpoints can have different subnet.

34:20.300 --> 34:21.260
IP addresses.

34:21.290 --> 34:23.180
IP unnumbered you can use any one here.

34:23.180 --> 34:25.040
I'll use fast ethernet zero zero.

34:29.030 --> 34:33.230
No, I'm using this this interface address because anyways, I want them to reach this network.

34:33.230 --> 34:33.650
Right?

34:36.580 --> 34:41.140
Not loopback, any address, any physical interface, any interface which has an IP address, it will

34:41.170 --> 34:42.670
borrow the IP address from there.

34:43.040 --> 34:45.250
Doesn't have to be a loopback.

34:45.280 --> 34:47.260
Loopback I just showed you because I did not have any interface.

34:49.450 --> 34:51.540
It would if you want, it could.

34:51.550 --> 34:57.250
But at that point, the problem would be that when R4 has the route, right.

34:57.250 --> 34:59.110
When you install the route, you could have it.

34:59.110 --> 35:00.340
It won't make a difference.

35:00.520 --> 35:01.570
It won't make a difference.

35:01.570 --> 35:02.620
You can use any one here.

35:03.310 --> 35:06.220
There would be wouldn't be any problem because it doesn't read it out.

35:06.220 --> 35:07.540
It needs a route to this network.

35:07.540 --> 35:09.310
All you have to tell him is go through the tunnel.

35:09.310 --> 35:10.750
So wouldn't be a problem at all.

35:12.240 --> 35:12.560
Right.

35:12.570 --> 35:15.570
So this I would copy it.

35:16.170 --> 35:18.000
Always remember one thing.

35:18.000 --> 35:19.800
I need to show this to you also.

35:23.810 --> 35:24.640
IPROF is not.

35:24.650 --> 35:25.950
Obviously nothing is defined.

35:25.970 --> 35:27.170
I haven't copied anything yet.

35:27.170 --> 35:27.650
Right.

35:41.000 --> 35:45.620
Always remember one thing in this because sometimes.

35:46.480 --> 35:47.950
If they ask you this in exam.

35:50.010 --> 35:52.450
An EVP, and they ask you to create a virtual tunnel.

35:52.500 --> 35:57.990
Type ten virtual template of ten, for example, the number should be ten.

35:57.990 --> 35:59.700
And you make a mistake like this.

36:02.220 --> 36:04.920
You forget to use the type tunnel, you just press the enter key.

36:07.240 --> 36:13.810
Then when you try to go back again and change the type of tunnel, it will not accept the command even

36:13.810 --> 36:15.250
if you try to remove it.

36:18.790 --> 36:21.940
You can remove it, but when you add it back again.

36:24.360 --> 36:31.350
Interface virtual template, then type tunnel will give you the same error message.

36:32.980 --> 36:37.420
What I'm basically trying to say is whenever you configure, if you forget the type tunnel.

36:39.340 --> 36:42.970
If you forget the type tunnel, you will not be able.

36:42.970 --> 36:47.290
If you just press the enter key, you will not be able to change the type of this tunnel again.

36:49.330 --> 36:52.660
Whenever you're using virtual templates, make sure do not forget the type.

36:52.930 --> 36:56.350
Otherwise you'll have to restart the system to get it back.

36:59.250 --> 37:04.790
Now, it's not really necessarily important from production point of view, but if, for example, in

37:04.800 --> 37:08.550
the exam, they might ask you specifically make the tunnel of ten.

37:10.040 --> 37:10.730
What's your template?

37:10.730 --> 37:12.620
Should be the name number ten.

37:13.010 --> 37:15.260
If you make this mistake, you'll have to restart the.

37:16.590 --> 37:18.300
The router and then get it back.

37:20.590 --> 37:20.830
Right.

37:20.830 --> 37:22.390
So always use the type command.

37:22.900 --> 37:24.310
Just food for thought.

37:25.840 --> 37:26.740
Go back to R2.

37:28.100 --> 37:31.100
Now my virtual template is stuff.

37:31.610 --> 37:33.950
Everything looks well and good right now.

37:33.980 --> 37:38.600
I need to just like yesterday, I used crypto maps to bind this together.

37:38.960 --> 37:41.270
I also need something else here to bind it.

37:43.530 --> 37:44.700
Right here.

37:44.700 --> 37:48.660
I don't have a crypto map, so I need to find another way to bind it together.

37:48.840 --> 37:49.980
What is that other way?

37:50.160 --> 37:51.300
We call it.

37:55.180 --> 37:55.660
Crypto.

37:56.580 --> 37:57.240
ISAKMP.

37:58.420 --> 37:58.900
Profile.

38:02.760 --> 38:03.840
To bind everything together.

38:03.840 --> 38:04.620
We use what?

38:04.950 --> 38:05.370
ISAKMP?

38:07.830 --> 38:08.280
Right.

38:09.030 --> 38:09.870
Let's see.

38:09.870 --> 38:11.460
Let's have a look at these options.

38:16.630 --> 38:23.100
It says a profile is deemed incomplete until it has matched identity statements.

38:23.110 --> 38:25.440
What is what are those match identity statements?

38:25.450 --> 38:28.870
You need to match the identity group of people who are going to be coming in.

38:30.040 --> 38:36.940
When someone comes in, it can come in with a group name of sales and a group name of.

38:41.680 --> 38:45.640
Specifying this is for the client cam profile is over the client.

38:45.640 --> 38:50.320
So I'm saying the client can come in with a group name of sales or it can come in with a group name

38:50.320 --> 38:51.430
of marketing.

38:52.240 --> 38:56.560
The key is already specified in the local database, but I have to tell him that.

38:56.590 --> 38:57.250
How?

39:00.790 --> 39:02.800
For the pool and everything to be pushed down.

39:09.130 --> 39:09.370
Right.

39:09.370 --> 39:10.150
Same as yesterday.

39:10.150 --> 39:10.790
The one which I used.

39:10.810 --> 39:11.570
What else do I need?

39:11.590 --> 39:12.880
Client configuration.

39:16.150 --> 39:17.430
Those things I'm specifying here.

39:17.440 --> 39:18.690
Also, I also need to bind.

39:18.700 --> 39:19.000
What?

39:21.770 --> 39:22.430
For things.

39:24.690 --> 39:25.170
Right.

39:25.170 --> 39:28.170
I need to bind step seven.

39:28.470 --> 39:30.570
I need to bind step six.

39:31.970 --> 39:35.870
Four and five are already bound in seven, so no need to worry about that.

39:37.070 --> 39:38.510
I need to call these two.

39:39.800 --> 39:43.460
Pool is already called in here and I am obviously works by on its own.

39:45.110 --> 39:45.770
How do I call it?

39:45.770 --> 39:46.550
I call it all in.

39:46.550 --> 39:46.880
Where?

39:49.970 --> 39:50.840
In the profile.

39:50.840 --> 39:52.970
The first thing that I call is step three.

39:53.000 --> 39:54.080
Match Identity.

39:56.890 --> 39:59.530
Group sales and.

40:02.310 --> 40:02.940
Mark.

40:03.870 --> 40:05.280
Did I use a capital mark?

40:05.820 --> 40:06.330
Yes.

40:07.410 --> 40:10.290
So my step one, two, and three is done.

40:10.470 --> 40:16.950
I need to bind my four, five and seven, which is already bound together, but I need to call it here.

40:16.980 --> 40:18.090
How do I call it here?

40:19.440 --> 40:20.340
I just call.

40:22.200 --> 40:22.640
Virtual.

40:29.320 --> 40:30.070
Virtual template.

40:30.400 --> 40:35.370
So basically telling my process to use virtual template ten to create the tunnels.

40:37.130 --> 40:37.360
Right.

40:37.760 --> 40:38.780
What else do I need?

40:40.080 --> 40:40.620
ISAKMP.

40:41.160 --> 40:43.200
Step six needs to be called.

40:44.440 --> 40:44.680
Yeah.

40:45.670 --> 40:46.570
Finally.

40:48.040 --> 40:49.390
Client configuration.

40:51.250 --> 40:52.150
Address.

40:56.200 --> 40:57.220
Which I needed yesterday.

40:57.220 --> 41:04.720
So if you see these two, which I was using with the crypto map, are now used with ISAKMP profile, the

41:04.720 --> 41:09.550
best way to remember this, if you have to remember if you think you might have a problem remembering

41:09.550 --> 41:12.010
it, first of all, is to follow the steps.

41:13.050 --> 41:13.320
Follow.

41:13.320 --> 41:14.640
One, two, three, four, five, six, seven, eight.

41:14.700 --> 41:15.330
It's easier.

41:15.330 --> 41:18.690
But the other way, if you can do that, is to go from down to up.

41:20.150 --> 41:21.590
Remember what you have to do here.

41:22.070 --> 41:24.020
It will make you do the rest of the stuff.

41:24.110 --> 41:26.120
First thing you call is group sales.

41:26.120 --> 41:29.990
So you remember that you need to create the group sales, you create the group sales, and you do that.

41:29.990 --> 41:32.050
You need what, a pool.

41:32.060 --> 41:34.550
So you'll create the pool, right?

41:34.550 --> 41:35.780
Then you go to virtual template.

41:35.780 --> 41:37.310
And now you know you need a virtual template.

41:37.340 --> 41:40.160
Then when you're configuring it, you know, you need to protect it.

41:40.190 --> 41:42.530
To protect it, you will require an IPsec profile.

41:42.530 --> 41:44.720
For that, you will require a transform set.

41:45.140 --> 41:47.900
Then you go to authorization list.

41:47.900 --> 41:51.830
For this, you would require AAA new-model, and the list should be pointing to the local database.

41:51.830 --> 41:57.650
Or if you want, to a AAA server. Then this obviously you'll have to use on your own: client configuration.

41:57.650 --> 41:59.060
Address respond.

42:00.640 --> 42:00.940
Done.

42:02.640 --> 42:03.630
I've already copied it.

42:03.810 --> 42:04.620
That's it.

42:04.620 --> 42:06.960
That's all you need to do on the server side.

42:08.040 --> 42:09.120
What about the client?

42:10.880 --> 42:11.660
Same as yesterday.

42:11.900 --> 42:12.860
Nothing changes.

42:13.070 --> 42:16.760
Crypto IPsec Client Easy VPN Easy Connect.

42:21.390 --> 42:22.590
I can profile.

42:23.380 --> 42:24.490
You don't need to map it.

42:28.800 --> 42:29.370
IPCC.

42:30.160 --> 42:31.450
That's an eye to.

42:34.070 --> 42:34.550
That tonight.

42:34.550 --> 42:35.210
We do not.

42:35.210 --> 42:35.570
Here.

42:36.110 --> 42:36.470
Here.

42:36.470 --> 42:37.790
You don't need to see here.

42:37.820 --> 42:39.710
Who's going to kick start the process?

42:40.160 --> 42:40.420
But.

42:43.310 --> 42:45.980
IPsec profile is in the virtual template.

42:50.260 --> 42:51.880
With iSight camera.

42:52.510 --> 42:52.900
Right.

42:52.900 --> 42:54.190
So when the packet comes in.

42:54.220 --> 42:58.120
The good thing about it is the packet will be coming from where?

42:59.910 --> 43:00.570
From the client.

43:01.570 --> 43:02.860
In that packet.

43:02.860 --> 43:05.920
Your policies will be negotiated in that packet.

43:05.920 --> 43:07.390
Group name and key will be there.

43:07.660 --> 43:10.540
So all that information will already be coming from down.

43:11.260 --> 43:13.720
You don't have to initiate the tunnel from this end.

43:15.260 --> 43:15.530
Right.

43:16.070 --> 43:21.090
So interesting traffic will come in from there first and then the negotiation will take place.

43:21.110 --> 43:27.500
Let's monitor this link so you can have a look at the packets too.

43:29.990 --> 43:31.700
If this is done again, the client side.

43:31.700 --> 43:32.390
What do I do?

43:32.450 --> 43:35.120
Connect Auto mode Client.

43:36.430 --> 43:41.930
Right connect to mode Client peer address is 151 .2.2.

43:41.950 --> 43:42.940
Same as yesterday.

43:42.970 --> 43:45.580
Group Sales key.

43:45.880 --> 43:47.140
Cisco 123.

43:48.220 --> 43:48.640
That's it.

43:48.640 --> 43:48.940
Right?

43:49.480 --> 43:51.370
Interface fast Ethernet zero zero.

43:51.610 --> 43:56.020
Crypto IPsec Client VPN Easy outside interface loopback zero.

43:56.050 --> 43:59.920
I don't think I have the crypto IPsec client an easy.

44:00.600 --> 44:04.980
The moment you do inside is going to go in and try to create a connection.

44:08.000 --> 44:08.450
It's up.

44:09.930 --> 44:10.140
Hey.

44:12.620 --> 44:13.820
The same thing as yesterday.

44:13.820 --> 44:14.990
Aggressive, aggressive, aggressive.

44:15.020 --> 44:15.200
Then.

44:15.200 --> 44:16.070
Quick, quick, quick.

44:16.720 --> 44:20.610
Nothing changes unless up as it was before.

44:20.620 --> 44:27.180
If you check your IP interface brief, loopback 10,000 has been given the address of 192.168.10.10.

44:27.190 --> 44:28.810
If you check your show IP route.

44:30.490 --> 44:31.570
In your IP route.

44:31.600 --> 44:34.180
You don't have much, you don't have any information.

44:34.180 --> 44:36.180
But what do you have that information?

44:36.670 --> 44:38.260
IPsec Anything?

44:38.260 --> 44:41.770
Source from 10.1, 10.10 will go through the tunnel.

44:42.160 --> 44:45.880
Now, the good part about this VPN is called Easy VPN enhanced.

44:46.000 --> 44:48.090
The best part is you don't have to do RRI.

44:48.370 --> 44:49.690
It's automatically done.

44:50.350 --> 44:51.670
Reverse route injection.

44:52.780 --> 44:54.820
It's automatically embedded into the system.

44:54.820 --> 45:01.840
So if you check your R2 and you do your show IP route, you'll see a static route has already been installed.

45:03.780 --> 45:04.680
Using what?

45:04.710 --> 45:09.030
Virtual access two. What is a virtual access?

45:10.610 --> 45:12.110
Virtual access is a tunnel.

45:12.140 --> 45:15.020
These are tunnels which are created from the template.

45:15.410 --> 45:17.810
So you have a template from the template.

45:17.810 --> 45:20.060
You clone what virtual access?

45:20.120 --> 45:22.850
So if you check show interface.

45:23.460 --> 45:25.770
Virtual access two.

45:27.370 --> 45:28.990
It says it is unnumbered.

45:29.800 --> 45:31.730
It is using the address of F0 zero.

45:31.840 --> 45:34.180
So it's not having an address at all right now.

45:34.720 --> 45:36.210
Encapsulation is done.

45:36.310 --> 45:37.450
It is access.

45:37.450 --> 45:38.710
Cloned from what?

45:41.530 --> 45:43.210
The source is 20.2.

45:43.240 --> 45:46.900
The destination which the virtual template did not do, did not know.

45:46.900 --> 45:50.320
Now I know the clone knows is 40.4.

45:52.710 --> 45:58.530
So whoever came in with the second packet, who came in with the second packet after.

45:58.650 --> 46:05.670
So it took its source address, used it as a clone the moment it received that part, or that is what

46:05.670 --> 46:06.180
is missing.

46:06.180 --> 46:09.870
That is the only missing piece of the puzzle, the destination address.

46:09.870 --> 46:11.970
And the guy comes in and registered with that.

46:12.810 --> 46:13.680
So I got it.

46:13.680 --> 46:15.840
I took it, used it as the destination.

46:16.440 --> 46:17.850
My tunnel is up.

46:18.300 --> 46:21.990
Also, one more thing that you'll see is a lot of people have confusion here.

46:21.990 --> 46:26.010
If you do show IP interface brief, you'll see that there is a virtual access one.

46:27.670 --> 46:28.720
Just one second here.

46:29.470 --> 46:29.950
Hello.

46:32.390 --> 46:33.570
Ah, yes.

46:37.830 --> 46:42.150
You will see that, first of all, your virtual template always stays down.

46:43.470 --> 46:43.860
First.

46:43.860 --> 46:47.580
The first thing virtual template will always stay down because no traffic goes through it.

46:49.020 --> 46:51.690
Another thing is you'll have a virtual access one.

46:55.910 --> 46:59.270
Which will be there and you'll see that it will have no address at all.

47:00.660 --> 47:03.930
It just creates this to see if the clone is working or not.

47:03.960 --> 47:05.490
It's not used for anything.

47:06.420 --> 47:10.470
When you have virtual templates, virtual access, one is created to see if the cloning is working or

47:10.470 --> 47:10.890
not.

47:11.550 --> 47:13.530
It will not have a tunnel destination.

47:13.530 --> 47:14.940
It will not have anything.

47:14.940 --> 47:16.320
No information at all.

47:16.350 --> 47:20.670
The first virtual access which will be working with will be virtual access two.

47:23.730 --> 47:24.060
Right.

47:24.540 --> 47:25.740
Source is here.

47:25.770 --> 47:27.040
Destination is here.

47:27.060 --> 47:30.030
Which type of tunnel protocol transport you're using?

47:30.810 --> 47:32.250
IPsec IP.

47:32.610 --> 47:33.830
You're not a tunnel.

47:33.840 --> 47:34.740
You're an IPsec tunnel.

47:35.280 --> 47:37.060
And the other stuff is the same.

47:37.110 --> 47:37.400
What?

47:37.470 --> 47:38.400
Queuing strategy?

47:38.430 --> 47:39.630
First in, first out.

47:39.660 --> 47:42.610
Your packets coming through and going through the tunnel.

47:42.630 --> 47:46.860
Let's try to send some traffic through the tunnel from here.

47:47.010 --> 47:49.260
First, let's check the IPsec from here.

47:49.300 --> 47:53.340
So, crypto IPsec SA: anything going to the destination of 192.168.

47:53.340 --> 47:54.840
10.10 will go through the tunnel.

47:55.680 --> 47:58.290
All I need to do is set static route to send that traffic.

47:58.290 --> 48:00.360
I do have a static route to send that traffic.

48:00.660 --> 48:05.820
So right now if I send traffic to 192.168.10.10, I should be able to.

48:07.180 --> 48:07.630
Right.

48:07.780 --> 48:11.170
So should 10.10 be able to send traffic to 10.11.

48:11.170 --> 48:12.850
11.1.

48:16.240 --> 48:16.960
Not right now.

48:16.960 --> 48:20.980
I'll have to use which source? Loopback 10,000.

48:22.350 --> 48:28.530
So I can go to 10.11.11.1, 10.11.11.2, 10.11.11.6.

48:28.540 --> 48:29.890
Because it's a source based on.

48:33.020 --> 48:33.530
Right.

48:33.860 --> 48:35.030
What about the loopback?

48:35.060 --> 48:36.680
Can I use loopback zero.

48:38.350 --> 48:39.850
Again, the same concept.

48:39.890 --> 48:40.270
Nothing.

48:43.630 --> 48:46.330
The concept is the same the users who are behind here.

48:48.450 --> 48:50.520
10.4.4.0/24.

48:50.520 --> 48:54.960
Since I use this interface as my inside and the public interface as my outside.

48:55.590 --> 48:56.820
What is happening?

48:57.060 --> 48:59.670
Nothing is happening from inside to outside.

49:02.200 --> 49:08.110
And when it comes to that source is used as 192.168.10.10. Source-based tunnel, go straight up.

49:09.070 --> 49:12.040
Let's go to R5 and use it for marketing.

49:15.300 --> 49:15.960
Interface.

49:15.960 --> 49:16.350
Sorry.

49:17.230 --> 49:19.470
Crypto IPsec Client VPN is.

49:20.880 --> 49:21.390
Mode.

49:21.390 --> 49:27.110
Client Connect Auto address is 150 1.1.

49:28.290 --> 49:29.490
This is where I decide.

49:29.490 --> 49:30.690
Group Mark.

49:31.480 --> 49:31.810
He.

49:34.250 --> 49:34.820
That's it.

49:35.300 --> 49:36.470
I'm going in with Mark.

49:37.770 --> 49:41.510
Interface zero zero Crypto IPsec Client.

49:42.430 --> 49:45.870
Outside. Interface loopback zero. Crypto IPsec client is.

49:52.760 --> 49:53.690
I've only given.

49:54.290 --> 49:55.670
And you only give Only Yes.

49:55.670 --> 49:56.330
For one client.

49:56.360 --> 49:56.900
One group.

49:57.860 --> 49:59.780
One group because one IP, right?

50:01.680 --> 50:07.680
One IP right now at one time on an easy if you have an easy VPN client as the software, you can have

50:07.680 --> 50:10.230
two, but you at one time you can only connect one of them.

50:11.990 --> 50:16.730
One time, one IP, because one adapter only, right? Only one loopback 10,000.

50:17.510 --> 50:18.890
You would need different different authors.

50:19.240 --> 50:21.560
Yes, that would make sense.

50:21.560 --> 50:22.040
Right?

50:22.220 --> 50:23.990
One router will only be in one group.

50:24.650 --> 50:26.000
This will be sales router.

50:26.390 --> 50:31.280
This will be marketing because people behind are marketing or sales, you cannot have sales marketing

50:31.280 --> 50:32.630
sales behind the same router.

50:34.970 --> 50:35.240
Right.

50:35.240 --> 50:38.720
So if you check right now, what is the IP that I've received?

50:42.770 --> 50:46.220
20.10 show IP route.

50:46.430 --> 50:50.870
I have no information in my routing table, which I don't really need because I have the information

50:50.870 --> 50:57.500
where show crypto IPsec SA, which is anything that is sourced from 20.10 should go through the tunnel.

50:57.500 --> 50:59.090
So wherever I whatever I do.

51:01.540 --> 51:03.280
If I'm using the source of.

51:05.760 --> 51:06.240
10,000.

51:06.240 --> 51:09.540
I'll go through the tunnel if I'm also using the loopback of zero.

51:09.570 --> 51:11.250
I can go through the.

51:12.610 --> 51:13.480
Can I go to?

51:24.710 --> 51:25.550
Where am I going?

51:27.620 --> 51:28.340
This is not the servant.

51:29.690 --> 51:30.680
I'm going to ask for.

51:32.410 --> 51:33.100
From the server.

51:33.100 --> 51:37.570
I'm going to ask for the other end point from one end point to the other.

51:37.570 --> 51:41.350
End point through the tunnel, through two different virtual accesses.

51:42.690 --> 51:47.550
If you check from R2 show IP interface brief, you see another virtual access was up.

51:47.550 --> 51:48.090
Right?

51:49.330 --> 51:53.380
So now earlier it was only virtual access to now you have virtual access.

51:53.650 --> 51:54.190
Three.

51:54.220 --> 51:55.060
The IP.

51:55.090 --> 51:55.930
This is not an IP.

51:55.960 --> 51:57.100
Don't think of this as an IP.

51:57.130 --> 51:57.970
This is unnumbered.

51:58.870 --> 52:00.640
This IP is not used at all.

52:01.240 --> 52:03.610
The only important part is you should have a static route.

52:05.180 --> 52:09.620
10.10 is from virtual access two, 20.10 is from virtual access.

52:11.270 --> 52:16.250
You just need to tell the routing table if you want to go to 10.10, which virtual access to use

52:16.280 --> 52:17.540
if you want to go to.

52:19.280 --> 52:21.500
It automatically does it reverse route.

52:22.550 --> 52:23.690
It automatically injects it.

52:25.950 --> 52:26.430
Right.

52:27.210 --> 52:27.540
Clear.

52:29.760 --> 52:30.330
Same as well.

52:34.340 --> 52:34.670
The.

52:34.780 --> 52:35.390
Yeah, same.

52:36.580 --> 52:37.930
We are not giving reverse route.

52:37.930 --> 52:39.820
But now you're using VPNs, right?

52:39.880 --> 52:45.040
Earlier it was crypto maps on here in in.

52:45.040 --> 52:46.510
What do you mean benefit here?

52:50.340 --> 52:50.880
Watch your tongue.

52:51.510 --> 52:54.510
It's more scalable, more scalable.

52:55.170 --> 52:57.680
If you remember, are more scalable than crypto maps.

52:57.690 --> 53:02.160
Tomorrow, if you might need to send multicast traffic, you wouldn't have been able to do it with crypto

53:02.160 --> 53:02.790
maps.

53:03.890 --> 53:05.500
You can send multicast traffic here.

53:07.510 --> 53:07.780
There.

53:07.780 --> 53:09.460
It was not possible right here.

53:09.460 --> 53:12.700
All you need to do is a route through the tunnel for that multicast address.

53:12.730 --> 53:14.800
It will go through through a crypto map.

53:14.800 --> 53:15.790
It doesn't go through.

53:18.860 --> 53:20.290
So I need to ask.

53:22.180 --> 53:22.990
In crypto maps.

53:22.990 --> 53:23.620
It will not.

53:24.220 --> 53:25.390
Here it will.

53:26.080 --> 53:27.940
SETI is crypto multicast.

53:27.940 --> 53:28.640
Traffic goes through.

53:28.660 --> 53:31.150
Remember, you can run routing also.

53:32.620 --> 53:38.400
So if there is a possibility that you do need to do that with Etis, you can do that with crypto maps.

53:38.410 --> 53:39.190
Not possible.

53:39.730 --> 53:42.940
It's not as scalable and this is easier to manage.

53:44.750 --> 53:46.220
Because now you have virtual access.

53:48.280 --> 53:49.640
Is it possible for the other one?

53:50.900 --> 53:51.010
We?

53:52.710 --> 53:53.880
You guys wouldn't work in that.

53:54.510 --> 53:56.970
It wouldn't work in that in crypto maps.

53:56.970 --> 53:59.100
It would not work in any situation.

53:59.100 --> 54:00.960
It would not work here.

54:00.960 --> 54:06.860
It would buy it wouldn't work because we are I mean, it has to be.

54:07.530 --> 54:09.270
This would be a problem.

54:09.270 --> 54:09.870
Yes.

54:10.110 --> 54:14.460
But that is not only not only ACL crypto maps by default, they do not allow.

54:15.510 --> 54:22.080
If you're applying crypto maps on interfaces, they do not allow what I see your multicast traffic to

54:22.080 --> 54:22.530
go through.

54:22.740 --> 54:23.310
How does it work?

54:23.310 --> 54:23.940
It's not allowed.

54:24.060 --> 54:25.620
You can just any anything.

54:25.620 --> 54:29.400
Just if you have a multicast traffic, all you need to do is from the server side.

54:29.400 --> 54:30.450
What do you need to do?

54:30.720 --> 54:34.140
IP route 224.0.0.10.

54:36.360 --> 54:37.920
From virtual access.

54:39.870 --> 54:41.070
You cannot give virtual access.

54:42.880 --> 54:43.240
Yeah.

54:44.600 --> 54:45.740
Virtual template.

54:45.810 --> 54:50.570
Know the route which you have to give in that case is see what I could do.

54:50.570 --> 54:52.960
I could run a routing protocol, EIGRP.

54:54.760 --> 54:59.020
Then I could say network 192.168.1.0.

55:00.060 --> 55:00.370
August.

55:02.540 --> 55:04.760
I suppose it's starting from 192.

55:06.140 --> 55:06.470
Yeah.

55:06.950 --> 55:09.380
You can't have a show from 224 to 1 to one.

55:10.310 --> 55:10.910
It won't work.

55:11.240 --> 55:12.560
But why can't it work in.

55:14.030 --> 55:15.410
How will you give the ACL?

55:15.710 --> 55:17.360
How will you send the traffic?

55:17.570 --> 55:18.980
How will you tell him to send?

55:19.010 --> 55:20.690
See, it's when you send.

55:20.690 --> 55:21.410
When you update it.

55:21.410 --> 55:21.890
Right.

55:21.920 --> 55:24.620
It will go to 224.0.0.1 from the server side.

55:24.620 --> 55:27.490
How will the traffic come back from the server side?

55:27.500 --> 55:28.430
It's destination based.

55:28.430 --> 55:28.840
Right?

55:28.850 --> 55:32.780
Anything going to the destination of 192.168.10.10 will go through the tunnel.

55:35.260 --> 55:37.020
Where when it comes back.

55:37.520 --> 55:40.160
But the source will not be the source.

55:40.190 --> 55:42.260
Your destination will be 224.

55:42.500 --> 55:44.780
The multicast traffic destination will be what?

55:45.260 --> 55:46.580
Coming from the server down.

55:46.940 --> 55:49.340
The destination will not be 192 168.

55:49.520 --> 55:51.590
The destination will be 220 400.

55:53.020 --> 55:53.770
Right here.

55:53.770 --> 55:55.630
It's a tunnel, so it can go through the tunnel.

55:57.100 --> 55:57.460
Can I?

55:57.850 --> 55:59.560
Can you give a fool like I feel?

56:01.480 --> 56:02.110
Multicast.

56:02.530 --> 56:06.340
You will use pool as multicast address and on the other side you will use.

56:06.370 --> 56:08.320
I don't think why you would do that.

56:09.070 --> 56:09.820
I think why you would.

56:09.820 --> 56:11.050
But you can try if you want.

56:11.740 --> 56:15.970
You can try and check if you can give out addresses on 224 through the pool.

56:17.140 --> 56:17.290
Right.

56:17.290 --> 56:18.040
But I don't think.

56:18.040 --> 56:19.660
Why would anybody use that?

56:19.990 --> 56:20.200
Right.

56:20.200 --> 56:20.830
Just to try.

56:21.070 --> 56:22.030
This is a substitute.

56:22.030 --> 56:22.210
Why?

56:22.240 --> 56:23.920
Because I ran it here, right?

56:23.950 --> 56:25.210
I'll go to R4.

56:25.390 --> 56:26.800
I'll say router one.

56:26.800 --> 56:30.430
I'll say 192.168.9.0.

56:34.850 --> 56:35.480
Auto-summary.

56:43.680 --> 56:44.490
Bag zero.

56:47.630 --> 56:47.860
Okay.

56:47.870 --> 56:51.440
Right now it will not work because why the client side?

56:51.440 --> 56:53.720
I'm not running a I'm only running a from.

56:55.790 --> 57:00.260
The server side is only a virtual tunnel interface from the client side if you check.

57:02.210 --> 57:06.200
You don't have a it's a normal IPsec client from this end.

57:06.230 --> 57:10.670
If you have a look at it for this to work, you will have to use a also from.

57:11.250 --> 57:13.260
The client which you can use.

57:13.710 --> 57:15.120
How will you use it?

57:16.080 --> 57:19.590
You create an interface virtual template, anything.

57:19.590 --> 57:20.940
This name does not matter type.

57:21.750 --> 57:32.400
You change the mode to tunnel mode IPsec IPv4 and give it an IP unnumbered address of let's say

57:32.910 --> 57:33.870
loopback.

57:35.820 --> 57:36.660
Loopback zero.

57:37.290 --> 57:44.700
And then when you do your crypto IPsec client VPN easy here you'll say virtual interfaces.

57:45.700 --> 57:45.910
Okay.

57:47.490 --> 57:48.330
She'll go down.

57:50.010 --> 57:53.490
We come back up again from virtual access.

57:53.700 --> 57:56.080
So show IP interface brief.

57:56.100 --> 58:00.360
Now you have a virtual access of two from here, also using 11.

58:00.720 --> 58:04.350
So show IP, IP interface.

58:05.190 --> 58:07.500
Now it's running on the virtual access.

58:15.330 --> 58:15.470
He.

58:19.090 --> 58:19.630
And not zero.

58:19.630 --> 58:20.040
Right?

58:21.580 --> 58:22.390
The interface grease.

58:25.880 --> 58:26.630
I have to use it.

58:28.610 --> 58:29.090
Yeah.

58:29.090 --> 58:29.470
With.

58:29.730 --> 58:30.740
With the unnumbered.

58:30.740 --> 58:31.310
You can.

58:32.300 --> 58:32.710
There you go.

58:35.010 --> 58:35.430
Neighbor is.

58:35.430 --> 58:37.530
Our neighbor is.

58:38.130 --> 58:44.320
You wouldn't usually do this, but just to show you that Multicasts are going through, usually you

58:44.340 --> 58:46.110
wouldn't do this because you wouldn't need to.

58:46.350 --> 58:48.930
You can always through VPN, everything goes.

58:51.470 --> 58:51.950
With what?

58:51.980 --> 58:53.000
IP address?

58:55.320 --> 58:57.450
Let me explain with unnumbered.

58:59.840 --> 59:00.560
With unnumbered.

59:00.560 --> 59:06.830
What you have is if you have two interfaces, both are unnumbered, so both don't have an IP address.

59:07.220 --> 59:12.200
If you send IP traffic from here to 224.0.0.10, does it have an IP from here?

59:12.230 --> 59:12.680
No.

59:12.950 --> 59:14.330
Does it have an IP from here?

59:14.360 --> 59:14.880
No.

59:14.900 --> 59:20.620
If it receives multicast from both ends does not matter from which source it will form a neighbor.

59:22.590 --> 59:25.040
Does it have to be directly, directly connected?

59:25.580 --> 59:26.230
Does it have to be?

59:26.240 --> 59:29.600
You can have two different networks because they're not networks.

59:29.600 --> 59:31.070
These are not IP addresses.

59:32.210 --> 59:34.400
They're not considered to be IP addresses.

59:34.640 --> 59:37.130
There's actually a document on it if you want to read it.

59:37.370 --> 59:38.450
How to do this.

59:40.240 --> 59:41.590
It's where it's called.

59:46.490 --> 59:47.720
It's unnumbered, right?

59:51.240 --> 59:52.020
IP number.

1:00:03.570 --> 1:00:04.560
You didn't understand before.

1:00:04.590 --> 1:00:05.460
The same concept.

1:00:05.820 --> 1:00:08.130
If you have unnumbered on both ends.

1:00:09.550 --> 1:00:11.410
Yeah, there's IP and IP unnumbered.

1:00:11.440 --> 1:00:14.560
What we are doing right now is IP unnumbered and IP unnumbered.

1:00:17.830 --> 1:00:19.150
Both sides are numbered.

1:00:20.110 --> 1:00:24.550
If you do unnumbered from this end, this is 171.68.0.

1:00:24.580 --> 1:00:25.580
This is 172.

1:00:25.600 --> 1:00:26.950
So two different networks.

1:00:29.450 --> 1:00:31.570
Right, two different networks does not matter.

1:00:31.580 --> 1:00:32.540
They will form neighbors.

1:00:32.540 --> 1:00:33.020
Why?

1:00:33.050 --> 1:00:37.490
Because the multicast that you're sending, your source will not be affected.

1:00:37.490 --> 1:00:40.130
The other guy will not will know that it's a copied source.

1:00:40.130 --> 1:00:44.590
When he sends you the address, it will know that it's not a it's an unnumbered source.

1:00:45.680 --> 1:00:47.160
They will form neighbors.

1:00:47.180 --> 1:00:48.890
You wouldn't usually do this.

1:00:48.980 --> 1:00:49.220
Why?

1:00:49.220 --> 1:00:52.730
I showed you this is because I wanted to show you how multicast traffic can go through it.

1:00:52.790 --> 1:00:55.880
So now you have more visibility, more control.

1:00:56.980 --> 1:00:58.870
More than your crypto maps.

1:01:00.480 --> 1:01:00.740
Right.

1:01:02.120 --> 1:01:02.330
Then.

1:01:04.210 --> 1:01:07.360
So how will you do a virtual interface on your client side?

1:01:10.310 --> 1:01:11.690
You say crypto.

1:01:12.970 --> 1:01:14.630
IPsec.

1:01:17.540 --> 1:01:18.260
Client.

1:01:19.710 --> 1:01:20.460
Easy VPN.

1:01:23.230 --> 1:01:24.940
More client.

1:01:26.010 --> 1:01:27.940
Connect Auto.

1:01:28.830 --> 1:01:30.170
Then what group?

1:01:30.930 --> 1:01:32.880
Mark T Cisco.

1:01:32.910 --> 1:01:33.660
One, two, three.

1:01:34.910 --> 1:01:36.020
And what else?

1:01:37.750 --> 1:01:39.210
Peer to peer.

1:01:39.220 --> 1:01:48.430
One 51.21. For the interface, what you will do is interface virtual template type tunnel ten.

1:01:49.830 --> 1:01:50.250
IP.

1:01:51.530 --> 1:01:52.220
Unnumbered.

1:01:53.270 --> 1:01:54.080
Whatever.

1:01:56.850 --> 1:01:59.260
But this was not like, you know.

1:01:59.550 --> 1:02:00.780
Yeah, it's not required.

1:02:00.780 --> 1:02:03.330
But if you have to do it, you can do it this way.

1:02:03.360 --> 1:02:04.440
IPsec Profile.

1:02:06.790 --> 1:02:07.510
No, not.

1:02:08.090 --> 1:02:09.310
Not IPsec.

1:02:09.850 --> 1:02:10.840
Just change the mode.

1:02:10.840 --> 1:02:11.200
That's it.

1:02:11.200 --> 1:02:12.220
And call it where?

1:02:15.910 --> 1:02:21.780
If you want to have virtual interfaces on both ends, sorry is on both ends.

1:02:21.790 --> 1:02:23.920
You can do it this way, but not really required.

1:02:23.920 --> 1:02:25.060
You wouldn't usually do that.

1:02:26.290 --> 1:02:27.790
Most of the times you wouldn't do it.

1:02:30.010 --> 1:02:33.490
Hey, if you want to send multicast from both ends, you will.

1:02:34.420 --> 1:02:35.350
So copy it.

1:02:36.660 --> 1:02:37.110
And then.

1:02:38.790 --> 1:02:39.450
Your template?

1:02:39.490 --> 1:02:39.960
Yeah.

1:02:43.990 --> 1:02:45.100
This is which mode?

1:02:46.330 --> 1:02:46.930
Client.

1:02:49.400 --> 1:02:50.660
This is the client.

1:02:50.810 --> 1:02:51.770
What else do I need?

1:02:56.700 --> 1:02:58.290
Oh, which one?

1:03:00.610 --> 1:03:03.220
Its routing protocols, we would network extension.

1:03:03.220 --> 1:03:08.560
You don't really need that because it automatically does it for you if you try right now.

1:03:13.650 --> 1:03:14.630
Multicast map?

1:03:14.640 --> 1:03:15.000
No.

1:03:15.270 --> 1:03:17.490
Did you see when I sent the multicast traffic?

1:03:19.100 --> 1:03:19.760
From the neighbor.

1:03:19.790 --> 1:03:20.960
I just formed a neighbor.

1:03:25.080 --> 1:03:27.900
It was not possible with crypto maps.

1:03:29.440 --> 1:03:29.540
Right.

1:03:29.600 --> 1:03:32.180
So you can do it here with clients.

1:03:32.540 --> 1:03:37.840
It is a little unstable probably because it's enhanced is not that form.

1:03:37.850 --> 1:03:40.700
This neighbor will sometimes it is unstable.

1:03:40.700 --> 1:03:44.450
It might go up and down right from both ends.

1:03:44.600 --> 1:03:49.190
Not yet completely stable, but there is a possibility normally.

1:03:49.190 --> 1:03:49.670
Do we?

1:03:51.780 --> 1:03:52.920
It's not meant for that.

1:03:53.670 --> 1:03:55.590
It's meant for VPN client.

1:03:56.550 --> 1:04:00.160
The remote client which you use to connect up from your home is meant for that.

1:04:00.180 --> 1:04:03.030
This is only so that now you can enhance it.

1:04:03.030 --> 1:04:03.300
You can.

1:04:03.300 --> 1:04:05.340
People from inside can also come through.

1:04:07.300 --> 1:04:08.680
From the server behind the server.

1:04:09.160 --> 1:04:09.360
You can.

1:04:11.030 --> 1:04:11.570
Exactly.

1:04:12.190 --> 1:04:14.000
So from the client, you just need to connect up.

1:04:14.020 --> 1:04:17.830
It's just like one part of your company is connecting up through the internet.

1:04:18.100 --> 1:04:21.730
It's still a part of your company connecting up through the Internet, through a different address.

1:04:21.730 --> 1:04:25.690
So you are maintaining a you're just connecting it directly.

1:04:27.480 --> 1:04:29.460
So it's just another part of your company connecting up.

1:04:31.670 --> 1:04:32.570
But this remote.

1:04:32.570 --> 1:04:33.740
So you connected remotely.

1:04:35.570 --> 1:04:36.860
Right now.

1:04:39.600 --> 1:04:40.170
I'm sorry.

1:04:42.130 --> 1:04:42.700
Not really.

1:04:46.830 --> 1:04:51.030
If we need routing, see why we use use this.

1:04:51.030 --> 1:04:52.110
I told you this yesterday.

1:04:52.110 --> 1:04:53.670
Also we would use it.

1:04:53.820 --> 1:04:54.420
Yes.

1:04:54.810 --> 1:04:55.470
Yes.

1:04:55.500 --> 1:04:56.580
It's an internal no, no.

1:04:56.580 --> 1:04:59.550
He's talking about routing to exchange these networks.

1:05:00.090 --> 1:05:01.080
But do we.

1:05:02.610 --> 1:05:02.820
He.

1:05:04.260 --> 1:05:04.620
You wonder.

1:05:04.620 --> 1:05:04.770
Do it.

1:05:05.340 --> 1:05:06.240
Not through the Internet.

1:05:06.240 --> 1:05:07.080
It's on the tunnel.

1:05:09.230 --> 1:05:09.530
Through that.

1:05:09.770 --> 1:05:11.210
It's not on the on the internet.

1:05:11.480 --> 1:05:12.130
You would.

1:05:12.140 --> 1:05:18.020
But the thing is why we use VPN mostly is because we use it on small sites.

1:05:18.260 --> 1:05:20.090
When you have small sites on the other end.

1:05:21.320 --> 1:05:22.430
We don't need routing.

1:05:22.430 --> 1:05:25.580
You can just network extension in network extension.

1:05:25.580 --> 1:05:30.860
You can just put those routes in there and forward it automatically to the other side, right?

1:05:31.130 --> 1:05:35.180
If you have huge sites, then you would require something like DMVPN.

1:05:35.660 --> 1:05:41.270
The problem here is what happens if this is a dynamically changing IP. Every day it changes.

1:05:43.200 --> 1:05:46.780
If the IP changes every day at that time, you wouldn't have a choice.

1:05:47.020 --> 1:05:47.860
Very low.

1:05:48.160 --> 1:05:53.770
I mean, the scenario is very low possibility of that happening because the site usually has a leased

1:05:53.770 --> 1:05:54.070
line.

1:05:54.280 --> 1:06:00.790
But let's say your leased line is down and you use a broadband connection, you use a broadband connection,

1:06:00.790 --> 1:06:02.560
your IP keeps on changing every day.

1:06:06.340 --> 1:06:09.760
Leased line is when you go to a service provider and you buy an IP address.

1:06:11.430 --> 1:06:11.910
Do the same.

1:06:11.910 --> 1:06:14.250
When you see point to point, the point is completely different.

1:06:14.270 --> 1:06:15.960
Point to point links are serial links.

1:06:16.380 --> 1:06:18.810
Nowadays leased lines, you don't get them by serial links.

1:06:18.810 --> 1:06:21.960
Now you get them as fibre links just by five.

1:06:21.990 --> 1:06:24.000
Earlier you used to get it as serial links.

1:06:24.240 --> 1:06:25.680
So point to point links.

1:06:25.680 --> 1:06:28.350
Now you get it at fibre links fibre to the home.

1:06:28.350 --> 1:06:30.660
So they bring it to your apartment.

1:06:30.660 --> 1:06:32.190
From there you get a line straight in.

1:06:32.970 --> 1:06:37.230
Leased line means when you purchase an IP completely for you, there is no download limit or anything

1:06:37.230 --> 1:06:37.950
like that.

1:06:37.950 --> 1:06:39.690
They give you an IP address.

1:06:40.670 --> 1:06:42.590
Right with the other one.

1:06:43.340 --> 1:06:46.010
With the broadband connection, you don't have an IP.

1:06:47.030 --> 1:06:47.270
Right.

1:06:47.270 --> 1:06:49.130
So they keep on managing whatever is free.

1:06:49.130 --> 1:06:50.030
They give it to you.

1:06:50.060 --> 1:06:52.190
Whatever IP is free at this point, they'll give it to you.

1:06:52.880 --> 1:06:53.330
Not the same.

1:06:53.330 --> 1:06:54.650
Your IP will keep on changing.

1:06:55.440 --> 1:06:56.140
Gonna find this one?

1:06:56.190 --> 1:06:56.690
Yes.

1:06:56.730 --> 1:06:57.770
In broadband.

1:06:59.160 --> 1:07:01.230
Point to point is link.

1:07:01.260 --> 1:07:01.860
Type.

1:07:02.730 --> 1:07:03.900
Point to point is a link type.

1:07:03.930 --> 1:07:05.370
There are two different domains.

1:07:05.820 --> 1:07:07.590
Leased line is something else.

1:07:07.620 --> 1:07:13.290
Leased line is when you go and type of connection that you have to purchase and you have actual physical.

1:07:16.180 --> 1:07:19.720
Leased line is a type of connection that you have purchased from the service provider.

1:07:20.140 --> 1:07:22.600
Point to point link is a network type.

1:07:24.470 --> 1:07:26.690
Network type point to point, so on the other.

1:07:26.690 --> 1:07:28.550
So it's one PC connected to another PC.

1:07:29.180 --> 1:07:30.620
Ethernet is not point to point, right?

1:07:30.650 --> 1:07:31.580
Ethernet is broadcast.

1:07:31.610 --> 1:07:31.760
Why?

1:07:31.790 --> 1:07:35.060
Because you can connect it to a switch and broadcast serial links.

1:07:35.060 --> 1:07:37.340
You can do that, serial links, you connect directly to each other.

1:07:37.610 --> 1:07:38.990
So these are link types.

1:07:39.120 --> 1:07:42.650
Difference between link types and leased line is a type of connection.

1:07:46.730 --> 1:07:52.130
Bandwidth, but how do you get the bandwidth through an IP, a public IP?

1:07:52.160 --> 1:07:53.630
You are dedicating to yourself.

1:07:55.880 --> 1:07:58.160
Yeah, obviously I have to take a bandwidth.

1:07:58.310 --> 1:07:59.870
You have to take leased line per bandwidth.

1:08:01.200 --> 1:08:01.470
Sorry.

1:08:05.210 --> 1:08:05.750
Bandwidth.

1:08:06.470 --> 1:08:07.180
Yes.

1:08:07.190 --> 1:08:10.970
And but how will I give you the bandwidth through a static IP?

1:08:11.030 --> 1:08:13.250
A static public IP you purchase, right?

1:08:14.720 --> 1:08:14.980
Yeah.

1:08:15.200 --> 1:08:16.520
Purchase a static public IP.

1:08:18.400 --> 1:08:21.010
See, for example, this place, the host.

1:08:22.520 --> 1:08:22.670
You.

1:08:25.070 --> 1:08:25.410
Simon.

1:08:25.850 --> 1:08:26.180
I would.

1:08:27.340 --> 1:08:28.150
This line doesn't look.

1:08:28.180 --> 1:08:29.110
It's a concept.

1:08:29.140 --> 1:08:30.850
Leased line is not a physical link.

1:08:31.880 --> 1:08:33.740
Leased line is not a physical, it's a connection.

1:08:33.950 --> 1:08:36.080
When you have you go to a service provider, right?

1:08:36.110 --> 1:08:39.110
He gives you connections, broadband connection.

1:08:43.650 --> 1:08:45.820
A good broadband connection or a leased line connection.

1:08:47.090 --> 1:08:48.350
I can say one.

1:08:49.870 --> 1:08:51.130
Can I have a B.S. degree?

1:08:51.800 --> 1:08:53.800
Leased line is your connection to the internet?

1:08:56.310 --> 1:08:57.540
When you purchase a public.

1:08:59.450 --> 1:09:00.980
When you have a site to site connection.

1:09:01.970 --> 1:09:04.160
A you don't usually buy a site to site, how will you have.

1:09:04.430 --> 1:09:05.540
You will have direct connection.

1:09:05.540 --> 1:09:07.300
No, you will have it from the ISP, right?

1:09:08.480 --> 1:09:09.950
Serial is a kind of a link.

1:09:11.940 --> 1:09:13.380
Serial is a kind of a link.

1:09:13.890 --> 1:09:18.150
So a link if it's using if you're using a serial link, it'll be point to point link.

1:09:23.910 --> 1:09:24.070
From.

1:09:24.360 --> 1:09:24.870
Yeah, that is.

1:09:24.870 --> 1:09:26.280
That is way too expensive.

1:09:26.430 --> 1:09:27.930
I do way, way too expensive.

1:09:29.160 --> 1:09:34.260
Through the service provider, he'll give you a direct link from you to him, but way too expensive.

1:09:34.530 --> 1:09:35.280
You were saying?

1:09:36.290 --> 1:09:36.920
Which one?

1:09:43.270 --> 1:09:48.460
And the one which you say, for example, I want to have a public dedicated public IP.

1:09:48.490 --> 1:09:49.420
What do you call that?

1:09:55.270 --> 1:09:56.170
I'll explain.

1:09:56.170 --> 1:10:00.160
This company which which we are sitting in right now, they have a public address.

1:10:00.670 --> 1:10:02.080
Why do they have a public address?

1:10:02.080 --> 1:10:03.730
Because they are hosting racks online.

1:10:06.610 --> 1:10:08.920
They have to access the Internet, so they're accessing racks online.

1:10:08.920 --> 1:10:12.760
So when they went to the service provider, when they purchased a connection, they purchased the leased

1:10:12.760 --> 1:10:13.060
line.

1:10:16.190 --> 1:10:18.320
It was called the leased line when they purchased it.

1:10:18.500 --> 1:10:25.340
And they give you now leased lines, they have costs 40 Mbps, 60 Mbps.

1:10:25.490 --> 1:10:27.980
That'll be how much connection is dedicated to you.

1:10:28.160 --> 1:10:29.450
It's not fluctuating.

1:10:29.450 --> 1:10:32.870
It's a dedicated 40 Mbps line to you, to the Internet.

1:10:34.610 --> 1:10:37.580
A dedicated phone line to the Internet, so it will not fluctuate.

1:10:37.580 --> 1:10:42.370
So whenever you try to download or upload anything, you'll always get those 40 Mbps or 20 Mbps.

1:10:42.380 --> 1:10:48.830
Now, depending upon what bandwidth you're purchasing, that bandwidth will your cost will change.

1:10:50.310 --> 1:10:51.270
Based on that bandwidth.

1:10:51.270 --> 1:10:54.240
But the IP that you get, yes, the bandwidth is constant.

1:10:54.270 --> 1:10:57.300
Not from your side to another side from you to the Internet.

1:10:57.420 --> 1:10:59.010
This bandwidth will be constant.

1:10:59.280 --> 1:10:59.850
Right.

1:10:59.850 --> 1:11:00.790
That's what you're trying to say.

1:11:00.810 --> 1:11:01.170
Right.

1:11:01.170 --> 1:11:03.870
But when you buy this, you will also have a static IP address.

1:11:04.080 --> 1:11:07.910
Your IP will not change because that's how you host racks online, right?

1:11:07.920 --> 1:11:10.380
I cannot tell students today that.

1:11:10.380 --> 1:11:13.020
Okay, your address today is something else.

1:11:13.020 --> 1:11:14.580
So tomorrow I'll give them a different address.

1:11:14.580 --> 1:11:16.110
This address will also stay constant.

1:11:18.500 --> 1:11:18.920
Correct.

1:11:19.960 --> 1:11:20.140
Right?

1:11:20.180 --> 1:11:20.330
Right.

1:11:21.790 --> 1:11:24.680
I mean, I don't know what frame relay was used before.

1:11:24.690 --> 1:11:26.130
Frame relay used to use serial links.

1:11:26.820 --> 1:11:28.050
Frame relay replaced.

1:11:30.010 --> 1:11:30.640
Now.

1:11:30.670 --> 1:11:31.990
MPLS replaced everything.

1:11:32.000 --> 1:11:32.210
Yeah.

1:11:32.400 --> 1:11:32.610
Yeah.

1:11:33.820 --> 1:11:35.530
What you're talking about is.

1:11:35.560 --> 1:11:36.820
No, that's a different case.

1:11:36.820 --> 1:11:42.670
What you're talking about is you're talking about when you when you connect two companies directly to

1:11:42.670 --> 1:11:43.210
each other.

1:11:43.960 --> 1:11:45.130
That was done before.

1:11:45.760 --> 1:11:48.560
This was also called a leased line, but this was leased line for what?

1:11:48.580 --> 1:11:51.220
To connect two parts of the companies together.

1:11:51.430 --> 1:11:58.630
This was a concept used way long back, but it's still like I mean this and point to point it was point

1:11:58.630 --> 1:11:58.930
to point.

1:11:59.500 --> 1:12:02.470
People buy direct connections from one side to another.

1:12:02.950 --> 1:12:03.970
Very expensive.

1:12:05.150 --> 1:12:05.630
Very expensive.

1:12:06.990 --> 1:12:07.740
This one.

1:12:07.950 --> 1:12:09.850
What do you call the connection that you purchase?

1:12:09.870 --> 1:12:10.490
A direct line.

1:12:10.500 --> 1:12:11.430
What do you call that?

1:12:13.950 --> 1:12:17.610
If a guy purchases, if I purchase a connection from here to the Internet.

1:12:19.380 --> 1:12:20.280
Who's purchasing this?

1:12:23.660 --> 1:12:25.460
When you say we, who are you mentioning?

1:12:31.750 --> 1:12:32.490
Are you going to this?

1:12:32.650 --> 1:12:34.780
And then you'll give it to other people, right?

1:12:34.810 --> 1:12:35.800
Then you'll give it.

1:12:37.340 --> 1:12:38.420
You're purchasing connection.

1:12:38.420 --> 1:12:39.350
From what to what?

1:12:42.880 --> 1:12:48.660
You are a company, you are purchasing it from a service provider from one point to another point.

1:12:48.670 --> 1:12:49.780
Is that what you're trying to say?

1:12:54.680 --> 1:12:56.130
From a fiber provider.

1:12:56.150 --> 1:12:56.510
Okay.

1:12:56.510 --> 1:12:57.050
And then.

1:12:58.440 --> 1:12:58.930
After the.

1:13:00.190 --> 1:13:02.260
After that, they are giving it to customers.

1:13:02.800 --> 1:13:07.510
I still don't understand what you are trying to get at because what I am talking about, what we are

1:13:07.720 --> 1:13:09.160
on topic, right?

1:13:09.190 --> 1:13:12.940
What I'm talking about is the connection which a person purchases.

1:13:14.210 --> 1:13:15.440
Let's not drift away.

1:13:16.370 --> 1:13:17.900
What I'm talking about.

1:13:18.620 --> 1:13:19.940
You get my point, right?

1:13:19.970 --> 1:13:23.120
What I'm talking about is a connection which I purchased from the Internet.

1:13:24.550 --> 1:13:25.360
This purchase.

1:13:25.360 --> 1:13:28.780
When a company purchases it, you purchase a static IP, right?

1:13:32.140 --> 1:13:33.580
You get a static public IP.

1:13:33.790 --> 1:13:40.660
All I need is a static public IP where on the VPN connection, what I'm getting at is these people here

1:13:41.200 --> 1:13:43.510
will not have a static IP address.

1:13:43.540 --> 1:13:46.450
Their address is bound to change every day.

1:13:48.700 --> 1:13:53.980
Right if they have any broadband connection because you will not use private users at home, will not

1:13:53.980 --> 1:13:55.090
use anything like that.

1:13:56.040 --> 1:13:56.340
Right.

1:13:56.340 --> 1:14:01.620
They'll use a broadband connection or they'll connect using their 4G phones or 3G phones or Internet

1:14:01.620 --> 1:14:03.730
cafes so their IP can change.

1:14:03.750 --> 1:14:10.470
Now, if if a site also has something like that, a broadband connection, but you need to connect up

1:14:10.470 --> 1:14:13.650
to people here, but their IP is also changing.

1:14:14.160 --> 1:14:16.020
VPN would not be your best solution.

1:14:17.830 --> 1:14:20.470
At that point, VPN would not be your best solution.

1:14:20.470 --> 1:14:25.810
What would be your best solution? To connect up using Easy VPN virtual interfaces on both ends and

1:14:25.810 --> 1:14:26.800
then run routing?

1:14:27.860 --> 1:14:32.500
Ryan Bolton on the houting will only run because when you have on both sides.

1:14:32.500 --> 1:14:32.770
Right?

1:14:34.030 --> 1:14:34.940
We don't need that.

1:14:34.960 --> 1:14:35.740
We don't need that.

1:14:35.740 --> 1:14:37.810
But if there is no way out.

1:14:37.810 --> 1:14:38.040
Yeah.

1:14:38.080 --> 1:14:40.760
If there is no way out for you, you have a possibility.

1:14:40.780 --> 1:14:42.860
You can do it here in crypto maps.

1:14:42.880 --> 1:14:44.140
That's not an option.

1:14:45.410 --> 1:14:47.180
Crypto maps, you don't have that option at all.

1:14:49.250 --> 1:14:49.460
Right.

1:14:49.460 --> 1:14:51.470
Because it's bound to an interface.

1:14:52.380 --> 1:14:53.700
Right now.

1:14:53.700 --> 1:14:55.410
I've seen this clear, right?

1:14:56.310 --> 1:14:56.580
Clear.

1:14:56.580 --> 1:14:59.490
Right. Now, what I'll do from the side is I'll change the mode.

1:14:59.520 --> 1:15:00.090
To what?

1:15:02.350 --> 1:15:05.320
Network extension ignore goes down.

1:15:06.330 --> 1:15:07.470
Comes back up again.

1:15:10.190 --> 1:15:11.390
From the server side.

1:15:13.830 --> 1:15:15.030
You should have.

1:15:18.050 --> 1:15:18.800
10.4.

1:15:18.890 --> 1:15:20.750
So now the server can reach.

1:15:22.480 --> 1:15:23.920
10.4.4.4.

1:15:25.150 --> 1:15:25.390
Right.

1:15:25.390 --> 1:15:30.100
So all the people behind the server, same concept as yesterday can reach 10.4.

1:15:30.590 --> 1:15:32.290
They'll have a default route right now.

1:15:35.060 --> 1:15:35.710
Swipe it out.

1:15:38.930 --> 1:15:40.400
It'll be using what source?

1:15:41.150 --> 1:15:41.330
Ten.

1:15:41.330 --> 1:15:41.660
11?

1:15:41.660 --> 1:15:41.870
Yeah.

1:15:41.900 --> 1:15:43.220
Should be able to reach.

1:15:44.010 --> 1:15:44.370
And not.

1:15:44.370 --> 1:15:45.060
So let's check.

1:15:46.440 --> 1:15:47.250
Source doesn't matter.

1:15:47.550 --> 1:15:49.620
Show Crypto IPsec.

1:15:55.990 --> 1:15:59.830
So no, because I have because I have the virtual access now.

1:15:59.830 --> 1:16:00.250
Right.

1:16:02.040 --> 1:16:04.470
So now it'll be based on the virtual access.

1:16:05.280 --> 1:16:08.070
Whatever is true, going through the access will be encrypted.

1:16:08.550 --> 1:16:13.320
If you check show interface virtual access two.

1:16:14.490 --> 1:16:16.710
The source and destination will be specified here.

1:16:18.130 --> 1:16:20.440
This is your applied protection to the tunnel, right?

1:16:20.830 --> 1:16:22.090
To the interface.

1:16:23.250 --> 1:16:24.390
So your source is what?

1:16:24.390 --> 1:16:27.000
40.4 destination is 20.2.

1:16:27.000 --> 1:16:29.370
Anything going through this tunnel will be encrypted.

1:16:30.480 --> 1:16:32.330
Anything going through the tunnel will be encrypted.

1:16:32.370 --> 1:16:34.980
So if you check right now, show IP route.

1:16:36.760 --> 1:16:40.600
The problem here would be that you would not know where to go.

1:16:42.560 --> 1:16:44.870
The problem in this case because you don't have a static route.

1:16:44.870 --> 1:16:45.140
Where.

1:16:46.620 --> 1:16:51.360
Pointing towards the other end point so you don't know how to reach to the other side.

1:16:51.510 --> 1:16:53.190
When you use virtual access here.

1:16:55.100 --> 1:16:59.720
Right now and I use virtual access here, I won't be able to go to the other end point of the tunnel.

1:17:00.170 --> 1:17:03.260
So what I would need is reverse route injection.

1:17:04.120 --> 1:17:06.250
But to do it here.

1:17:08.080 --> 1:17:09.440
Not really sure how to apply it.

1:17:10.700 --> 1:17:11.630
Virtual.

1:17:14.920 --> 1:17:16.540
Let's first see from the other side.

1:17:18.310 --> 1:17:18.520
Again.

1:17:20.560 --> 1:17:21.070
I can.

1:17:21.890 --> 1:17:24.720
Like that Crypto IPsec client is a VPN.

1:17:24.740 --> 1:17:30.110
We can we don't really need that, but let's try because here I don't have a virtual access virtual template

1:17:30.110 --> 1:17:33.500
anymore, so it'll be a normal tunnel with a show IP route.

1:17:33.530 --> 1:17:35.440
This, this side should be able to go.

1:17:35.450 --> 1:17:37.760
So first of all, I need to change what.

1:17:39.430 --> 1:17:41.890
Mode network extension.

1:17:41.980 --> 1:17:46.000
You would not use network extension with virtual interface on the on the side.

1:17:47.090 --> 1:17:53.720
Because if you are using routing, if you're using routing, right, you would need to do network extension

1:17:54.050 --> 1:17:56.000
because routing will exchange everything.

1:17:57.520 --> 1:17:58.360
Network extension.

1:17:58.360 --> 1:18:00.870
You'll use it with normal crypto maps from this end.

1:18:00.880 --> 1:18:01.260
Right?

1:18:01.270 --> 1:18:04.780
So I am having my remote subnets being sent to the other side.

1:18:04.780 --> 1:18:06.090
So show IP route.

1:18:06.100 --> 1:18:08.380
If you check here, 10.5 is also coming.

1:18:08.380 --> 1:18:11.080
I should be able to go to 10.5.5.5.

1:18:11.440 --> 1:18:17.230
The router behind should also be able to go to 10.5.5.5 or 6.

1:18:17.230 --> 1:18:19.540
Should be able to go to 10.5.5.5.

1:18:22.970 --> 1:18:26.690
R5 did not have a virtual template for I need to remove it.

1:18:27.440 --> 1:18:28.160
So crypto.

1:18:31.500 --> 1:18:32.300
How was what effect?

1:18:33.450 --> 1:18:37.760
The virtual template was affecting because since now this side is also unnumbered.

1:18:38.550 --> 1:18:42.270
So in the routing table, he doesn't know what traffic to send through the virtual access.

1:18:46.480 --> 1:18:52.150
If you check R2 and you do a show IP route, how do you know that traffic to 10.5 should go through

1:18:52.180 --> 1:18:53.290
virtual access three?

1:18:53.750 --> 1:18:55.440
You have a you have.

1:18:55.480 --> 1:18:56.620
I have a static route.

1:18:56.860 --> 1:19:01.090
I told you when it's an unnumbered interface to reach the other side, you would require what?

1:19:01.420 --> 1:19:04.300
A static route to reach the other side of the.

1:19:04.360 --> 1:19:05.020
Of the tunnel.

1:19:06.180 --> 1:19:08.150
One automatic.

1:19:09.080 --> 1:19:12.650
Once the ice forms, it automatically knows the static route.

1:19:12.650 --> 1:19:14.630
But it doesn't happen from the client side.

1:19:15.080 --> 1:19:19.730
If it's a mode client, I know it wouldn't be a problem because I'm only accessing that endpoint.

1:19:20.600 --> 1:19:23.030
I'm only accessing 192.168.10.10.

1:19:23.090 --> 1:19:26.210
The problem would be if I'm trying to access it from a server.

1:19:28.320 --> 1:19:29.850
From 10.11.11.1.

1:19:30.630 --> 1:19:32.040
Does he know now?

1:19:32.610 --> 1:19:36.900
See, right now he doesn't have a static route or anything through the virtual access.

1:19:36.930 --> 1:19:43.470
How does it know if it gets traffic to 10.17.17.0/24.

1:19:43.500 --> 1:19:46.470
How does it know that this traffic should go through virtual access?

1:19:48.550 --> 1:19:48.940
Here.

1:19:48.940 --> 1:19:50.470
It knows because you have a static route.

1:19:52.480 --> 1:19:52.810
Here.

1:19:52.810 --> 1:19:53.680
You don't have a static.

1:19:59.040 --> 1:20:02.460
And know first it has to find out what traffic goes through this interface.

1:20:03.360 --> 1:20:03.510
Right.

1:20:03.860 --> 1:20:04.550
This is checked.

1:20:04.550 --> 1:20:06.070
If you remember, source is checked.

1:20:06.080 --> 1:20:09.980
When you reach the crypto interface, then the source will be checked here.

1:20:10.010 --> 1:20:12.410
First, you have to make sure what traffic is going through the tunnel.

1:20:13.190 --> 1:20:16.270
Once it goes through the tunnel, it will automatically be encrypted.

1:20:16.280 --> 1:20:19.820
All you need to make sure is that traffic, is it going through the tunnel or not?

1:20:22.780 --> 1:20:23.410
Do you understand?

1:20:24.580 --> 1:20:26.320
If you're going through the tunnel or not.

1:20:26.320 --> 1:20:28.060
The same thing is from this end.

1:20:28.090 --> 1:20:29.320
Are you going through?

1:20:29.530 --> 1:20:30.740
You have a tunnel here.

1:20:30.760 --> 1:20:32.980
How do you make sure your traffic is going through the tunnel?

1:20:35.810 --> 1:20:36.080
Really?

1:20:36.860 --> 1:20:40.940
How do you know if your traffic is going through the tunnel from the routing table?

1:20:41.900 --> 1:20:44.530
The routing table tells you what traffic is going through the tunnel.

1:20:44.540 --> 1:20:45.020
Right.

1:20:45.500 --> 1:20:46.670
Check your routing table.

1:20:47.210 --> 1:20:50.620
It'll show you that if you want to go to 10.5 is going through this tunnel.

1:20:50.630 --> 1:20:51.290
Tunnel three.

1:20:51.320 --> 1:20:53.540
If you're going to 10.4, you're going through which tunnel?

1:20:54.020 --> 1:20:55.090
Tunnel two.

1:20:55.130 --> 1:20:58.610
The problem is when you return it, when the traffic is coming returned.

1:20:59.920 --> 1:21:02.230
How do you know which side is it going through?

1:21:04.090 --> 1:21:05.890
You need to know which traffic is going through the tunnel.

1:21:06.100 --> 1:21:07.510
For that you would require what?

1:21:07.930 --> 1:21:08.770
A static route.

1:21:10.730 --> 1:21:13.340
For that, you would require a static route from here.

1:21:13.340 --> 1:21:14.450
I installed a static route.

1:21:14.450 --> 1:21:14.800
All right.

1:21:14.810 --> 1:21:17.480
From here, I don't have a reverse route injection procedure.

1:21:19.460 --> 1:21:20.180
I don't have what it was.

1:21:21.260 --> 1:21:22.420
This side doesn't have.

1:21:22.430 --> 1:21:26.540
So that's why when you're using virtual access here, you only use it in client mode.

1:21:26.930 --> 1:21:27.380
Why?

1:21:27.380 --> 1:21:27.950
In client mode?

1:21:27.950 --> 1:21:29.360
Because then you'll run routing.

1:21:30.740 --> 1:21:35.420
When you have routing running, you will have next hops when whichever network you run from here,

1:21:35.420 --> 1:21:36.500
you will have next hops.

1:21:36.530 --> 1:21:38.120
Next hops will be through the tunnel.

1:21:39.200 --> 1:21:39.800
Estatico.

1:21:40.500 --> 1:21:40.880
No, no.

1:21:41.370 --> 1:21:43.390
Be between the two tunnel interfaces.

1:21:43.440 --> 1:21:44.640
I just ran it, right.

1:21:46.310 --> 1:21:46.800
Unnumbered.

1:21:46.890 --> 1:21:48.240
Unnumbered Run.

1:21:49.130 --> 1:21:52.490
Share these networks will share his network Will share his network.

1:21:53.650 --> 1:21:53.730
Yeah.

1:21:53.800 --> 1:21:58.630
The networks for this guy to go to 10.11.11.0, next hop will be the other endpoint of the tunnel

1:21:58.780 --> 1:22:04.540
for R2 to reach ten four four for the next hop will be so it knows what traffic should go through the

1:22:04.540 --> 1:22:07.630
tunnel both ends know what traffic should go through the tunnel.

1:22:10.740 --> 1:22:11.080
Right.

1:22:11.670 --> 1:22:12.190
Right now.

1:22:12.210 --> 1:22:14.520
R2, R4 doesn't know what to send to the.

1:22:19.260 --> 1:22:25.830
Either we can use virtual template or if we use virtual template, sorry, if we use the virtual template

1:22:25.830 --> 1:22:28.230
here and we use routing, we can use that.

1:22:28.230 --> 1:22:32.010
Or you could use network extension which will give you the same thing.

1:22:32.950 --> 1:22:35.650
Right, so if I also go to R4.

1:22:42.830 --> 1:22:44.750
There is no there is no three modes of there.

1:22:44.750 --> 1:22:46.040
And here the modes are the same.

1:22:46.040 --> 1:22:47.540
They work exactly the same way.

1:22:47.690 --> 1:22:53.230
The difference because he asked the question about what is the difference between crypto maps and why

1:22:53.240 --> 1:22:54.940
would we require VTIs?

1:22:54.950 --> 1:23:00.110
I said that with VTIs you have a possibility tomorrow if you need to send traffic.

1:23:00.140 --> 1:23:04.310
What traffic multicast traffic through this tunnel in crypto maps.

1:23:04.310 --> 1:23:06.410
It was not possible with here.

1:23:06.410 --> 1:23:12.740
What you could do is you could run a VTI from both ends and send multicast traffic.

1:23:13.510 --> 1:23:15.160
So normally you wouldn't use it.

1:23:15.340 --> 1:23:16.720
Normally you wouldn't use it.

1:23:16.720 --> 1:23:21.010
But if you need to tomorrow, send multicast traffic for any purpose through a tunnel.

1:23:21.130 --> 1:23:23.150
You can only use it with VTIs.

1:23:23.230 --> 1:23:24.580
Not with crypto maps.

1:23:24.580 --> 1:23:26.000
It's impossible with crypto maps.

1:23:27.500 --> 1:23:27.700
Right.

1:23:27.710 --> 1:23:29.870
The modes are still the same mode.

1:23:29.870 --> 1:23:34.520
Client. You don't really have to stress the VTI on R4 much.

1:23:35.030 --> 1:23:38.750
You don't have to stress it much because most of the times you would not use it.

1:23:40.340 --> 1:23:46.730
Most of the times you'll use your normal crypto ipsec client ezvpn and not the interface you would

1:23:46.730 --> 1:23:47.270
mostly use.

1:23:47.270 --> 1:23:47.570
What?

1:23:48.380 --> 1:23:53.360
We'll just connect up using a client mode, network extension mode or network plus mode.

1:23:53.360 --> 1:23:56.960
And as I said before, Network Plus does have problems with enhanced.

1:23:59.510 --> 1:23:59.750
Right.

1:23:59.750 --> 1:24:03.200
So what I would do here is I would go to our code.

1:24:04.690 --> 1:24:09.610
Interface, crypto ipsec client ezvpn.

1:24:10.700 --> 1:24:10.890
Right.

1:24:11.210 --> 1:24:13.700
I will say no virtual interface then.

1:24:13.940 --> 1:24:15.590
Now this is network extension mode.

1:24:15.890 --> 1:24:19.670
We'll go up. Since connect auto is enabled, we'll come back up again.

1:24:19.700 --> 1:24:20.450
Now you'll see.

1:24:20.450 --> 1:24:21.770
I should be able to go to.

1:24:30.110 --> 1:24:30.860
Don't have a loopback.

1:24:36.920 --> 1:24:40.340
10.4 can only go because I don't have an address.

1:24:40.340 --> 1:24:44.060
Also, you see, right now no address has been pushed down to.

1:24:47.550 --> 1:24:48.840
Just like that.

1:24:48.840 --> 1:24:49.700
Same same.

1:24:49.710 --> 1:24:54.600
It's just that from R2 the management is easier now because R2 will manage you.

1:24:54.600 --> 1:24:55.320
Using what?

1:24:57.230 --> 1:24:58.430
Different virtual accesses.

1:24:59.880 --> 1:25:00.970
From the water campus.

1:25:06.090 --> 1:25:07.530
This part As in what?

1:25:10.230 --> 1:25:12.420
Virtual access command from virtual templates.

1:25:12.450 --> 1:25:13.530
Virtual access is nothing.

1:25:13.530 --> 1:25:14.330
These are SVTIs.

1:25:14.400 --> 1:25:18.870
Think of it as SVTI, as static virtual tunnel interfaces.

1:25:18.900 --> 1:25:19.920
Same as before.

1:25:19.950 --> 1:25:22.380
You have a tunnel source and tunnel destination.

1:25:22.380 --> 1:25:25.320
Here the tunnel destination is solved by whoever comes up.

1:25:27.780 --> 1:25:28.040
Right.

1:25:28.050 --> 1:25:29.340
Think of it as Tunnel zero.

1:25:29.340 --> 1:25:31.700
Tunnel one Tunnel two Tunnel three tunnel zero.

1:25:31.710 --> 1:25:34.200
The destination is 40.4.

1:25:34.590 --> 1:25:37.590
Tunnel two, the destination is 50.5.

1:25:38.490 --> 1:25:40.320
Everything else between the tunnels is the same.

1:25:40.320 --> 1:25:41.430
The source is the same.

1:25:42.210 --> 1:25:43.560
The protection is the same.

1:25:44.770 --> 1:25:46.390
Right source.

1:25:46.720 --> 1:25:50.940
The only difference is they are both IP unnumbered, so no IP address is given from this side.

1:25:50.950 --> 1:25:53.530
The only reason is so that I can communicate to the other side.

1:25:54.930 --> 1:25:57.120
One thing that I need to go to the other side is what?

1:25:57.120 --> 1:25:58.680
A static route which I have.

1:26:01.660 --> 1:26:02.530
I explained it earlier.

1:26:02.530 --> 1:26:02.830
Right.

1:26:03.040 --> 1:26:05.360
If you remember from earlier, I said static routes.

1:26:05.380 --> 1:26:06.730
Why do I need a static route?

1:26:06.850 --> 1:26:10.630
Because now I can communicate to the same tunnel, different IP addresses.

1:26:10.930 --> 1:26:12.430
So this side doesn't need an IP.

1:26:12.730 --> 1:26:16.810
I can communicate to the other ends if they are on different subnets.

1:26:16.840 --> 1:26:19.390
What's possible with work with this?

1:26:20.600 --> 1:26:24.860
Also another thing that we need to do remember the extended authentication.

1:26:26.290 --> 1:26:27.310
How did I do it here?

1:26:27.550 --> 1:26:31.240
AAA authentication login.

1:26:31.570 --> 1:26:33.160
I said whatever I can call this.

1:26:33.400 --> 1:26:37.210
Also, the name doesn't really have to match yesterday.

1:26:37.210 --> 1:26:37.480
Yeah.

1:26:37.510 --> 1:26:39.760
Username password.

1:26:39.880 --> 1:26:40.600
Cisco.

1:26:40.960 --> 1:26:42.100
Where do I call this?

1:26:42.100 --> 1:26:44.140
Yesterday I called it where? Crypto map.

1:26:44.530 --> 1:26:45.760
Where do I call it today?

1:26:47.050 --> 1:26:49.510
Crypto isakmp profile.

1:26:50.170 --> 1:26:55.660
I cross and I'll say client same client authentication list.

1:26:55.690 --> 1:26:56.680
Just like yesterday.

1:26:56.680 --> 1:26:58.720
I said crypto client authentication list today.

1:26:58.720 --> 1:27:00.310
Also client authentication list.

1:27:00.490 --> 1:27:01.450
I'll clear it.

1:27:01.690 --> 1:27:03.070
Clear crypto isakmp.

1:27:03.610 --> 1:27:03.970
Sorry.

1:27:03.970 --> 1:27:04.300
Clear.

1:27:04.300 --> 1:27:07.000
Crypto IPsec Client.

1:27:08.360 --> 1:27:08.810
There you go.

1:27:10.110 --> 1:27:11.370
So now you get what?

1:27:16.780 --> 1:27:18.850
Username Cisco Password.

1:27:23.670 --> 1:27:23.820
Is.

1:27:25.380 --> 1:27:27.330
This username and password is saved on the server.

1:27:28.590 --> 1:27:31.490
The client on this network extension.

1:27:33.140 --> 1:27:34.370
The client is the client.

1:27:35.030 --> 1:27:35.480
The client.

1:27:36.290 --> 1:27:37.040
Another thing.

1:27:37.040 --> 1:27:38.080
Let's do the split tunnel.

1:27:38.090 --> 1:27:38.480
ACL.

1:27:39.200 --> 1:27:40.660
Access list 101.

1:27:40.670 --> 1:27:44.030
Permit traffic from 10.11.11.0.

1:27:45.490 --> 1:27:46.330
Going anywhere.

1:27:49.850 --> 1:27:50.510
Going anywhere.

1:27:50.810 --> 1:27:51.860
Where do I call it?

1:27:52.250 --> 1:27:55.970
Crypto isakmp client configuration.

1:27:57.090 --> 1:28:00.230
SEALs as a seals.

1:28:03.640 --> 1:28:05.920
So right now, if I check, I've not cleared the tunnel.

1:28:06.130 --> 1:28:12.310
So crypto ipsec client ezvpn, right now it just shows you what is normal stuff, what is inside and outside.

1:28:12.340 --> 1:28:15.210
Now what I'll do is I'll clear crypto IPsec client.

1:28:17.290 --> 1:28:21.070
It will connect back up again because I'm not using Crypt Connect manually.

1:28:21.460 --> 1:28:22.990
So put in your IP.

1:28:23.080 --> 1:28:24.970
Put in your username and password.

1:28:28.700 --> 1:28:29.420
And.

1:28:34.760 --> 1:28:36.640
I think I made a mistake connecting up.

1:28:36.660 --> 1:28:38.040
I used a different password.

1:28:47.710 --> 1:28:48.240
Policy map.

1:28:48.250 --> 1:28:48.940
Inform what?

1:28:50.460 --> 1:28:52.020
So I'll do this.

1:29:10.570 --> 1:29:11.290
They use.

1:29:11.290 --> 1:29:12.430
I think my ACL is wrong.

1:29:14.560 --> 1:29:14.890
Yep.

1:29:17.340 --> 1:29:17.930
Access list.

1:29:18.180 --> 1:29:19.970
I'm still with firewall permit.

1:29:19.980 --> 1:29:21.540
IP 1011.

1:29:33.070 --> 1:29:34.210
You see, the one on one is applied.

1:29:34.210 --> 1:29:35.200
So clear it again.

1:29:38.060 --> 1:29:38.960
I should be fine.

1:29:45.620 --> 1:29:46.160
Cisco.

1:29:50.370 --> 1:29:50.700
What's up?

1:29:51.940 --> 1:29:54.040
So crypto ipsec client ezvpn.

1:29:57.480 --> 1:30:01.710
Now only traffic going to 10.0 network from 205 network.

1:30:03.080 --> 1:30:03.830
We go through.

1:30:03.860 --> 1:30:06.350
So 10.11.11.1.

1:30:06.380 --> 1:30:09.380
We go through with the source of loopback.

1:30:11.040 --> 1:30:11.450
Zero.

1:30:11.940 --> 1:30:13.550
I can go to point six.

1:30:13.560 --> 1:30:14.310
Anything else?

1:30:14.310 --> 1:30:15.060
If I go?

1:30:17.730 --> 1:30:19.110
Doesn't matter the source now.

1:30:20.400 --> 1:30:22.560
If I go anywhere else, I will not go through.

1:30:23.580 --> 1:30:25.320
Also, another thing I want to test.

1:30:27.650 --> 1:30:32.050
IP set client is an easy I think this might make a difference for.

1:30:35.710 --> 1:30:36.250
We cleared it.

1:30:37.780 --> 1:30:41.890
I think when you use split tunnel, it gives you the interesting traffic on the client side also.

1:30:47.450 --> 1:30:48.560
So I peered out.

1:30:53.200 --> 1:30:55.090
Anything going for 150?

1:30:55.120 --> 1:30:55.330
Yeah.

1:30:57.210 --> 1:30:57.690
With split.

1:31:00.490 --> 1:31:04.270
If you want to use virtual interface on the client, what will you use?

1:31:04.360 --> 1:31:08.560
Split tunneling because then the split tunnel comes down.

1:31:09.190 --> 1:31:10.630
It gives you the ACL off.

1:31:10.660 --> 1:31:13.300
If you want to go to 10.0 network, go from.

1:31:14.660 --> 1:31:15.510
Virtual access two.

1:31:15.530 --> 1:31:17.060
So now I should be able to go to.

1:31:24.830 --> 1:31:25.070
Right.

1:31:26.200 --> 1:31:26.730
With split.

1:31:28.550 --> 1:31:34.940
Because all that you require with virtual remember, all that you require with virtual template is to

1:31:34.940 --> 1:31:38.570
tell the routing table where and how to go to the others.

1:31:40.160 --> 1:31:40.750
Now we are telling.

1:31:42.670 --> 1:31:47.440
So again, if you want to use virtual access on the client, it will work properly when you're doing

1:31:47.440 --> 1:31:52.990
work split because Split Tunnel will guide and give out an ACL and tell the other guy what traffic to

1:31:52.990 --> 1:31:54.250
send through that tunnel.

1:31:56.460 --> 1:31:56.700
Right.

1:31:56.700 --> 1:31:59.460
So I think it should not have a problem with.

1:32:01.530 --> 1:32:02.310
Our client also.

1:32:09.420 --> 1:32:10.350
Waiting to connect.

1:32:12.620 --> 1:32:13.030
Cisco.

1:32:16.900 --> 1:32:17.170
Up.

1:32:18.050 --> 1:32:18.590
Wipe it out.

1:32:20.360 --> 1:32:28.730
Yeah, they shouldn't be a problem paying ten, ten 111 1111 111 with a source of ten for.

1:32:30.070 --> 1:32:35.170
Can reach because you have a route in virtual templates, all you need is a route.

1:32:35.980 --> 1:32:37.150
If you have a route, you're fine.

1:32:37.180 --> 1:32:40.240
You need to know which traffic is going through the tunnel if you know that.

1:32:41.400 --> 1:32:41.540
Good.

1:32:45.760 --> 1:32:47.100
I was, what, different from yesterday?

1:32:47.110 --> 1:32:49.740
Yesterday, it was not done based on routing table.

1:32:51.320 --> 1:32:53.830
Yesterday, your traffic would hit the interface.

1:32:53.840 --> 1:32:58.640
Then you would go to the IPsec check, what is the source, what is the destination?

1:32:58.640 --> 1:32:59.910
And so on and so forth.

1:32:59.930 --> 1:33:04.070
Here it's done purely based on a tunnel which you already have.

1:33:04.430 --> 1:33:05.570
So you can check the tunnel.

1:33:06.140 --> 1:33:07.040
So Interface Tunnel.

1:33:08.950 --> 1:33:09.700
Can I remove the.

1:33:10.810 --> 1:33:13.330
From the plane, just remove it from the interface.

1:33:13.330 --> 1:33:16.480
Crypto IPsec client is no.

1:33:17.210 --> 1:33:17.550
Virtual.

1:33:18.620 --> 1:33:19.700
You put it in the client.

1:33:22.730 --> 1:33:24.980
IPsec client is an easy mode.

1:33:29.720 --> 1:33:30.920
Of the server, right?

1:33:30.950 --> 1:33:31.190
Sure.

1:33:31.820 --> 1:33:32.660
Let's do this first.

1:33:34.380 --> 1:33:39.240
Cisco routing table of the server to show IP route.

1:33:41.690 --> 1:33:42.040
I mean.

1:33:46.050 --> 1:33:46.770
We didn't have it.

1:33:47.890 --> 1:33:48.550
We didn't have.

1:33:48.730 --> 1:33:50.800
We had it using the reverse route command.

1:33:53.000 --> 1:33:57.700
Whatever address was pushed down, the reverse route was installed and we'll be having this on the client

1:33:57.700 --> 1:33:57.850
side.

1:33:57.970 --> 1:34:00.730
But yesterday when we had this, we didn't have it through a tunnel.

1:34:01.900 --> 1:34:03.250
He headed to the public address.

1:34:03.400 --> 1:34:06.910
So when it hits the interface, then crypto map converts it.

1:34:07.980 --> 1:34:08.220
Here.

1:34:08.220 --> 1:34:10.610
We don't need the crypto map at the interface to convert it.

1:34:11.980 --> 1:34:14.200
This is much better in processor power.

1:34:16.940 --> 1:34:19.220
Have this address is at 10,000 on the client.

1:34:19.400 --> 1:34:26.110
And when I put it in network extension and get the remote subnets and the loopback will show up here.

1:34:26.120 --> 1:34:26.420
Right?

1:34:26.570 --> 1:34:29.570
The loopback address 10.4.4 will show up here.

1:34:31.170 --> 1:34:33.390
Android 4.4 with the virtual.

1:34:33.660 --> 1:34:38.370
Through virtual access two. The difference between yesterday and today was this was not virtual access

1:34:38.370 --> 1:34:39.780
two, this was the public address.

1:34:40.290 --> 1:34:40.830
That's it.

1:34:42.460 --> 1:34:44.100
Everything's now here.

1:34:44.100 --> 1:34:49.830
It's just more granular because now, you know, now you can have a good look at your virtual access three

1:34:49.830 --> 1:34:51.240
and you can see what your source is.

1:34:51.240 --> 1:34:53.910
Destination is you can change parameters here.

1:34:54.540 --> 1:35:00.690
You know, you can add FIFO strategies, queuing strategies, queues you could do on this tunnel.

1:35:02.830 --> 1:35:03.040
I think.

1:35:04.680 --> 1:35:06.480
Plus the control that you have over the tunnel now.

1:35:08.430 --> 1:35:11.070
You want to change your queuing strategy?

1:35:11.870 --> 1:35:13.280
You want to change your bandwidth?

1:35:14.090 --> 1:35:15.050
I can do that here.

1:35:15.050 --> 1:35:15.800
You can do that.

1:35:16.070 --> 1:35:16.520
Crypto maps.

1:35:16.520 --> 1:35:17.570
You don't have that control.

1:35:18.870 --> 1:35:20.820
Grew up because you don't know.

1:35:20.820 --> 1:35:23.670
You only have everything is going through the IPsec here.

1:35:23.670 --> 1:35:28.110
It's going through an IPsec, XVI, Xvii, where you can make changes.

1:35:29.550 --> 1:35:33.900
You can change the bandwidth, you can change the MTU, you can increase decrease the MTU with crypto

1:35:33.900 --> 1:35:34.140
maps.

1:35:34.140 --> 1:35:34.950
You can do that.

1:35:37.690 --> 1:35:43.060
Client on the client side, if you want the same amount of control on the client, the same amount of

1:35:43.060 --> 1:35:46.270
control from the client side, for usually you wouldn't do that.

1:35:46.300 --> 1:35:51.370
Now, if you wanted to run routing between the server and the client, for example, or any multicast,

1:35:51.400 --> 1:35:53.320
maybe you're joining a multicast stream.

1:35:53.650 --> 1:35:55.990
You wanted to join a stream, How do you join it?

1:35:56.020 --> 1:35:58.450
You wouldn't be able to do it with crypto maps Router.

1:36:00.120 --> 1:36:04.680
And here also, you wouldn't be able to do it if you don't use virtual tunnel interface on the

1:36:04.680 --> 1:36:05.280
client side.

1:36:05.280 --> 1:36:08.770
So you have to go to the client, use the both sides are using VTI.

1:36:08.850 --> 1:36:13.440
Then you can send multicast, you can have a control shows all those things can be done.

1:36:16.500 --> 1:36:17.370
For the client.

1:36:17.370 --> 1:36:23.490
When you have VTI, you need a route to know what is the other side because it's unnumbered, right?

1:36:23.490 --> 1:36:24.780
Also on the client side.

1:36:24.990 --> 1:36:26.790
The IP address is unnumbered.

1:36:28.150 --> 1:36:30.610
So if it's unnumbered, it's not in the routing table.

1:36:32.230 --> 1:36:33.860
The tunnel is not in the routing.

1:36:34.820 --> 1:36:35.330
Yes.

1:36:35.330 --> 1:36:36.820
How did it work with crypto maps?

1:36:36.980 --> 1:36:38.900
In crypto maps, you have something like this.

1:36:38.900 --> 1:36:39.620
You don't have to.

1:36:41.320 --> 1:36:42.010
Crypto maps.

1:36:42.010 --> 1:36:42.970
You go to the interface.

1:36:42.970 --> 1:36:44.020
Crypto map does it for you.

1:36:45.870 --> 1:36:46.250
Have the map.

1:36:46.260 --> 1:36:48.450
All you need to do is that traffic should hit the interface.

1:36:48.450 --> 1:36:49.410
So it's source based.

1:36:49.410 --> 1:36:52.380
So based on the source, it'll change it here.

1:36:52.380 --> 1:36:56.520
It's not like if you use VTI, it's not source based and destination based anymore.

1:36:56.520 --> 1:36:58.800
Anything that is going through the tunnel will be encrypted.

1:36:59.220 --> 1:37:01.320
So if I use a VPN on the client.

1:37:01.930 --> 1:37:02.730
I have a stack of them.

1:37:03.070 --> 1:37:03.480
Yes.

1:37:04.310 --> 1:37:05.810
Should have a static route to the other end.

1:37:06.350 --> 1:37:10.730
Basically saying that the static route should go through the tunnel in the routing table.

1:37:10.730 --> 1:37:11.570
It should be resolved.

1:37:12.170 --> 1:37:13.700
Is it clear for everybody else?

1:37:15.810 --> 1:37:18.830
What we have done is pretty simple, pretty same as yesterday.

1:37:18.840 --> 1:37:21.150
It's just that we have explained some topics again.

1:37:21.150 --> 1:37:25.260
So, you know, it's pretty self explanatory, everything.

1:37:25.260 --> 1:37:26.250
Just a quick recap.

1:37:26.250 --> 1:37:28.530
Everything that we did was the same until now.

1:37:28.680 --> 1:37:35.040
The only difference was we used a virtual template and we used a crypto isakmp profile because we don't

1:37:35.040 --> 1:37:36.360
have a crypto map to use.

1:37:38.380 --> 1:37:45.250
Virtual templates so that we can clone out different tunnels out of it and ISAKMP profile, so we can

1:37:45.250 --> 1:37:49.940
push down addresses, we can xauth and we can do other features.

1:37:49.960 --> 1:37:54.700
Combine all of them together from the client side, you could either use the same client which you used

1:37:54.700 --> 1:38:00.160
before, or you could also use a virtual tunnel virtual interface where you have a separate interface

1:38:00.910 --> 1:38:02.110
even from the client side.

1:38:02.110 --> 1:38:06.970
So if you wanted granular control on both ends, you could use it, but most of the times you would

1:38:06.970 --> 1:38:07.540
not.

1:38:07.870 --> 1:38:08.260
Why?

1:38:08.290 --> 1:38:11.980
Because most of the time you would be requiring using Cisco VPN client.

1:38:13.640 --> 1:38:18.950
Cisco VPN easy VPN client, the software to connect up that wouldn't require.

1:38:19.610 --> 1:38:24.830
Obviously on the other side, it will connect up now the same way we connected with the first first

1:38:24.830 --> 1:38:28.160
day, the same way we connected yesterday also we did that.

1:38:28.190 --> 1:38:36.560
You can do that here also, instead of using a router here, just connect it up to a Windows XP machine.

1:38:37.010 --> 1:38:38.270
Use the VPN client.

1:38:38.270 --> 1:38:43.940
It will connect just like your normal client mode does without the VPN that will also connect.

1:38:43.940 --> 1:38:46.490
But always remember use MD5, not SHA.

1:38:48.050 --> 1:38:48.270
Right.

1:38:48.440 --> 1:38:49.400
That finishes your.
