WEBVTT

00:00.290 --> 00:02.810
So the next thing that we are going to do is what?

00:05.570 --> 00:10.940
I want to make sure that R3 and R4 communicate to each other through R1.

00:12.140 --> 00:13.190
Based on what?

00:13.220 --> 00:15.440
Purely based on access lists.

00:15.920 --> 00:17.120
Purely based on access lists.

00:18.710 --> 00:19.970
Okay, let's do that.

00:20.000 --> 00:22.730
R3 and R1 right now.

00:22.730 --> 00:27.560
Now it's all based on your access list, which will tell you what traffic should go through the tunnel.

00:27.770 --> 00:36.230
Right now, if you go to R3 and you do your show crypto ipsec, you'll see that traffic from 10.3

00:36.230 --> 00:44.640
to 10.1 is going through the tunnel because my access list 101 is saying traffic going from 10.3 to

00:44.640 --> 00:46.430
10.1 should go through the traffic.

00:47.240 --> 00:57.750
What I'll do is to that access list, I'll add another keyword which says traffic from 3.3. 0 to 10

00:57.750 --> 01:03.300
.1.1.4.4.0

01:08.550 --> 01:09.090
permit.

01:11.040 --> 01:15.540
So traffic coming from 10.3 going to 10.4 should also go through where?

01:22.420 --> 01:27.910
10.3 to 10.4 will also go through the same tunnel from 23.3 to 12 dot.

01:29.770 --> 01:30.250
Correct.

01:30.550 --> 01:32.140
Let me send the traffic from here.

01:34.350 --> 01:35.600
10.4.4.4.

01:36.770 --> 01:37.730
The source of 10.3.

01:43.550 --> 01:44.000
Yeah.

01:53.400 --> 01:56.880
I'll send some packets which will obviously not go through.

01:57.540 --> 01:58.830
Will they be encapsulated?

01:58.830 --> 01:59.730
That is the question.

02:00.720 --> 02:01.550
What should I see?

02:01.560 --> 02:02.250
Encapsulation.

02:02.250 --> 02:03.120
Decapsulation.

02:03.960 --> 02:04.890
Encapsulation.

02:04.890 --> 02:08.670
So IPsec SA section.

02:18.430 --> 02:19.090
10.3 to.

02:19.090 --> 02:20.080
10.4.

02:27.880 --> 02:31.050
He's sending errors?

02:31.840 --> 02:32.910
Let's check.

02:32.920 --> 02:34.540
Why is it sending errors?

02:37.610 --> 02:40.830
Sending errors because when the negotiation took place.

02:40.850 --> 02:42.470
Remember, the other side should be what?

02:43.910 --> 02:45.810
A mirror image of this side.

02:45.830 --> 02:48.050
The ACL on the other side should be.

02:48.170 --> 02:50.990
Do I have an ACL on the other side which will decrypt this packet?

02:53.090 --> 02:55.520
I don't have anything on the other side which will decrypt this packet.

02:56.130 --> 02:59.060
So what I also have to do is go to R1.

02:59.210 --> 03:00.590
Show access list.

03:02.230 --> 03:10.060
Now, this one will be for 10.3, so I will change with one 101 permit IP coming from ten dot.

03:13.640 --> 03:14.570
Going to ten dot.

03:20.200 --> 03:21.100
What did I do?

03:21.850 --> 03:23.910
I went to R3.

03:23.920 --> 03:25.090
I said, okay.

03:25.240 --> 03:26.410
Add to this.

03:26.980 --> 03:32.980
Going from 10.3 to 10.4 should also go through the tunnel.

03:33.190 --> 03:40.090
And here I said, okay, traffic going from 10.4 to should go through this tunnel.

03:41.290 --> 03:41.560
Correct.

03:41.560 --> 03:47.590
Because the reply for here will come here and then he'll want to go content not for the reply will come

03:47.590 --> 03:50.200
here and then he will want to go to the other side.

03:50.410 --> 03:52.060
What else do I require from this end?

03:53.560 --> 04:03.340
Another ACL on R1, but that will be for this tunnel which says traffic going from 10.3.3.3.

04:03.460 --> 04:07.150
Going to ten dot should go through this tunnel.

04:09.960 --> 04:10.410
Right.

04:10.410 --> 04:16.770
And from here, I should say from 10.4 to should go through.

04:19.140 --> 04:19.500
Right.

04:19.680 --> 04:20.440
Let's do that.

04:20.460 --> 04:22.860
So here I do not change.

04:22.860 --> 04:25.440
Now I added on to one list.

04:26.280 --> 04:28.140
I added on to this access list.

04:30.030 --> 04:32.130
I also need to add on to the second access list.

04:32.250 --> 04:34.410
102 is the second tunnel.

04:34.680 --> 04:35.700
In the second tunnel.

04:35.700 --> 04:38.310
What traffic will go from 10.3 to 10.4.

04:38.880 --> 04:44.730
So access list permit IP from ten dot going to ten dot

04:47.430 --> 04:48.750
show access list.

04:51.120 --> 04:51.330
Good.

04:52.290 --> 04:53.970
Good enough on R3.

04:56.730 --> 04:57.110
Good enough.

04:57.200 --> 05:00.650
And then also I need to do finally for.

05:01.070 --> 05:03.290
Show access list.

05:03.650 --> 05:07.430
See, he is getting he got it from before where it was not encrypted.

05:07.430 --> 05:12.590
So here I'll say access list 101 permit IP going from 10.4.4.0.

05:13.370 --> 05:16.580
Going to 10.3.3.0.

05:20.310 --> 05:22.620
I also need to clear all my apps access list.

05:23.430 --> 05:25.590
Sorry, your tunnels show clear crypto.

05:26.250 --> 05:33.900
You can also clear the session, which will clear everything, or SA. SA will clear the security association.

05:35.620 --> 05:38.130
So SA, which is your IPsec SA, will be cleared.

05:38.340 --> 05:45.750
Also do it here: clear crypto is the first tunnel, clear crypto either session or SA, and R3 finally

05:45.990 --> 05:49.260
clear crypto sessions clear crypto.

05:51.060 --> 05:56.250
Then from here I'll send a packet to 4.4.4 with the source of 3.3.

06:00.040 --> 06:08.230
Go through the packet goes through from here back to show crypto IPsec sa section.

06:11.180 --> 06:12.650
Encapsulation and decapsulation.

06:12.650 --> 06:13.220
So now.

06:16.440 --> 06:20.550
Clear crypto counters.

06:28.320 --> 06:28.830
10 in 10.

06:29.430 --> 06:30.810
But if I wanted to send.

06:34.120 --> 06:34.780
10.1.

06:34.780 --> 06:35.590
That will also work.

06:45.210 --> 06:48.480
If I don't take the source, it will not hit the interesting traffic.

06:48.480 --> 06:50.070
If it doesn't hit the interesting traffic.

06:51.330 --> 06:51.960
Yes.

06:51.960 --> 06:52.860
Straight to the Internet.

06:54.270 --> 06:57.510
You go straight to the Internet with the outside interface, the public IP.

06:57.880 --> 07:00.960
I mention this for outgoing interface.

07:01.740 --> 07:04.530
You wouldn't really do that because that is your public address.

07:05.130 --> 07:07.110
You don't want to go from public to private.

07:07.650 --> 07:08.770
You want to go private.

07:08.790 --> 07:09.420
Why?

07:09.450 --> 07:14.790
Because this actually, when I'm doing from loopback to loopback, this will not be a loopback this

07:14.790 --> 07:20.160
will be a network here with PCs connected just like yesterday I showed you routers behind right router

07:20.160 --> 07:22.110
to router communication was taking place.

07:23.130 --> 07:28.680
Those are PCs behind you want traffic to be encrypted from this PC to the PC which is right here.

07:28.890 --> 07:31.460
You want these PCs to track not loopbacks.

07:33.950 --> 07:39.360
Okay, so the PC to PC communication is possible across the map.

07:39.380 --> 07:43.430
Right now R1 is talking to R3, but through where? There are two tunnels,

07:46.400 --> 07:48.890
there's this tunnel and there's.

07:49.560 --> 07:49.940
System.

07:50.910 --> 07:53.790
But between R1 and R3, you'll see there's two data transfer.

07:56.650 --> 07:57.490
Two data types.

07:57.670 --> 08:01.060
One is from ten dot 3 to 10 dot one.

08:01.450 --> 08:03.370
The other is from 10.3 to.

08:06.300 --> 08:06.510
Right.

08:06.540 --> 08:16.290
If you go to R3 and you do your show crypto isakmp sa, there is only one, but your IPsec, there are two

08:16.290 --> 08:23.730
IPsec SAs, one for traffic going from 10.3 to 10.1, the other one going from 10.3 to 10.4.

08:26.180 --> 08:27.530
Based on the access list.

08:29.210 --> 08:34.280
So if you have as many entries in the access list as many IPsec tunnels will be created.

08:34.430 --> 08:37.340
But since they're all using the same material.

08:39.230 --> 08:40.160
Same material.

08:40.160 --> 08:40.520
Right.

08:40.550 --> 08:45.320
So your ISAKMP will only be one, which will be there for 24 hours.

08:45.320 --> 08:46.040
24 hours.

08:46.040 --> 08:50.270
It will give you a new tunnel on which one?

08:52.220 --> 08:52.730
Two data.

08:53.510 --> 08:54.260
Two data times?

08:54.470 --> 08:55.040
Yes.

08:57.320 --> 09:02.390
Why not use the original tunnel? It is to differentiate between the two traffics.

09:02.880 --> 09:05.040
See, right now there are two types of traffics that are coming in.

09:05.060 --> 09:08.900
You have decided to access existing tunnel, but you're not creating another.

09:09.530 --> 09:12.090
We are not creating another tunnel.

09:12.200 --> 09:13.970
See your actual traffic.

09:14.000 --> 09:19.700
This traffic traffic is defined by which ACL 10.3 to 10.1.

09:19.970 --> 09:25.220
If you wanted only one traffic, one tunnel, you could have just used one ACL, which says 10.0.0.

09:25.220 --> 09:26.990
0 to 10.0.0.0.

09:27.770 --> 09:28.640
There will be only one tunnel.

09:28.910 --> 09:37.190
But if you have two ACLs, two separate lines of ACLs that will create two separate data tunnels which

09:37.190 --> 09:42.680
will obviously use the same parameters, but he will send it through different data tunnels which will

09:42.680 --> 09:43.940
have the same endpoints.

09:44.510 --> 09:47.510
If you check right now, the endpoints of both of the tunnels will be the same.

09:50.410 --> 09:52.810
This is from 23.3 to 12.1.

09:52.930 --> 09:56.140
And this is also 23.3 to 12.3.

09:56.620 --> 09:58.240
The endpoint will be the same.

09:58.570 --> 10:03.250
Everything will be the same except for it'll be shown as two different because they want to show you

10:03.250 --> 10:08.200
encapsulation for this traffic is separate, encapsulation for this traffic is separate, so you can

10:08.200 --> 10:11.440
differentiate between the two at your end.

10:14.700 --> 10:17.730
At R3, is that right?

10:18.360 --> 10:20.340
So as many as as many data tunnels.

10:20.340 --> 10:23.610
You have IPsec tunnels.

10:24.750 --> 10:25.980
It's the actual tunnels.

10:26.340 --> 10:30.330
Who is The traffic goes where this is happening.

10:32.610 --> 10:33.540
It was all good.

10:33.840 --> 10:39.720
I mean, when you have something like this, site-to-site communication is more than enough.

10:40.800 --> 10:41.460
It's fine.

10:41.760 --> 10:43.740
But it has certain problems.

10:44.430 --> 10:46.830
It has certain limitations.

10:46.860 --> 10:48.260
What are those limitations?

10:48.270 --> 10:54.090
For example, R1, R3 and R1, I have right now three sites, so it's okay.

10:54.120 --> 10:59.760
What if tomorrow I have 50 sites? For R3 to manage 50 sites, he needs 50 what?

11:00.150 --> 11:05.640
50 ACLs. He needs 50 ACLs to manage 50 sites.

11:06.180 --> 11:06.630
Right.

11:06.630 --> 11:11.910
Plus, if you add another sites to the 50 sites, you add another one site, you have to add one command

11:11.910 --> 11:17.530
of ACL to all the 50 sites, at least one even more than that.

11:19.390 --> 11:19.810
Right.

11:19.990 --> 11:22.030
So you have to create separate tunnels for all of that.

11:22.030 --> 11:26.200
It is good for lower number of sites, but scalability is not there.

11:27.280 --> 11:32.230
Plus, another limitation is, remember I told you ISAKMP is only triggered when you have interesting

11:32.260 --> 11:32.920
traffic.

11:33.520 --> 11:37.270
Say, for example, your tunnel is up but 24 hours pass.

11:37.270 --> 11:39.160
After 24 hours, the tunnel goes down.

11:41.290 --> 11:44.170
After 24 hours, the tunnel goes down.

11:44.170 --> 11:48.010
If you use a crypto map like this, the tunnel will stay down.

11:48.010 --> 11:54.280
It will not come up unless you have interesting traffic, which is really not an issue because when

11:54.280 --> 11:56.890
you send interesting traffic, it will automatically come up.

11:56.890 --> 12:00.850
So if you're sending if you're using a protocol or anything, the moment you send something, 1 or 2

12:00.850 --> 12:03.640
packets will go drop and it will go through and the tunnel will be set up.

12:03.640 --> 12:09.700
But still, if there is a requirement that you want the tunnel to be up all the time, if you want the

12:09.700 --> 12:14.470
tunnel to be up all the time, you would require a mechanism of keepalives or something like that.

12:16.120 --> 12:17.550
That's the second limitation.

12:17.560 --> 12:21.430
Third limitation is an IPsec tunnel.

12:21.430 --> 12:27.190
Does not this crypto map using crypto maps, it does not support multicast and broadcast through.

12:28.570 --> 12:29.980
There is a reason for that.

12:29.980 --> 12:35.200
Say, for example, I want you to run routing between 10.1 and 10.3.

12:36.190 --> 12:37.720
I would run a routing protocol here.

12:37.750 --> 12:39.750
How does your routing traffic look like?

12:39.760 --> 12:42.070
Source will be 10.1.1.0.

12:42.460 --> 12:47.080
Destination whatever zero wherever here destination will be 224 dot.

12:48.190 --> 12:52.120
Even if this was allowed through the ACL, you say ACL this should go through the tunnel.

12:52.150 --> 12:54.520
The other side multicast traffic looks like.

12:54.520 --> 12:56.530
What source?

12:58.190 --> 12:58.940
Destination.

13:02.310 --> 13:03.720
You'll have to put that in the ACL.

13:03.990 --> 13:06.060
Are these two a mirror image of each other?

13:07.800 --> 13:09.480
They're not a mirror image of each other.

13:12.780 --> 13:14.780
It's loading the Provence.

13:15.650 --> 13:16.760
Routing does not work.

13:18.080 --> 13:19.010
Thing does not work.

13:20.060 --> 13:22.040
Doesn't work through an IPsec tunnel.

13:22.190 --> 13:24.080
If you're using crypto maps.

13:25.070 --> 13:25.540
Right.

13:25.550 --> 13:31.400
So why do we do crypto maps is to get the concept of how the nine packet exchange works and how to set

13:31.400 --> 13:37.940
up a site-to-site routing from where to where doesn't work: private to private.

13:40.350 --> 13:46.470
I know that you cannot run dynamic routing through the tunnel and you're sending traffic through the

13:46.470 --> 13:46.700
tunnel.

13:46.710 --> 13:50.340
You can only send traffic, which is meant in the ACL, right.

13:50.940 --> 13:53.920
How does it decide which traffic goes through c R1?

13:54.000 --> 13:56.370
How does it decide which traffic goes through the tunnel?

13:56.820 --> 13:58.650
What is the main criteria for it?

14:00.000 --> 14:02.970
Interesting traffic which is defined by ACL.

14:03.090 --> 14:05.430
Now you want routing traffic to go through.

14:07.860 --> 14:10.110
Now you want routing traffic to go through.

14:10.350 --> 14:11.540
How will that happen?

14:11.550 --> 14:12.480
How will that work?

14:13.260 --> 14:14.820
What will you use?

14:17.930 --> 14:23.290
How what will you use when we yesterday.

14:23.900 --> 14:24.310
Static.

14:25.400 --> 14:26.570
I did what with the static.

14:27.060 --> 14:30.960
I mean, the whole routing was done by the default route.

14:31.220 --> 14:32.480
That is the public.

14:33.230 --> 14:34.550
You're talking about the public routing.

14:35.390 --> 14:36.740
Public routing will be there.

14:37.960 --> 14:42.560
I want routing between 10.1 networks and 10.3 networks, and that was possible.

14:44.060 --> 14:45.860
So what will you create?

14:45.860 --> 14:46.260
The neighbors.

14:46.280 --> 14:48.050
Can you run on the Internet?

14:51.050 --> 14:51.250
But.

14:55.730 --> 14:56.200
I didn't.

14:56.210 --> 14:56.990
I didn't use the edge.

14:59.300 --> 15:01.750
He used it as a normal, not the Internet concept.

15:02.060 --> 15:02.840
It's a normal browser.

15:03.710 --> 15:05.570
It will work as a normal router.

15:05.570 --> 15:10.040
But again, that will give you connectivity maximum from R1 to R3.

15:10.430 --> 15:13.970
You can you can share if you want to, if you can share 10.1.

15:13.970 --> 15:16.880
But then Internet will also have 10.1, which is not allowed.

15:18.020 --> 15:22.880
If you share routing between 1 and 2, one and two cannot become neighbors because then internet will

15:22.880 --> 15:24.590
get 10.1, which is not allowed.

15:26.600 --> 15:30.110
Even if you run BGP, 10.1 is not allowed to be advertised in your BGP.

15:30.200 --> 15:35.560
So R1 you don't want R1 and R3 to become neighbors using the public address lab.

15:35.570 --> 15:36.590
You can do anything.

15:36.890 --> 15:37.550
Lab.

15:37.550 --> 15:38.690
I don't even need the tunnel.

15:39.320 --> 15:42.230
I can just have a static route from R1 to R3 will work.

15:43.020 --> 15:43.220
Right.

15:43.220 --> 15:44.690
But our job is not lab.

15:44.690 --> 15:49.370
Right now we are going for a real life perspective scenario where this is the internet and you want

15:49.370 --> 15:52.550
our 10.1 and 10.3 to be shared dynamically through a protocol.

15:53.540 --> 15:58.560
For that you will have to tell R1 what traffic should be interesting to be sent through the tunnel.

15:59.010 --> 16:05.040
And the interesting traffic in the case of routing protocols is what? 224.0.0.10, 224.0.0.9 and stuff

16:05.040 --> 16:09.720
like that, which is not practically possible with the ACL because they cannot be a mirror image.

16:09.720 --> 16:12.180
For it to be a mirror image, it should look like this.

16:12.390 --> 16:17.790
10.1.1.1 going to 224.0.0., let's say, 10.

16:17.790 --> 16:22.980
And on the other side the mirror image should be 224.0.0.10 going to.

16:24.660 --> 16:29.130
Is it possible, is it possible for the source to ever be a multicast address?

16:30.150 --> 16:31.650
Multicast is always destination.

16:32.160 --> 16:33.840
The source will never be a multicast.

16:35.550 --> 16:35.930
Okay.

16:35.940 --> 16:43.350
So that kind of problem, these three problems in your crypto maps caused the need increase, the need

16:43.350 --> 16:48.030
for tunnels which were already there being used.

16:48.060 --> 16:53.610
The only problem with tunnels were they were open, they were cleartext.

16:53.640 --> 16:59.040
So if you send, for example, a telnet through and you follow the TCP stream, you should see the password

16:59.040 --> 17:00.870
and all of those things would be available to you.

17:02.730 --> 17:04.020
So what did we do?

17:04.050 --> 17:09.210
We tried to protect the tunnel with IPsec.

17:10.260 --> 17:11.700
It's called over IPsec

17:14.400 --> 17:15.060
Over IPsec.

17:15.060 --> 17:20.970
So you have running on top of that, you will run IPsec to protect your tunnel, which will support

17:20.970 --> 17:23.940
your routing, which will support your keepalives.

17:25.410 --> 17:28.440
You can do your keepalives, you can do your routing. Keepalives, why?

17:28.470 --> 17:34.620
Because let's say you keep keepalives for 10s every 10s it will send a keepalive packet that will do

17:34.660 --> 17:35.250
least of all.

17:35.250 --> 17:38.340
What you will do is it will make sure that the tunnel never goes down.

17:39.390 --> 17:44.130
When your system goes down after 24 hours, the keepalive will come back, trigger it back up again.

17:45.840 --> 17:47.100
So your tunnel will never stay down.

17:50.360 --> 17:50.660
Okay.

17:52.970 --> 17:55.700
Gary, what do you mean by unidirectional?

17:58.940 --> 18:01.630
We are not defining if we are not defining.

18:01.850 --> 18:03.500
Even not even.

18:03.500 --> 18:03.650
Not.

18:03.650 --> 18:07.250
But usually why we use GRE is we use EIGRP or something over it.

18:08.240 --> 18:10.600
And they will go through.

18:10.610 --> 18:12.400
Yes, they will bring it back up again.

18:12.410 --> 18:16.550
That is the whole point of using every five seconds it goes right.

18:16.970 --> 18:19.940
The packets will go, so I'll bring it back up again.

18:20.750 --> 18:26.270
You can tune that if you don't want a lot of traffic to go through EIGRP, you can tune that to 40s.

18:26.300 --> 18:28.040
It doesn't affect the neighbor relationship.

18:28.580 --> 18:28.820
Hello

18:28.820 --> 18:34.040
timers don't affect the neighbor relationship, so you can increase that to a higher value and you can

18:34.040 --> 18:38.390
make sure as per your company's norms, how do you want the tunnel to be up and how do you want it to

18:38.390 --> 18:39.500
go down and stuff like that?

18:41.300 --> 18:48.560
Okay, that is what GRE over IPsec, that we will do tomorrow, right?

18:49.220 --> 18:51.600
Plus we'll also do NATting and the MTU.

18:52.830 --> 18:56.490
We'll see how MTU affects your tunnel.

18:57.180 --> 18:58.860
How does it make it go down?

18:59.730 --> 19:05.330
Okay, now we won't have an actual switch which does double tagging or even tagging in that case, right?

19:05.340 --> 19:07.470
Sometimes MPLS also adds labels.

19:07.500 --> 19:15.600
You have MPLS running in the service provider, and we do IKEv2, which is also in your syllabus as the

19:15.600 --> 19:17.640
new one that they're using right now.

19:17.640 --> 19:24.470
And FlexVPN is out there also, which is new, which has taken over all the VPNs out there, right?

19:24.480 --> 19:28.710
But in your syllabus you don't have the complete FlexVPN, you only have some part of it.

19:28.800 --> 19:30.720
But I have a video if you want.

19:30.810 --> 19:35.610
I have a video for the FlexVPN also, for all the three: hub and spoke, spoke-to-spoke and server

19:35.610 --> 19:36.180
client.

19:36.210 --> 19:36.780
All three.

19:36.780 --> 19:39.510
I have a video separately which I just created for the sake of the video.

19:40.440 --> 19:43.950
It's not there for your syllabus, but it's I've done it as a video.

19:45.390 --> 19:47.520
Okay, that'd be all for today.

19:47.520 --> 19:49.960
I think this.
