WEBVTT

00:01.290 --> 00:03.360
This is hub to spoke and then spoke to spoke.

00:04.930 --> 00:06.160
First a hub and spoke.

00:06.160 --> 00:07.780
Then the spokes will talk directly.

00:09.010 --> 00:09.490
Okay.

00:11.370 --> 00:12.450
My topology.

00:12.750 --> 00:15.210
Same internet.

00:15.660 --> 00:16.230
R2.

00:22.570 --> 00:23.260
R1.

00:25.560 --> 00:25.860
Three.

00:27.240 --> 00:35.430
And our what we have done until now is created static tunnels with this guy.

00:36.270 --> 00:37.450
SVTIs with this guy.

00:37.470 --> 00:38.850
We'll do the same right now.

00:40.290 --> 00:44.630
We create the same tunnels with this guy as well as this guy from here and here.

00:44.640 --> 00:50.370
But we'll do it in a way so that when the spokes have to talk to each other, they create.

00:57.810 --> 01:01.270
I create a DVTI, I change.

01:05.480 --> 01:06.200
The creator.

01:07.770 --> 01:08.240
DVTI.

01:10.080 --> 01:11.760
If I have another spoke here.

01:14.710 --> 01:19.540
Create a DVTI and even between these.

01:22.350 --> 01:23.970
So different DVTIs.

01:26.560 --> 01:29.600
This will be one between R3 and R5.

01:29.620 --> 01:31.990
One between these two and between these two.

01:33.840 --> 01:37.270
Virtual tunnels between different different vehicles.

01:39.700 --> 01:44.830
Okay, this point here, is it going to be a DVTI or an SVTI?

01:46.440 --> 01:53.720
This point, this will be a DVTI because one guy is not the only one who will create a tunnel with him.

01:53.740 --> 01:54.790
Many different will.

01:55.720 --> 01:58.240
So the same like we did right now, a DVTI.

01:59.200 --> 02:02.980
But the one different thing here is now this.

02:03.040 --> 02:04.330
I'm going to have a different color tunnel.

02:04.600 --> 02:06.160
These are static tunnels.

02:08.630 --> 02:14.090
Right from down street from up duties, but I'll have to make all of them part of.

02:19.150 --> 02:21.910
Same group, which is done by network command.

02:24.250 --> 02:28.720
Why, if they are not part of the same group, they will not be able to share information of nature

02:29.470 --> 02:33.100
that is important in this hub and spoke topology.

02:33.490 --> 02:39.040
The other thing is NHRP is not supported on pure IPsec.

02:39.190 --> 02:42.790
This is going to be a kind of a setup.

02:44.260 --> 02:45.760
So I will never do tunnel mode.

02:45.790 --> 02:47.050
IPsec IPv4.

02:47.650 --> 02:50.830
I will always be doing an Mgr, which is a default mode.

02:55.590 --> 02:59.490
Tunnel protection will definitely be there with the tunnel protection.

03:02.260 --> 03:02.800
Okay.

03:05.260 --> 03:06.700
GRE is not Cisco proprietary?

03:06.730 --> 03:07.660
GRE is open.

03:08.900 --> 03:09.410
IPsec.

03:09.470 --> 03:11.510
Cisco IPsec Profile.

03:11.510 --> 03:12.320
The one which we create.

03:12.320 --> 03:13.040
Crypto IPsec.

03:13.070 --> 03:13.820
That is Cisco.

03:14.240 --> 03:15.920
It's also a part of everything else.

03:15.920 --> 03:18.920
But this this thing that we're doing is Cisco.

03:21.580 --> 03:24.970
Is Cisco's IPsec is a suite is not Cisco's.

03:25.480 --> 03:27.070
The implementation is Cisco's.

03:30.320 --> 03:31.850
With Gary Moore is open.

03:31.850 --> 03:32.390
Yes.

03:32.420 --> 03:34.340
Gary Moore as a whole is an open strategy.

03:36.610 --> 03:40.450
Okay, then let's do this.

03:41.050 --> 03:41.890
Clear this all.

03:42.100 --> 03:45.490
Close this and don't need this now.

03:48.420 --> 03:50.730
We'll do some policies before the break and some after.

03:52.230 --> 03:53.610
First things first.

03:53.610 --> 03:57.990
I need to push down my pool in MVP and we don't do it.

03:57.990 --> 03:59.250
But here I'm going to do it.

03:59.280 --> 03:59.670
Why?

03:59.700 --> 04:03.210
Because I need to have similarities between the MVP and an server hub.

04:03.240 --> 04:06.870
Server Hub and server client and hub.

04:06.870 --> 04:07.590
And spoke.

04:08.160 --> 04:14.850
So the similarities will be that both will be providing the pool, but at that time you need a username

04:14.910 --> 04:15.710
and password.

04:15.720 --> 04:19.800
Here, you don't need one here, you just need a tunnel from that side to here.

04:21.160 --> 04:22.690
Okay, let's do this.

04:23.170 --> 04:24.550
First things first.

04:26.040 --> 04:29.640
Authorize the network.

04:31.770 --> 04:37.740
To use the parameters for policies locally.

04:41.570 --> 04:50.060
aaa new-model, aaa authorization network.

04:50.510 --> 04:54.260
I can use money, but I said for this for an app to work, it has to be.

04:57.150 --> 04:57.740
The following.

04:59.900 --> 05:00.410
Okay.

05:01.420 --> 05:02.020
To.

05:07.680 --> 05:11.640
Configure the default crypto.

05:13.700 --> 05:14.900
IKEv2 policy.

05:16.390 --> 05:17.500
So that.

05:18.620 --> 05:22.520
It sends pushes down.

05:26.670 --> 05:29.400
A pool of addresses.

05:34.970 --> 05:35.990
And also.

05:40.050 --> 05:46.110
Install a static route to the local.

05:49.460 --> 05:50.270
On the remote.

05:52.490 --> 05:52.850
Playing.

05:57.870 --> 05:59.010
For this.

06:00.280 --> 06:00.880
Step.

06:02.510 --> 06:03.650
I make this Step three.

06:04.970 --> 06:10.370
Step two will be create a local pool.

06:11.180 --> 06:12.320
That will be.

06:13.860 --> 06:16.110
Send it down to the.

06:20.330 --> 06:20.820
That's.

06:23.770 --> 06:25.090
Local pool.

06:26.650 --> 06:30.670
Flex pool ten.

06:37.470 --> 06:38.850
What is the crypto policy?

06:38.850 --> 06:41.460
Crypto IKEv2.

06:41.940 --> 06:43.440
No crypto authorization.

06:45.580 --> 06:46.090
Policy.

06:49.010 --> 06:50.550
IP through authorization process.

06:53.370 --> 06:54.470
Authorization policy.

06:56.360 --> 06:57.290
Call it anything.

06:57.980 --> 07:04.010
I call the outside interface and pull.

07:07.880 --> 07:13.850
The only difference between this and the last one that we did was this one will push down a pool.

07:15.050 --> 07:17.000
He will also push down the static route.

07:17.960 --> 07:25.820
Plus, he will push down that pool one by one, first 11, ten, then 11, then 12, then 13.

07:27.940 --> 07:29.770
Okay, let's copy this.

07:33.770 --> 07:36.560
Paste it here on R1.

07:42.750 --> 07:42.970
Done.

07:43.830 --> 07:45.720
Everything is okay for now until now.

07:46.380 --> 07:47.550
What is the other thing?

07:48.060 --> 07:51.270
The other thing, you know, from the back of your head.

07:54.730 --> 07:55.360
What is it?

08:00.360 --> 08:03.800
Proposal Encryption.

08:05.100 --> 08:05.730
3DES.

08:06.630 --> 08:07.680
Integrity.

08:08.640 --> 08:13.020
MD5 and group two.

08:13.230 --> 08:13.980
Then.

08:16.320 --> 08:20.130
Speak up for proposal.

08:20.430 --> 08:22.410
Proposal is prop.

08:26.560 --> 08:28.260
Crypto IKEv2.

08:29.200 --> 08:32.460
KeyRing here is any.

08:35.450 --> 08:37.410
Address one nine.

08:43.120 --> 08:44.100
0.0.0.

08:44.100 --> 08:44.740
This is the hub.

08:45.670 --> 08:46.240
The hub?

08:46.240 --> 08:48.550
Anyone can come in, right?

08:54.890 --> 08:55.550
Pre-shared key.

08:58.390 --> 09:00.700
Then follows the second part.

09:02.900 --> 09:05.960
Crypto IKEv2 profile.

09:06.920 --> 09:07.490
Mycroft.

09:09.690 --> 09:11.670
Match Identity.

09:12.600 --> 09:14.790
Remote Address.

09:15.240 --> 09:16.200
0000.

09:17.910 --> 09:19.230
Authentication Local.

09:24.680 --> 09:31.610
Authentication remote pre-shared then key ring local.

09:31.790 --> 09:33.830
I always forget that.

09:35.600 --> 09:37.250
Then virtual template.

09:37.370 --> 09:37.820
Why?

09:37.850 --> 09:38.900
Virtual template.

09:40.910 --> 09:43.250
This is a DVTI. DVTI on this side.

09:43.580 --> 09:44.150
Right.

09:44.240 --> 09:51.500
And finally, a authorization group.

09:53.920 --> 09:55.690
Group I'm using.

09:56.860 --> 10:02.230
List is default, which is pointing to the local and the username is.

10:02.380 --> 10:04.980
Default which is pointing to the policy server.

10:08.320 --> 10:09.570
That is a mistake.

10:09.580 --> 10:13.900
If I did that, I should create the policy with the name of.

10:15.840 --> 10:16.890
A good thing.

10:18.220 --> 10:19.050
Should be default.

10:21.620 --> 10:22.070
Okay.

10:22.340 --> 10:23.210
It should be default.

10:25.040 --> 10:25.420
Done.

10:25.610 --> 10:27.800
This is the same thing I did before.

10:28.010 --> 10:34.550
The only thing I did was choose a default here and push a pool down.

10:36.180 --> 10:38.040
Pool down to the users who are going to come up.

10:39.390 --> 10:39.990
Okay.

10:41.020 --> 10:41.380
Done.

10:42.970 --> 10:44.050
What is the next step?

10:45.070 --> 10:52.270
This was for five D IPsec specified.

10:54.820 --> 11:01.600
The IPsec parameters to be used for.

11:03.020 --> 11:03.740
Child.

11:08.690 --> 11:08.840
If.

11:08.930 --> 11:09.170
Set.

11:10.160 --> 11:10.850
Transform.

11:10.850 --> 11:11.330
Set.

11:12.220 --> 11:12.670
Please sit.

11:14.020 --> 11:16.060
PSP three.

11:16.640 --> 11:18.770
PSP and V5.

11:22.240 --> 11:27.250
Create the IPsec profile.

11:29.070 --> 11:35.480
The IPsec profile, which calls the transform set.

11:38.120 --> 11:48.290
And high profile that points to the local group.

11:52.240 --> 11:53.110
Artist authorization.

11:55.450 --> 11:55.900
Okay.

11:56.500 --> 11:57.490
What is the command?

11:58.720 --> 11:59.230
Crypto.

12:00.990 --> 12:06.000
IPsec transform-set, no, sorry, not transform.

12:06.270 --> 12:07.350
IPsec profile.

12:08.130 --> 12:08.540
I.

12:08.730 --> 12:09.300
Prof.

12:11.400 --> 12:11.910
Set.

12:13.590 --> 12:14.100
Transform.

12:14.100 --> 12:15.360
Set t.

12:15.530 --> 12:16.230
Set.

12:16.480 --> 12:17.060
Set.

12:17.080 --> 12:18.510
I v2.

12:19.390 --> 12:22.420
Profile like.

12:25.830 --> 12:26.640
Good until now.

12:27.870 --> 12:28.560
Is it the name?

12:28.560 --> 12:29.100
Yes, I.

12:29.130 --> 12:29.550
Prof.

12:29.830 --> 12:30.090
I.

12:30.120 --> 12:30.540
Prof.

12:31.050 --> 12:32.280
Let's copy this.

12:33.000 --> 12:34.110
From the proposal.

12:35.570 --> 12:36.320
And paste it.

12:37.620 --> 12:39.300
Nothing new that I'm doing.

12:39.930 --> 12:41.400
You have done this before.

12:41.710 --> 12:42.830
There's nothing new.

12:42.840 --> 12:45.470
That is the best thing about Flex.

12:45.480 --> 12:46.740
That is the beauty of it.

12:48.000 --> 12:53.400
The only one thing I added was that pool, everything else is the same.

12:53.400 --> 12:54.570
So if you know one, you know.

12:54.570 --> 12:57.090
All right.

12:57.750 --> 13:00.360
One thing I need to do right now, the last thing is.

13:02.950 --> 13:06.160
Create the virtual template.

13:09.290 --> 13:15.860
Which will give out the pool as well as.

13:17.680 --> 13:20.170
Be used for.

13:21.360 --> 13:22.440
Hub to spoke.

13:25.420 --> 13:25.780
Communication.

13:28.350 --> 13:29.490
What was the virtual template number?

13:29.490 --> 13:37.530
I used ten interface virtual template.

13:37.950 --> 13:39.480
Then do not forget the

13:43.080 --> 13:44.310
I did not create the loopback.

13:44.310 --> 13:45.450
I need to create it.

13:49.410 --> 13:50.340
Is the same concept.

13:50.370 --> 13:50.730
Why?

13:52.540 --> 13:52.820
Right.

13:53.230 --> 13:54.850
The same concept the last time.

13:55.240 --> 14:00.400
Back and call it IP numbered loopback 11.

14:01.990 --> 14:03.010
Tunnel source.

14:05.570 --> 14:08.960
12.1 Tunnel Protection.

14:10.490 --> 14:11.360
IPsec IP.

14:12.340 --> 14:13.180
High profile.

14:14.260 --> 14:17.040
High cross.

14:17.380 --> 14:18.490
No tunnel mode.

14:19.240 --> 14:19.540
Why?

14:19.570 --> 14:25.660
Because I'll be using network ID ten and.

14:30.460 --> 14:31.750
No, not in this one.

14:32.260 --> 14:34.480
He chose chooses a different by itself.

14:34.570 --> 14:37.480
You don't need to do in this case.

14:38.160 --> 14:38.630
Okay.

14:38.640 --> 14:47.610
This. Why do I need this? For the spoke-to-spoke communication, so he'll tell the spoke, "Hey, listen, go direct."

14:49.750 --> 14:52.180
Okay, Let's see if this works.

14:54.720 --> 14:55.110
Yeah.

14:56.960 --> 14:58.130
Am I missing something?

14:58.490 --> 14:59.240
Which one?

15:03.530 --> 15:05.680
I in to the profile?

15:06.830 --> 15:07.180
Let's see.

15:07.210 --> 15:08.950
I'm calling the profile here.

15:09.940 --> 15:13.360
That is done in crypto maps set to profile.

15:13.390 --> 15:15.940
Here we do it inside the this profile.

15:16.360 --> 15:19.480
This calls to check here like we do profile.

15:23.300 --> 15:24.440
So they should.

15:25.640 --> 15:26.030
Work.

15:30.790 --> 15:31.300
Okay.

15:32.410 --> 15:33.460
It's up.

15:36.340 --> 15:36.790
It's up.

15:39.140 --> 15:41.480
So my server side is done forever.

15:44.030 --> 15:46.090
This is all I had to do on the server side.

15:46.100 --> 15:47.690
Everything is done on the server side.

15:49.220 --> 15:49.730
Okay.

15:49.730 --> 15:53.330
I just need to go to the client side to do the other stuff.

15:55.330 --> 15:56.890
I'll run routing protocol also.

16:07.260 --> 16:08.040
From the client.

16:08.040 --> 16:08.880
I'll just run.

16:10.350 --> 16:11.160
Spoke to, spoke to.

16:12.180 --> 16:13.830
Spoke to Hub Tunnel right now.

16:14.100 --> 16:14.460
Spoke to.

16:14.460 --> 16:14.700
Spoke.

16:14.700 --> 16:15.840
We'll do after the break.

16:18.080 --> 16:20.210
The policies that I need on the client.

16:21.620 --> 16:22.460
Let's check those out.

16:26.480 --> 16:29.120
Or we can call it spoke.

16:31.770 --> 16:32.310
Let's go.

16:33.370 --> 16:34.420
Do I need this?

16:35.460 --> 16:36.940
Yes, I will use it.

16:36.970 --> 16:37.480
Why?

16:37.630 --> 16:41.860
To set my route set interface command so that he gets a static route to me.

16:41.890 --> 16:42.370
Not.

16:42.370 --> 16:43.390
Not for the pool.

16:44.110 --> 16:45.970
I do not require the pool.

16:45.970 --> 16:46.870
So no pool.

16:47.200 --> 16:47.830
I need this.

16:47.830 --> 16:49.630
But only until here.

16:53.810 --> 16:55.310
Only until here.

16:56.570 --> 16:57.400
Then.

16:57.410 --> 16:58.160
Proposal.

16:58.160 --> 16:58.850
Yes.

16:58.880 --> 16:59.570
Policy.

16:59.570 --> 17:00.200
Yes.

17:00.230 --> 17:01.070
KeyRing.

17:01.100 --> 17:02.060
Yes.

17:02.300 --> 17:04.130
What about the address on the keyring?

17:10.410 --> 17:10.980
12.1.

17:14.100 --> 17:15.580
But I.

17:19.280 --> 17:21.590
We'll use a DVTI also for those.

17:21.590 --> 17:23.210
We'll use the same policies.

17:24.150 --> 17:27.700
Where you can see for every pair you'll have to do a different key.

17:27.770 --> 17:32.700
Then there'll be a little too complicated because whichever pair, whichever spoke you have, you'll

17:32.700 --> 17:36.030
have to create a separate key here as well as do it here.

17:36.930 --> 17:38.600
Match Identity Remote address.

17:38.610 --> 17:40.170
You'll have to create that many entries.

17:41.550 --> 17:44.040
So you you can do it zero zero.

17:44.070 --> 17:46.770
Whoever comes in and has the same key is fine.

17:48.150 --> 17:51.810
Whoever comes in to me with any source with this key, I'll accept it.

17:52.110 --> 17:53.250
You can do it separate.

17:53.250 --> 17:57.090
But in that case you'll have to create one for the server and one for each client.

17:57.720 --> 17:58.590
A key ring for him.

17:58.590 --> 17:59.370
A key ring for him.

17:59.370 --> 18:01.860
A key ring for him, a keyring for him on that side.

18:01.860 --> 18:05.040
Also, you'll have to create a key ring for him, a keyring for him, a keyring for him.

18:06.000 --> 18:07.080
You understand what I'm saying?

18:07.410 --> 18:12.180
Because it's spoke-to-spoke communication and for each spoke you will have a different virtual access

18:12.180 --> 18:12.600
created.

18:15.360 --> 18:15.870
Okay.

18:15.870 --> 18:16.790
So no need this.

18:16.800 --> 18:24.240
Do I need this also the same, same same same same virtual template.

18:24.240 --> 18:29.520
I guess right now I don't need one right now.

18:29.520 --> 18:30.150
I don't need one.

18:30.150 --> 18:31.830
But right now I need this.

18:33.490 --> 18:33.850
Right.

18:34.060 --> 18:35.830
And this is the same.

18:36.600 --> 18:38.220
This will be different.

18:38.400 --> 18:39.840
So until here, it's the same.

18:39.840 --> 18:41.700
Except for one thing, which I'll change.

18:42.380 --> 18:43.070
From here.

18:47.650 --> 18:51.820
The only one thing is I don't need a virtual template right now because I'll create the straight one

18:51.820 --> 18:52.510
going up.

18:53.410 --> 18:58.870
And this is the same because the default one says push that interface down.

18:59.230 --> 19:00.610
My parameters are same.

19:00.610 --> 19:02.560
My transform set profile is the same.

19:02.710 --> 19:08.620
The seventh step will be create an A static.

19:11.380 --> 19:11.770
Tunnel.

19:13.080 --> 19:15.930
Pointing to the.

19:18.900 --> 19:20.940
Interface Tunnel zero, IP address.

19:20.940 --> 19:22.350
What is the address here going to be?

19:24.490 --> 19:27.390
He'll get it from the other side.

19:27.390 --> 19:31.230
The hub is going to provide him, but I'll have to put an IP address here.

19:36.740 --> 19:37.580
Negotiated.

19:37.940 --> 19:40.670
Negotiate the IP address from the other side.

19:42.800 --> 19:45.010
This is the only one difference I'm doing on the client.

19:45.020 --> 19:48.290
Everything else was the same, except I did not need a virtual template.

19:48.290 --> 19:52.520
I will need it later, but right now I'm just doing hub to spoke.

19:53.390 --> 19:58.430
So right now I don't need one IP address negotiated.

19:59.270 --> 20:00.190
Tunnel source.

20:03.970 --> 20:07.930
190 21. 20 3.3.

20:08.710 --> 20:09.760
Tunnel Destination.

20:15.530 --> 20:18.770
12 that tunnel protection.

20:24.260 --> 20:25.160
And.

20:26.750 --> 20:32.390
IP NHRP network ID should be the same. IP NHRP shortcut.

20:35.760 --> 20:38.100
But here with the shortcut?

20:38.130 --> 20:40.520
No, not with the shortcut.

20:40.530 --> 20:41.100
I'll have to.

20:41.250 --> 20:43.830
I'll have to tell him where to take that shortcut from.

20:46.080 --> 20:47.820
Where to take that shortcut from.

20:47.820 --> 20:48.630
I'll have to tell him.

20:48.660 --> 20:49.290
Take that shortcut

20:49.290 --> 20:52.120
from a virtual template, which I'll create on you.

20:52.140 --> 20:54.480
The name of that template is going to be ten.

20:56.900 --> 21:01.480
There's no need to unload because I'm not going to create a pure IPsec tunnel.

21:01.750 --> 21:03.220
I'm going to leave it as a default tunnel.

21:05.020 --> 21:07.420
I'm not doing mGRE also here.

21:07.420 --> 21:07.840
Why?

21:07.870 --> 21:12.670
I'm creating a straight tunnel up and I'm creating a straight tunnel up.

21:13.330 --> 21:14.440
I'm not doing mGRE.

21:14.470 --> 21:16.380
It's not a multi point tunnel on that side.

21:16.390 --> 21:19.120
It's not one interface connected to a lot of interfaces.

21:19.450 --> 21:21.220
It's separate tunnels.

21:21.280 --> 21:22.330
GRE tunnel here.

21:22.360 --> 21:23.380
GRE tunnel here.

21:26.100 --> 21:30.300
Okay, but a normal pure IPsec does not support NHRP.

21:30.810 --> 21:32.700
What supports NHRP is GRE.

21:32.940 --> 21:35.040
So that's why I have to announce.

21:35.730 --> 21:40.380
I don't I don't need a mapping on the other side because I'm doing it through this tunnel zero interface

21:41.190 --> 21:42.960
with the source and destination right here.

21:43.950 --> 21:49.290
This shortcut is basically when he gets a redirect saying, Go here.

21:49.590 --> 21:52.650
He needs to create a virtual access to go to the other side.

21:53.820 --> 21:56.160
That virtual access will be cloned from where?

22:00.000 --> 22:01.470
So take the redirect.

22:01.920 --> 22:03.210
Take the shortcut.

22:03.240 --> 22:05.550
Take the shortcut using this.

22:05.550 --> 22:09.900
So create your virtual access based on this virtual template, which I'll configure after this.

22:11.340 --> 22:14.490
So why is it not You do not require an NHS.

22:14.520 --> 22:16.650
His mappings will not be solved by here.

22:17.820 --> 22:19.830
His mappings will not be solved here.

22:20.580 --> 22:22.560
The hub will do it automatically.

22:23.860 --> 22:26.640
You'll see how, I'll explain how NHRP works in this.

22:28.460 --> 22:31.110
You do not need an NHS to solve your mappings.

22:31.130 --> 22:31.430
Why?

22:31.460 --> 22:32.850
Because it's not an mGRE.

22:35.170 --> 22:38.680
This is not an mGRE, it's a normal hub is in the middle.

22:38.680 --> 22:40.600
And then you have two people going through.

22:41.080 --> 22:46.720
You will see when you run the routing protocols on it, the hub will automatically decide how to do

22:46.720 --> 22:47.530
the mappings.

22:48.820 --> 22:49.930
He'll just send redirects.

22:49.930 --> 22:52.350
He's only capable of sending redirects.

22:52.360 --> 22:57.610
But when these people receive the redirects, where do they go through through these virtual templates

22:58.060 --> 22:59.410
which I just created.

23:01.210 --> 23:01.720
So dropping.

23:03.460 --> 23:04.010
Forgive us.

23:05.420 --> 23:06.080
We don't need to.

23:06.800 --> 23:07.700
We don't need to.

23:07.730 --> 23:08.030
Why?

23:08.060 --> 23:09.890
Because in that case, remember, it was an mGRE.

23:10.820 --> 23:12.900
So he did not know what the other side is.

23:12.920 --> 23:14.420
Here it's a point to point.

23:14.450 --> 23:16.820
All these tunnels are point to point separate tunnels.

23:18.650 --> 23:20.180
By default, it's a tunnel.

23:20.180 --> 23:21.650
I'm not changing the mode there.

23:21.650 --> 23:23.630
Remember to do, spoke to, spoke.

23:23.660 --> 23:25.520
We didn't create a separate virtual tunnel.

23:26.720 --> 23:28.190
You have a mapping done.

23:28.790 --> 23:33.920
He required the destination map, the destination address, source, source and source address, public

23:33.920 --> 23:34.340
address.

23:34.340 --> 23:37.160
And then he created the header and then he threw out here.

23:37.160 --> 23:38.210
It's not the case here.

23:38.210 --> 23:44.120
He will create a virtual interface between my side and the other side.

23:45.410 --> 23:47.510
We'll see that when we create the tunnel interface.

23:47.510 --> 23:49.670
You'll see what source and destination he uses.

23:50.630 --> 23:53.660
For right now, we'll just create this.

23:55.150 --> 23:57.560
And see does it get the address from the.

23:59.350 --> 24:00.960
At least that should happen right now.

24:04.220 --> 24:05.630
Did I do anything in here?

24:05.630 --> 24:06.740
I did not copy anything.

24:06.740 --> 24:07.220
Right?

24:08.810 --> 24:09.200
Copy?

24:09.200 --> 24:09.710
Nothing.

24:14.250 --> 24:14.850
Copy.

24:16.450 --> 24:16.990
Just checking.

24:16.990 --> 24:18.220
Everything is all right.

24:18.610 --> 24:21.520
Child This, this, this, and this.

24:22.280 --> 24:22.960
So copy.

24:24.820 --> 24:25.190
Done.

24:25.660 --> 24:25.900
I see.

24:25.900 --> 24:26.500
Camp is on.

24:26.830 --> 24:27.610
Tunnel is up.

24:34.620 --> 24:39.090
The tunnel has not got any IP address, so we need to fix that.

24:48.050 --> 24:48.740
Where's my pool?

24:49.400 --> 24:50.000
Flex pool.

24:50.360 --> 24:54.150
Using the I.

24:54.200 --> 24:57.020
I'm not supposed to use the pool I'm supposed to use.

24:59.800 --> 25:00.610
The default.

25:01.730 --> 25:08.360
So this is crypto IKEv2 authorization policy.

25:10.060 --> 25:11.280
You can check whether it's.

25:12.210 --> 25:12.840
Which one?

25:16.320 --> 25:16.510
See.

25:16.530 --> 25:20.080
It says this will modify the original IP topology he was using.

25:20.110 --> 25:22.770
I will because I did not configure it in default.

25:22.770 --> 25:24.930
You can change the last default and go like.

25:25.980 --> 25:31.680
Yeah, but I told you it will not work where it will not work when the NHRP is done.

25:31.680 --> 25:33.270
Right now he's using that.

25:34.380 --> 25:37.380
If we check right now, he should be using default because that's what I did.

25:37.380 --> 25:38.670
Remember, I changed it down here.

25:38.670 --> 25:39.240
Right here.

25:39.960 --> 25:42.570
He's using default, so default has no pool that he gives up.

25:42.990 --> 25:50.310
I need to set that pool, route set interface and pool is.

25:54.390 --> 25:56.400
Clear crypto sessions.

26:05.440 --> 26:08.530
Since this is a GRE tunnel, so I need to shut and no shut.

26:08.650 --> 26:10.180
That was IPsec.

26:10.180 --> 26:14.080
So when I do clear sessions, IPsec takes it down and brings it back up again.

26:14.110 --> 26:17.470
This is a GRE one, so it does not care about IPsec.

26:23.870 --> 26:24.490
No address.

26:24.490 --> 26:25.010
Still.

26:26.720 --> 26:27.830
Oh, we got an address.

26:30.620 --> 26:32.300
We have an address.

26:32.930 --> 26:34.880
How did this address come into play?

26:35.090 --> 26:37.400
The policy from there pushed it down to me.

26:38.000 --> 26:38.870
Show IP.

26:38.900 --> 26:40.160
Show IP route.

26:41.660 --> 26:42.590
I have a static route.

26:42.620 --> 26:43.430
Towards whom?

26:44.540 --> 26:46.100
Who set this static route?

26:46.130 --> 26:48.200
The route set interface on that side.

26:49.010 --> 26:51.350
Does that mean R1 should also have a static route?

26:51.650 --> 26:52.700
Towards whom?

26:53.510 --> 26:54.180
Towards 11.

27:00.120 --> 27:02.000
So this guy is reachable to me.

27:02.040 --> 27:02.550
Who?

27:08.730 --> 27:09.570
Is reachable too.

27:09.660 --> 27:12.960
If I run a routing protocol through, it should work.

27:13.450 --> 27:15.000
Yes, it should work.

27:15.000 --> 27:15.410
Right?

27:35.430 --> 27:37.800
Do I have a I don't have a loopback.

27:44.740 --> 27:47.590
Everyone should have a loopback.

27:47.620 --> 27:50.740
10.3. Also create another one on R1.

27:57.850 --> 27:58.630
Three should have.

28:00.580 --> 28:00.730
Huh?

28:04.590 --> 28:04.950
Thank you.

28:09.600 --> 28:10.290
Good enough.

28:13.230 --> 28:18.600
Good enough so I can go to what is the difference between the last one and this one?

28:20.100 --> 28:21.730
There's only one difference right now.

28:21.750 --> 28:23.790
Right now I've not done anything else.

28:23.790 --> 28:24.720
It's just the pool.

28:25.200 --> 28:27.690
This in the previous one for tunnel zero.

28:27.720 --> 28:29.460
I said IP address this here.

28:29.460 --> 28:32.520
I said IP address negotiated and I went to the server.

28:32.520 --> 28:33.300
I said pool.

28:33.480 --> 28:34.980
So he pushed that pool down.

28:34.980 --> 28:36.990
Until now, everything else is the same.

28:38.070 --> 28:43.320
The difference will lie with the DVTI that I'm going to create now and you'll see how simple it is going

28:43.320 --> 28:43.680
to be.

28:44.730 --> 28:50.850
The only one thing with that is the concept which I will explain to you after the DVTI is formed how

28:50.850 --> 28:52.710
the mappings take place.

28:55.390 --> 28:58.780
Okay, I have done this same thing.

28:58.780 --> 28:59.970
I'll do it on R4.

28:59.980 --> 29:01.660
I don't have to do anything.

29:01.690 --> 29:04.960
All I have to do is change the source.

29:05.290 --> 29:06.880
20 4.4.

29:07.060 --> 29:09.730
Everything else is the same.

29:14.570 --> 29:15.470
Nothing else.

29:17.110 --> 29:17.920
Go to four.

29:19.900 --> 29:20.680
And paste.

29:26.200 --> 29:27.250
12 dot two.

29:29.530 --> 29:31.410
Router EGP ten.

29:48.580 --> 29:49.750
Who's my one guy?

29:51.100 --> 29:53.110
The hub is the only neighbor I have.

29:54.910 --> 29:57.460
The hub is the only neighbor that I have.

29:57.670 --> 30:00.940
And the hub will have How many virtual accesses now?

30:05.300 --> 30:05.780
One.

30:08.250 --> 30:11.070
What have I created until now before we go on the break?

30:12.030 --> 30:15.570
Until now, what we have done is this.

30:23.660 --> 30:24.560
Until now.

30:27.220 --> 30:29.380
This is R2, the Internet.

30:30.250 --> 30:32.050
R1, The Hub.

30:35.160 --> 30:35.670
Three.

30:37.830 --> 30:37.970
Right.

30:38.100 --> 30:41.430
So I always mess R4 up.

30:49.020 --> 30:49.590
Okay.

30:49.800 --> 30:53.730
So we have what we have done is created a tunnel.

30:54.420 --> 30:55.650
DVTI here.

30:59.290 --> 31:00.610
Created that tunnel right here.

31:00.610 --> 31:02.320
One this way, one this way.

31:02.650 --> 31:03.970
This end is.

31:06.520 --> 31:07.120
12.

31:07.150 --> 31:08.170
This is.

31:11.530 --> 31:12.010
11.

31:12.460 --> 31:13.480
This side is.

31:15.520 --> 31:16.570
The site is.

31:18.010 --> 31:19.690
But it's all happening on GRE.

31:20.080 --> 31:20.470
Why?

31:20.500 --> 31:23.830
Because I'm using NHRP. Right now.

31:23.830 --> 31:24.790
There is no mappings.

31:24.790 --> 31:26.650
No one has done any mappings until now.

31:27.610 --> 31:29.470
We did not require a mapping.

31:30.040 --> 31:30.210
Why?

31:30.220 --> 31:32.140
Because these were created dynamically.

31:32.440 --> 31:36.580
He received this address from that guy, inserted the static route from this side.

31:36.580 --> 31:39.790
He inserted a static route for 1.1 from this side.

31:40.030 --> 31:41.700
This guy did the same.

31:44.550 --> 31:44.970
Right now.

31:44.970 --> 31:46.650
We did not do anything to NHRP.

31:46.920 --> 31:48.900
NHRP will be used.

31:49.650 --> 31:52.410
Now when this guy will want to go.

31:57.100 --> 31:59.320
He will basically be using this source.

32:00.070 --> 32:01.330
So this guy will require a

32:04.410 --> 32:05.470
DVTI, a DVTI.

32:06.610 --> 32:13.450
He will require a DVTI, but he will not require a tunnel source and a tunnel destination that is going

32:13.450 --> 32:19.600
to be provided by the source as well as the destination will be provided by whom?

32:21.430 --> 32:24.520
And we'll see how NHRP will provide that.

32:26.650 --> 32:29.800
Okay, let's take a break in this.

32:30.280 --> 32:31.900
Yeah, the poll is.

32:33.290 --> 32:35.210
Three and a half or three and a half, four years.

32:37.360 --> 32:41.950
Allocating the same IP address to all because it is downloaded on.

32:42.820 --> 32:47.090
This pool is downloaded to this interface of IP, he says.

32:47.110 --> 32:50.670
Interface Tunnel zero IP address negotiated for that negotiation.

32:50.680 --> 32:52.900
He asks him, Hey, give me an address.

32:53.050 --> 32:55.900
Does this policy allow him to give an address?

32:55.900 --> 32:56.680
Yes, it does.

32:56.980 --> 32:58.930
His policy says route set.

32:58.930 --> 32:59.170
Right.

32:59.170 --> 32:59.850
And the pool.

32:59.860 --> 33:03.160
So he gives them an address he uses that addresses his IP address.

33:03.160 --> 33:07.750
Was just saying the pool on that on that.

33:08.080 --> 33:09.490
Whoever asks you for the pool.

33:09.640 --> 33:11.320
So the tunnel is asking for the pool.

33:11.320 --> 33:11.980
Given the pool.

33:12.400 --> 33:13.900
This tunnel is asking for the pool.

33:13.900 --> 33:14.470
Given the pool.

33:17.110 --> 33:21.650
Which this 111 and 12 because is.

33:23.270 --> 33:25.130
See, this is the pool from the pool.

33:25.130 --> 33:25.970
One at a time.

33:26.990 --> 33:29.240
How does not pool give out IP addresses?

33:29.240 --> 33:29.900
Dynamic pool.

33:30.170 --> 33:31.580
You have a whole pool.

33:32.000 --> 33:33.530
How does DHCP give out returns?

33:34.070 --> 33:34.880
First it gives ten.

33:35.090 --> 33:36.230
Then he gives 11.

33:36.260 --> 33:37.460
Then he gives 12.

33:37.490 --> 33:38.540
Then he gives 13.

33:38.840 --> 33:39.350
Right.

33:40.790 --> 33:41.750
Which we give over here.

33:42.450 --> 33:42.860
Yeah.

33:44.910 --> 33:54.600
To download the pool to whoever asks him, give him the pool, Give him the pool address where it's

33:54.600 --> 33:55.290
specified.

33:55.290 --> 33:55.650
Here?

33:57.240 --> 33:57.660
No.

33:57.660 --> 33:58.110
Here.

33:58.620 --> 33:59.490
Check this guy.

34:01.500 --> 34:01.860
Right here.

34:04.400 --> 34:04.550
Wait.

34:04.550 --> 34:05.300
Let me remove this.

34:06.590 --> 34:12.560
This is the pool we have specified and we have said pool for authorization policy sent in.

34:12.560 --> 34:12.950
Right.

34:13.100 --> 34:22.190
And we have called this authorization policy where in high profile this profile will call where in virtual

34:22.190 --> 34:22.850
template.

34:23.570 --> 34:30.110
So whoever asks this virtual template for a pool, he will go for his eyebrow to check for his policies.

34:30.110 --> 34:33.920
I will give him transform set and this transform set is okay.

34:33.920 --> 34:36.740
Then he needs to check the height of he goes to his height.

34:36.740 --> 34:37.100
Prof.

34:37.100 --> 34:38.630
Ike Prof is right here I.

34:38.660 --> 34:44.810
Prof says authorization list is default, goes to the default list which is right here.

34:44.810 --> 34:50.480
Default list says give him a pool and take the IP out of this pool and give it to him.

34:51.290 --> 34:52.100
The pool is here.

34:52.100 --> 34:52.550
Right.

34:53.360 --> 34:55.280
I understood the pool is downloaded.

34:55.280 --> 34:57.470
Yeah, but from the same pool.

34:57.500 --> 34:59.990
He is getting the address from this pool.

35:00.110 --> 35:00.350
Yes.

35:01.550 --> 35:02.760
I don't understand your question.

35:02.760 --> 35:04.050
Where would he get it from then?

35:04.140 --> 35:04.740
Yes.

35:04.950 --> 35:08.010
Means I was thinking that the pool is downloaded.

35:08.010 --> 35:08.280
Okay.

35:08.430 --> 35:11.430
The part was for downloading the pool on one of the addresses from the pool.

35:11.430 --> 35:12.180
Not the whole pool.

35:13.080 --> 35:14.160
Oh, you mean this?

35:14.160 --> 35:16.350
You mean he is downloading the whole pool here?

35:16.500 --> 35:18.000
He's not downloading the whole pool.

35:18.360 --> 35:21.120
Pool flex means one address from the pool.

35:22.140 --> 35:24.090
It does not mean just push down the whole pool.

35:24.090 --> 35:24.300
Down.

35:24.300 --> 35:26.940
No, just give him an address from the pool.

35:28.200 --> 35:29.430
That is that one address.

35:29.430 --> 35:29.760
12.

35:29.760 --> 35:30.630
So he gives him 12.

35:30.660 --> 35:32.400
The other guy comes, he gives him 30.

35:33.750 --> 35:38.220
After this, they will be communicating to him for the pool.

35:38.820 --> 35:39.390
For who?

35:39.420 --> 35:39.810
Which guy?

35:40.770 --> 35:41.760
No, they don't need a pool.

35:41.760 --> 35:44.430
Now, see, he has an address.

35:47.040 --> 35:47.640
Where's this guy?

35:49.260 --> 35:51.040
Okay, I don't have the thing.

35:51.060 --> 35:52.650
See, R3 has the pool address.

35:52.680 --> 35:53.280
What is it?

35:53.310 --> 35:53.790
12.

35:54.310 --> 35:55.830
R4 has 13.

35:56.190 --> 35:57.090
11 and 12.

35:57.300 --> 36:01.500
When they want to communicate, they will require a source and destination.

36:01.510 --> 36:02.790
Which one do you think they'll use?

36:03.630 --> 36:05.050
They have 12 and 13.

36:05.070 --> 36:05.480
Okay.

36:06.150 --> 36:07.170
Using that only they will.

36:07.500 --> 36:08.870
Using that only they will directly.

36:08.930 --> 36:11.970
I thought that every time he will get a pool.

36:12.850 --> 36:14.130
No, no, no, not like that.

36:14.310 --> 36:15.360
He will not use a pool.

36:15.360 --> 36:17.910
Then he will use the same source, same source.

36:17.910 --> 36:24.330
And over there would have the the source will be 12 and the source will be 11 and they will communicate

36:24.330 --> 36:24.750
to each other.

36:26.010 --> 36:26.420
Okay.

36:26.430 --> 36:27.630
We'll do that after the break.

36:27.810 --> 36:28.010
Okay.

36:42.410 --> 36:42.650
To.

36:47.340 --> 36:48.700
The breakup video?

36:50.490 --> 36:51.090
I don't think so.

36:56.270 --> 36:58.970
All right, let's move forward.

36:59.660 --> 37:01.130
What am I supposed to do now?

37:01.160 --> 37:04.430
I'm supposed to create that world wheelchair interface.

37:05.120 --> 37:09.260
Virtual interface that will guide my device between the spokes.

37:09.620 --> 37:15.320
I do not need a source and destination which will be provided to me by the NHRP resolution request and

37:15.320 --> 37:15.980
reply.

37:17.060 --> 37:21.230
I only need to provide which shortcut to take in that also.

37:22.010 --> 37:22.460
Okay.

37:22.460 --> 37:23.570
So I'll go in here.

37:25.600 --> 37:27.810
I have created this tunnel which takes me up.

37:27.820 --> 37:32.320
I also need to create a virtual template.

37:32.980 --> 37:35.890
I believe I have something here which I put in.

37:35.930 --> 37:36.850
No, I did not.

37:37.240 --> 37:38.320
I did not do anything here.

37:38.320 --> 37:41.050
So I'll have to first go inside my profile.

37:43.460 --> 37:48.470
And say virtual name it ten.

37:49.070 --> 37:52.820
So interface virtual template ten type.

37:53.540 --> 38:02.720
No Source and destination Tunnel protection IPsec Profile Graph.

38:03.840 --> 38:04.760
IP NHRP.

38:06.660 --> 38:12.510
Network ID first is ten IP address.

38:14.150 --> 38:15.230
Check this out.

38:16.310 --> 38:17.150
I'll do this here.

38:17.420 --> 38:20.090
What is the IP that I'll use on this virtual interface?

38:23.230 --> 38:24.130
Where's my this?

38:29.500 --> 38:29.780
I have.

38:29.800 --> 38:30.460
Ah, three.

38:32.320 --> 38:32.770
However.

38:35.530 --> 38:41.360
Told you I always mess up the for this and are one.

38:42.920 --> 38:46.130
The address that he got from this tunnel was.

38:50.190 --> 38:50.820
11.

38:50.820 --> 38:52.560
And the one which he got was.

38:55.230 --> 38:55.740
12.

38:56.570 --> 38:56.900
Right.

38:56.900 --> 39:01.970
This is already an address that he has received.

39:03.490 --> 39:06.190
To create this virtual interface with this guy.

39:06.340 --> 39:07.210
This guy.

39:09.020 --> 39:10.580
He needs an IP address.

39:10.760 --> 39:14.330
Does it make sense to get another IP from the pool and then create the tunnel?

39:14.360 --> 39:15.450
Does not make sense.

39:15.470 --> 39:20.570
It makes sense if he uses this to do the tunnel on this side.

39:20.840 --> 39:26.570
Now I could say IP address this guy, but as you know, this is going to be a virtual access.

39:26.600 --> 39:29.300
Virtual access only works if you have IP unnumbered.

39:30.590 --> 39:33.740
So my address here, my IP unnumbered.

39:33.770 --> 39:36.710
What is it going to be exactly?

39:37.670 --> 39:41.240
It's going to be IP.

39:43.320 --> 39:46.810
Unnumbered tunnel zero.

39:47.310 --> 39:51.360
This address will be given to the tunnel using negotiated.

39:51.360 --> 39:55.380
So the address that comes here will be used for this virtual access on the other side.

39:57.030 --> 39:57.480
Right.

39:57.570 --> 40:09.120
And finally, I will also have to say that IP NHRP shortcut will be done using my same interface, virtual

40:09.840 --> 40:14.220
template, the same interface, and that's what I did here.

40:14.220 --> 40:16.710
Also, I'm telling the.

40:17.960 --> 40:22.070
Tunnel that your shortcut is going to be through the template.

40:22.070 --> 40:23.590
But I also have to guide the tunnel.

40:23.600 --> 40:24.920
Hey, listen to the shortcut.

40:25.160 --> 40:27.860
I'm guiding this tunnel to listen to the shortcut.

40:27.860 --> 40:30.800
I also have to guide this tunnel to listen to the shortcut.

40:33.790 --> 40:34.070
Right.

40:34.090 --> 40:36.100
And the interface is going to be himself.

40:38.840 --> 40:41.540
Listen to the shortcut, but use the same interface to go out.

40:43.810 --> 40:44.350
Right.

40:44.380 --> 40:44.880
Done.

40:44.890 --> 40:46.480
That is all I have to do.

40:48.260 --> 40:48.980
Which one?

40:49.010 --> 40:51.060
This the shortcut.

40:51.080 --> 40:55.130
See, he will only listen to the shortcut if he gets a redirect.

40:56.120 --> 40:59.360
I have configured this interface right here.

41:00.080 --> 41:05.990
This DVTI, to give out the redirects so the redirects will be given out from here and from here.

41:07.210 --> 41:07.680
Right.

41:07.720 --> 41:09.320
I've told him to send the shortcut.

41:09.320 --> 41:10.940
Where to this?

41:10.940 --> 41:13.850
And I've told him to send the shortcut to this.

41:14.540 --> 41:15.200
But he.

41:15.440 --> 41:16.790
It's a redirect coming here.

41:17.090 --> 41:19.340
He also has to listen to that shortcut.

41:21.080 --> 41:21.380
Right.

41:21.380 --> 41:26.450
So I have to manually tell him, Hey, the shortcut you take, but take it from the same interface which

41:26.450 --> 41:27.560
you are creating right now.

41:28.160 --> 41:30.560
I'm not guiding it to throw it out somewhere else.

41:30.560 --> 41:33.050
Telling you to take the shortcut, but take it through this interface.

41:33.050 --> 41:36.290
Which interface template ten, which is himself.

41:38.420 --> 41:38.930
Here.

41:41.150 --> 41:41.570
Right.

41:41.570 --> 41:45.020
So that redirect that he receives, he will take it and go this way.

41:46.160 --> 41:47.960
The same thing will happen on this side.

41:48.160 --> 41:48.830
We don't.

41:50.300 --> 41:56.620
Not only that, I can also include my IP NHRP shortcut will work.

41:56.620 --> 41:56.770
Why?

41:56.800 --> 41:58.390
Because it worked in the VPN.

41:58.390 --> 42:01.120
But on a virtual template you have to specify it this way.

42:01.300 --> 42:02.970
But we already specified over here.

42:03.100 --> 42:04.780
We specified it to come here.

42:05.140 --> 42:05.620
Right.

42:05.650 --> 42:06.550
We can work it.

42:06.550 --> 42:07.990
Yeah, we'll try the next time.

42:07.990 --> 42:11.350
Once we get this working, we'll remove this and we'll see if it works.

42:12.340 --> 42:17.680
Because probably what happens with IP NHRP shortcut on a virtual interface on virtual template, you have

42:17.680 --> 42:19.000
to provide which side to go out.

42:19.000 --> 42:22.000
But yeah, shortcut should work like we worked at.

42:22.030 --> 42:23.740
Where in the VPN.

42:25.930 --> 42:26.440
Okay.

42:26.480 --> 42:29.160
This is all I have to do for the VDI.

42:29.510 --> 42:34.190
Everything else will be received from the resolution requests.

42:35.000 --> 42:36.160
Okay, let's try.

42:37.150 --> 42:38.220
So copy this.

42:40.290 --> 42:42.510
Do I have the same thing on both sides?

42:44.870 --> 42:46.250
I have the same thing on both sides.

42:46.250 --> 42:51.120
Same tunnel, zero, same virtual template ten and same network ID ten.

42:52.100 --> 42:52.700
Copy.

42:53.540 --> 43:00.500
First on R3, just to make sure that I have not specified a virtual interface before.

43:00.590 --> 43:01.160
Let's check it.

43:06.370 --> 43:07.860
No virtual template, Right.

43:07.870 --> 43:08.680
So it's all right.

43:14.780 --> 43:16.220
Copied half of it, Is it?

43:23.130 --> 43:24.810
What did I do with the shortcut?

43:28.040 --> 43:30.470
Did I specify template one or template two?

43:31.100 --> 43:31.820
Template ten.

43:31.970 --> 43:32.540
That's good.

43:32.750 --> 43:33.740
So this is fine.

43:36.470 --> 43:41.900
Crypto this virtual level ten interface, virtual template ten all of this and it's all good.

43:42.290 --> 43:47.030
Right now it's down because I need to send a redirect first and I need to create the other side also

43:47.030 --> 43:47.480
the other side.

43:47.480 --> 43:51.490
He tried to create a tunnel, but he could not because I had not done it here.

43:58.100 --> 43:58.820
Also ten.

44:06.450 --> 44:07.020
Copy.

44:08.620 --> 44:09.700
And paste.

44:11.590 --> 44:14.860
Done with virtual template is done right now.

44:15.550 --> 44:16.570
Check this.

44:17.110 --> 44:22.420
My routing protocols tells me that ten dot three is true.

44:23.740 --> 44:24.790
Let me trace it out.

44:28.470 --> 44:32.040
The first packet is going in here right now and this is happening.

44:32.430 --> 44:36.720
My virtual template should be solved, which is not.

44:38.720 --> 44:39.110
Yeah.

44:39.110 --> 44:39.620
There you go.

44:40.040 --> 44:41.960
Virtual access is turned up.

44:42.450 --> 44:42.680
Yes.

44:43.780 --> 44:45.830
So my neighbor has also come up.

44:49.050 --> 44:49.260
Why?

44:49.290 --> 44:51.300
Because my virtual access is now connected.

44:51.300 --> 44:52.110
From where?

44:52.290 --> 44:57.600
Directly from 11 to 12.

44:58.350 --> 45:00.540
A big tunnel was created from spoke to spoke.

45:01.140 --> 45:02.610
If you check your IP route.

45:07.710 --> 45:09.510
This now is from where?

45:11.280 --> 45:11.790
11.

45:13.650 --> 45:15.000
It was from one before.

45:16.350 --> 45:19.730
He was from one before, but now it's from 11.

45:22.530 --> 45:22.920
Right.

45:22.920 --> 45:27.380
So this sign is showing this because of this virtual override.

45:28.010 --> 45:28.440
Override.

45:28.440 --> 45:29.910
But it's still going this way.

45:31.050 --> 45:32.220
It's still going this way.

45:32.220 --> 45:33.240
I know why this is.

45:34.080 --> 45:35.640
Mountain not routing.

45:35.640 --> 45:38.610
The NHRP is not getting resolved like it should be.

45:40.570 --> 45:42.030
No, I'll have to do one more thing.

45:42.030 --> 45:45.210
I'll show you what redirect is enabled.

45:45.240 --> 45:46.170
No, that's not the problem.

45:46.170 --> 45:47.310
I know what the problem is.

45:47.730 --> 45:49.380
I have to override my user.

45:52.400 --> 45:54.710
Ten dot four is going direct.

45:56.820 --> 45:58.220
Ten dot four is going direct, right.

45:58.520 --> 45:59.120
Why?

46:00.430 --> 46:00.660
Okay.

46:01.590 --> 46:03.180
He has ten over four.

46:03.180 --> 46:03.810
Through which guy?

46:05.700 --> 46:08.370
So spoke to spoke is working one way, but this way is not.

46:10.340 --> 46:11.640
The three is not going the right.

46:14.550 --> 46:16.280
It's a lot of work of of.

46:17.910 --> 46:19.040
The IP.

46:19.050 --> 46:20.040
Next-hop-self.

46:20.340 --> 46:23.460
IP next-hop-self, no, that you would use if you have one interface.

46:23.490 --> 46:23.940
mGRE.

46:24.810 --> 46:27.080
mGRE is one interface on one side connecting to all.

46:27.090 --> 46:31.470
Here you have different virtual templates, one going here, one going here and all the others going

46:31.500 --> 46:31.710
there.

46:34.140 --> 46:39.060
No, you can't show IP and I am actually getting some maps here.

46:40.880 --> 46:42.850
I'm actually getting some maps.

46:42.860 --> 46:44.900
10.3 is incomplete.

46:44.930 --> 46:46.550
He has not created 10.3.

46:46.580 --> 46:47.750
There is the complete one.

46:47.870 --> 46:50.120
His NBMA addresses.

46:50.270 --> 46:50.480
Okay.

46:51.080 --> 46:53.410
I need to clear up this one.

46:53.420 --> 46:54.740
No, it should work.

46:55.370 --> 47:00.260
Clear IP NHRP, clear crypto sessions.

47:00.350 --> 47:01.670
Let's create the whole sessions.

47:01.850 --> 47:04.820
Clear the whole sessions then go to my tunnel.

47:05.770 --> 47:06.620
Shut.

47:08.350 --> 47:09.190
I did go down.

47:11.760 --> 47:12.530
And no shut.

47:15.410 --> 47:16.730
Okay, It's coming up.

47:16.730 --> 47:18.890
He should create a neighbor relationship pretty soon.

47:18.890 --> 47:19.730
One is up.

47:20.210 --> 47:21.980
Show IP route.

47:22.850 --> 47:24.170
I have this guy right now.

47:24.170 --> 47:32.120
No mappings, so traceroute 10.3.3.3 source loopback zero. First should go this way.

47:32.150 --> 47:34.250
Virtual ten interface is up.

47:34.250 --> 47:36.350
You should create a neighbor very soon.

47:37.100 --> 47:40.220
The neighbor is also up and he's going direct.

47:41.950 --> 47:42.130
Okay.

47:42.140 --> 47:43.460
There was a problem with the first mapping.

47:43.460 --> 47:44.420
It was incomplete.

47:45.720 --> 47:48.360
This is an awful awful on R4.

47:49.350 --> 47:51.180
R4 R3 will be the same.

47:52.530 --> 47:53.670
R3 will be the same.

47:54.510 --> 47:55.440
It's going direct.

47:56.470 --> 47:57.160
That was the end.

47:57.700 --> 48:03.760
That was the mapping was incomplete for the first one is going spoke to Spoke with through what?

48:03.790 --> 48:05.010
Through this.

48:07.660 --> 48:10.090
Let me explain to you how this works.

48:10.960 --> 48:16.420
The thing right now, if you look at it right now, there is no NHS.

48:18.070 --> 48:19.310
You don't have any NHS.

48:19.330 --> 48:21.250
How does he resolve these mappings?

48:21.430 --> 48:22.630
That is the question.

48:23.240 --> 48:31.450
If you check his mappings, he has the mappings for what, 12, 10 or 3 and 13.

48:31.660 --> 48:33.010
How does he get these mappings?

48:33.010 --> 48:34.150
Who gives it to him?

48:36.310 --> 48:37.120
No, not the pool.

48:37.690 --> 48:38.470
Not the pool.

48:38.680 --> 48:40.420
Look at how the communication takes place.

48:40.420 --> 48:43.210
I'm going to clear this and I'm going to.

48:47.680 --> 48:50.900
Definitely save flex.

48:51.850 --> 48:54.310
This is spoke to.

48:55.800 --> 48:56.230
Spoke.

48:57.120 --> 48:57.810
Check this out.

48:58.590 --> 48:59.550
This is my server.

48:59.550 --> 49:03.360
I will not create the internet in the middle because I've been doing that a lot today.

49:03.810 --> 49:04.980
This is R1.

49:07.510 --> 49:08.170
The Internet.

49:09.020 --> 49:11.000
R3 and.

49:12.060 --> 49:12.310
For.

49:14.310 --> 49:15.210
The address here.

49:17.740 --> 49:19.530
This one.

49:19.550 --> 49:23.020
92 one 6811.

49:23.650 --> 49:25.240
The address here is.

49:27.670 --> 49:30.290
But I think when I refresh the tunnel, it was changed.

49:30.350 --> 49:30.570
Yeah.

49:30.580 --> 49:31.710
So this side is 30.

49:35.120 --> 49:36.620
The site is 30.

49:38.170 --> 49:43.870
Right when my virtual when I think this has a loopback of.

49:45.670 --> 49:46.510
And this has a loop.

49:46.510 --> 49:47.260
Back off.

49:50.050 --> 49:51.130
I think from here.

49:52.630 --> 49:53.520
I think from here.

49:53.530 --> 49:55.180
What does my packet look like?

49:57.640 --> 49:58.870
Sources.

49:59.440 --> 50:02.020
Ten, three, three, three.

50:02.050 --> 50:03.070
Destination is.

50:05.090 --> 50:06.140
4.4.4.

50:06.350 --> 50:07.880
Right now he only has one tunnel.

50:08.810 --> 50:09.440
This one.

50:11.870 --> 50:12.320
Right.

50:12.320 --> 50:13.580
That is the only one he has.

50:13.580 --> 50:15.800
So he has no option but to send it through the tunnel.

50:15.830 --> 50:19.190
That's how we saw the first ping goes to 1.1.

50:20.000 --> 50:22.820
The first time I trace route, it goes to 1.1.

50:23.750 --> 50:24.140
Right?

50:24.140 --> 50:31.370
So the whatever is going to be here is ESP and then the outside header is going to be

50:31.880 --> 50:37.280
192.168.1.172.

50:42.060 --> 50:42.780
One dot.

50:44.220 --> 50:46.530
Oh, can we undo?

50:48.300 --> 50:53.760
Controller does not work with Epic to Epic today.

50:55.050 --> 50:57.210
So again our one quickly.

50:59.850 --> 51:00.270
I do.

51:02.130 --> 51:08.100
33431.

51:08.100 --> 51:12.030
92.168 .1. 11.

51:15.410 --> 51:16.010
13.

51:16.790 --> 51:17.240
Ten.

51:17.450 --> 51:19.040
3.3.3.

51:19.820 --> 51:22.130
Ten .4.4.4.

51:22.490 --> 51:26.720
And the packet looks like this from.

51:29.040 --> 51:29.880
Going to.

51:31.920 --> 51:32.550
ESP.

51:35.390 --> 51:35.720
This.

51:37.750 --> 51:40.930
And this is the sources.

51:44.370 --> 51:45.280
Not actually this.

51:45.300 --> 51:46.200
This is not the source.

51:46.380 --> 51:49.500
The outside source is going to be.

51:53.380 --> 52:02.740
20 3.3 with the destination as 12 dot going from here to here.

52:04.300 --> 52:05.400
Why this?

52:05.410 --> 52:08.230
Because the next hop is going to be 182168.

52:08.260 --> 52:09.160
If you check.

52:11.800 --> 52:13.960
For now.

52:13.960 --> 52:14.830
He won't show you.

52:17.330 --> 52:20.990
The next hop is for one and one is one and 21681.1.

52:20.990 --> 52:23.930
So the first time this one was also 1.1.

52:24.200 --> 52:25.820
Now he changed it to 13.

52:26.690 --> 52:30.140
But when I didn't do that traceroute in the first packet this was 1.1.

52:30.620 --> 52:33.200
So he knew he was supposed to go through the virtual access.

52:33.230 --> 52:39.320
The outside header that he puts is this for the virtual access and the packet reaches whom?

52:39.560 --> 52:43.030
This guy right here.

52:43.070 --> 52:44.750
One has to make a routing decision.

52:44.750 --> 52:45.740
Based on whom?

52:46.940 --> 52:47.620
These two.

52:48.770 --> 52:53.180
When he makes the routing decision based on these two, he checks where is 10.4.

52:55.680 --> 52:56.540
Let's go to R1.

53:00.150 --> 53:04.560
He checks west and for he sees 10.4 is through 182 113.

53:04.590 --> 53:05.760
He checks the source.

53:05.790 --> 53:11.670
He sees the source is also he realizes both of them are on the same network.

53:12.420 --> 53:13.950
That is all he realizes.

53:14.100 --> 53:17.850
He realizes one is 1.11, the other is 1.13.

53:17.880 --> 53:19.410
He does forward the packet.

53:20.310 --> 53:21.600
He does forward the packet.

53:21.600 --> 53:27.090
But while he is forwarding the packet, he also forwards something else, not forwards, sends.

53:27.570 --> 53:29.220
What is that he sends?

53:30.320 --> 53:30.800
Redirect.

53:31.040 --> 53:31.460
Redirect.

53:31.460 --> 53:32.090
Message.

53:33.230 --> 53:33.980
Redirect.

53:37.820 --> 53:41.000
Redirect, saying if you want to go to 10.4.

53:43.620 --> 53:44.580
You go through.

53:45.570 --> 53:51.060
You go to 192.168.1.13.

53:51.480 --> 53:55.200
And for him you tell him you want to go to 1.3.3.3.

53:55.200 --> 53:56.010
You go through.

53:58.610 --> 54:00.210
One dot 11.

54:02.320 --> 54:06.250
He tells him that it's an NHRP redirect message.

54:06.970 --> 54:12.580
So what this message comes where, to this guy, to these guys?

54:15.580 --> 54:16.480
Right now.

54:16.480 --> 54:19.150
He needs to create what, that virtual access here.

54:20.020 --> 54:26.770
But this this resolution request now, this guy came in with this redirect message.

54:26.770 --> 54:29.080
He needs to reply with the resolution message.

54:30.370 --> 54:32.890
That resolution message is not sent straight here.

54:32.980 --> 54:37.960
No, that resolution message say this green is my resolution.

54:37.960 --> 54:42.730
Message is sent through this tunnel to the hub.

54:43.060 --> 54:46.120
The hub forwards it to this guy.

54:47.470 --> 54:49.360
This was a correction in DMVPN.

54:51.640 --> 54:54.670
It does not, the hub does not resolve these requests.

54:55.630 --> 54:56.900
The hub does not resolve it.

54:56.920 --> 54:59.350
He actually takes the request and forwards it.

54:59.350 --> 54:59.920
To whom?

55:00.760 --> 55:03.100
This guy in the request.

55:03.140 --> 55:08.590
He's basically telling him, Hey, listen, I know you are 192, 168, 113.

55:08.950 --> 55:09.520
Right?

55:09.520 --> 55:10.540
This is my source.

55:10.540 --> 55:12.190
In the request, there is a source.

55:12.920 --> 55:14.560
He's telling him my source is.

55:18.130 --> 55:19.870
My NBMA address is.

55:23.130 --> 55:23.900
12 to 1.

55:23.910 --> 55:26.080
I want to know what your address is.

55:26.110 --> 55:27.450
Your address.

55:29.160 --> 55:32.040
Tell them I want to know what your address is.

55:32.070 --> 55:34.710
For him to create this one tunnel.

55:36.810 --> 55:37.760
What does he require?

55:37.770 --> 55:39.430
A source and a destination.

55:39.450 --> 55:40.920
That's all he needs, right?

55:41.040 --> 55:42.300
To create the DVTI.

55:42.420 --> 55:43.800
Does he have the source now?

55:45.810 --> 55:46.290
Sorry?

55:46.290 --> 55:47.130
The destination.

55:47.610 --> 55:48.990
He has the destination now.

55:49.380 --> 55:50.760
Does he have a source?

55:51.270 --> 55:59.160
He has the public source as his source, destination was received by NHRP resolution request.

56:01.350 --> 56:01.890
Right.

56:02.010 --> 56:04.710
He doesn't even throw it this way.

56:04.740 --> 56:07.290
This guy also sends him a resolution request this way.

56:08.490 --> 56:15.000
Comes to this guy saying, Hey, listen, I am 1.13.

56:15.030 --> 56:18.930
My NBMA address is one dot.

56:21.590 --> 56:22.250
What is it?

56:22.850 --> 56:25.280
24.4.

56:27.080 --> 56:28.430
What is your address?

56:28.460 --> 56:30.530
To reply to this resolution request.

56:30.560 --> 56:31.910
They don't go through the hub now.

56:33.110 --> 56:36.350
To reply to this resolution request, they create this tunnel.

56:38.440 --> 56:41.060
Now they have the source and destination from their side.

56:41.080 --> 56:43.240
In the meantime, the other guy also receives it.

56:44.020 --> 56:46.120
He has the source and destination also.

56:46.660 --> 56:47.620
So they create.

56:47.650 --> 56:54.460
They negotiate this tunnel here with all the Ike Ike initial message and Ike Ike message is exchanged

56:54.460 --> 56:55.030
over here.

56:55.060 --> 56:55.360
Why?

56:55.390 --> 56:57.160
Because the source and destination is known here.

56:57.190 --> 56:59.200
The source and destination is known here.

56:59.440 --> 57:03.940
So he replies to him saying, Hey, my destination address is this through the tunnel?

57:04.930 --> 57:07.810
And he replies, saying, My destination is this through the tunnel?

57:08.890 --> 57:11.470
When the tunnel is set up, they don't need anything else.

57:11.470 --> 57:11.770
Why?

57:11.800 --> 57:15.010
Because the virtual access automatically has the source and destination.

57:15.010 --> 57:20.110
The public source becomes from here 23.3 From here.

57:20.110 --> 57:20.650
It's.

57:22.890 --> 57:25.470
How did he know the destination is 23.3.

57:25.500 --> 57:27.420
This resolution request.

57:27.720 --> 57:28.710
How did he know?

57:28.710 --> 57:29.790
It's 24.4.

57:29.820 --> 57:31.350
This resolution.

57:34.040 --> 57:35.070
So he knows to go.

57:35.090 --> 57:40.130
Now he knows that if I want to go now, they don't need to exchange ten or 3 or 10 for Why?

57:40.160 --> 57:41.780
Because they have a neighbor relationship.

57:42.290 --> 57:46.350
The tunnel source address from here is 190 to 113.

57:46.370 --> 57:48.080
From here the source is 11.

57:48.080 --> 57:49.160
I have done EGP.

57:49.550 --> 57:51.470
My EGP is running over here.

57:51.890 --> 57:55.610
So there are these networks will now be shared over whom?

57:56.900 --> 57:58.190
This one interface.

57:58.700 --> 58:00.620
So they don't need the hub anymore.

58:01.220 --> 58:04.220
They are directly neighbors with R3 and R4.

58:07.450 --> 58:08.140
Is this clear?

58:09.370 --> 58:10.540
Any questions?

58:13.090 --> 58:13.560
The DNA.

58:16.600 --> 58:19.360
If R1 goes down, everything goes down.

58:20.360 --> 58:21.850
Here's this tunnel will go down here.

58:21.880 --> 58:22.840
This tunnel will go down.

58:23.380 --> 58:25.390
If this is up, he will stay up.

58:26.680 --> 58:31.150
This will stay up for that amount of time until he has the mappings.

58:32.220 --> 58:34.550
That is, again, 69.

58:35.110 --> 58:37.320
What is two hours?

58:37.590 --> 58:38.160
Two hours?

58:38.160 --> 58:39.120
You can see it here.

58:43.700 --> 58:44.360
Not here.

58:44.460 --> 58:45.920
R1 doesn't have anything.

58:48.100 --> 58:48.320
Ones.

58:48.480 --> 58:49.610
NP is empty.

58:50.180 --> 58:51.740
He does not store any data.

58:51.740 --> 58:55.130
He just forwards requests from here, forwards request from here.

58:55.970 --> 58:58.970
Only data which you have is on R3 and R4.

59:02.440 --> 59:04.000
10.3 is through the tunnel.

59:05.800 --> 59:11.800
192 168 is through 192, 168, 113, which is directly connected to me through the tunnel and the NBMA

59:11.830 --> 59:13.210
address is 24.4.

59:17.210 --> 59:17.840
Is this clear?

59:18.110 --> 59:19.790
This is myself.

59:20.190 --> 59:20.820
14.3.

59:20.840 --> 59:22.130
This is the mapping for myself.

59:22.790 --> 59:25.000
182 1.23.3 is myself.

59:25.010 --> 59:26.360
So if he wants to bring himself.

59:28.750 --> 59:29.880
Right from R4.

59:29.890 --> 59:34.590
Also, he will have an NHRP mapping.

59:35.800 --> 59:36.680
For 10.3.

59:37.130 --> 59:38.360
The time is.

59:40.870 --> 59:44.830
147 through 192 168 1.11.

59:44.830 --> 59:46.420
1.11 is his neighbor.

59:50.350 --> 59:56.110
1.11 is a neighbor through a virtual interface one full time and everything is good.

59:56.320 --> 59:58.930
So he has a direct relationship with the spoke.

1:00:01.830 --> 1:00:05.070
That is your DMVPN summed up as flex.

1:00:06.720 --> 1:00:07.890
It's flexible.

1:00:08.250 --> 1:00:08.640
Why?

1:00:08.670 --> 1:00:11.850
Because remember R1, I did not do a lot of things on R1.

1:00:13.140 --> 1:00:18.600
If you compare this R1 to the R1 in the previous lab, only one thing I added was the pool.

1:00:18.600 --> 1:00:19.230
That's all.

1:00:21.630 --> 1:00:25.590
And obviously I just have to make R1.

1:00:25.590 --> 1:00:34.320
Part of the decision is made by him when he has to forward traffic and he knows that forwarding traffic,

1:00:34.320 --> 1:00:36.860
both of them are part of the same domain.

1:00:37.920 --> 1:00:40.740
He knows this guy is also part of my same domain.

1:00:40.740 --> 1:00:42.770
This guy is also part of the same domain.

1:00:42.780 --> 1:00:44.280
Why don't they talk directly?

1:00:44.610 --> 1:00:47.680
If they are in the same network, why don't they talk directly?

1:00:47.700 --> 1:00:50.310
So he just tells them, hey, listen, he's in your same network.

1:00:50.310 --> 1:00:52.200
He tells him, hey, this is in your same network.

1:00:52.650 --> 1:00:53.580
He doesn't tell him.

1:00:53.580 --> 1:00:55.710
He just sends a redirect saying, Hey, go directly.

1:00:56.160 --> 1:00:57.510
They don't know how to go direct.

1:00:57.510 --> 1:01:01.560
So they go through the hub for the resolution and he goes through the hub for the resolution.

1:01:01.800 --> 1:01:04.080
They get their NBMA addresses, create a tunnel.

1:01:07.090 --> 1:01:08.670
So that redirect command.

1:01:08.680 --> 1:01:09.050
Yeah.

1:01:09.880 --> 1:01:10.700
4.4.

1:01:10.750 --> 1:01:11.520
And this is.

1:01:12.240 --> 1:01:22.350
You said that at 1.32 that he has that through his routing table right here, through his routing table,

1:01:23.110 --> 1:01:24.840
because before it was through.

1:01:26.220 --> 1:01:26.700
Yeah.

1:01:26.700 --> 1:01:29.730
No, before also, that's what I wanted to clarify last time.

1:01:29.730 --> 1:01:35.220
What we did, this thing that we did last time, there's a correction in there that at that time also

1:01:35.220 --> 1:01:39.990
it happens the same way through IP table, through the IP routing table.

1:01:40.710 --> 1:01:43.980
At that time, what I had said was R1 resolves everything for them.

1:01:44.850 --> 1:01:49.890
They send their resolutions to R1 and R1 resolves it for them, but that's not the case.

1:01:50.640 --> 1:01:55.080
That time also, he gets the he gets the request from this side.

1:01:55.110 --> 1:01:56.940
He checks the source and destination.

1:01:57.540 --> 1:02:01.080
If they are on the same network, the final networks are the same.

1:02:01.080 --> 1:02:05.730
It's coming from 190 211 end point of the tunnel is 192, 168 111.

1:02:05.760 --> 1:02:08.640
The other end point is 192, 168 113.

1:02:08.670 --> 1:02:09.600
They know they are.

1:02:09.810 --> 1:02:12.010
He knows that in the same data.

1:02:12.850 --> 1:02:16.960
So he says, all right, if they are in the same network and the domain is also the same, they need

1:02:16.960 --> 1:02:17.620
a redirect.

1:02:17.620 --> 1:02:23.890
So it sends out a redirect to them and they don't talk to the hub their request.

1:02:23.890 --> 1:02:31.690
The destination is dot 13, and for him the destination is dot 11, but it's going through the hub because

1:02:31.690 --> 1:02:37.390
at that time they don't know what is the direct address, the NBMA address in DMVPN.

1:02:37.420 --> 1:02:39.310
He doesn't create a tunnel back.

1:02:39.340 --> 1:02:41.650
The NHRP reply comes back through the hub.

1:02:41.660 --> 1:02:46.690
Also here, the resolution reply does not come back through the hub here.

1:02:46.690 --> 1:02:52.150
He creates that virtual access and replies through that because they both have everything that they

1:02:52.150 --> 1:02:52.960
need by that time.

1:02:54.950 --> 1:02:58.550
So by the time is resolved, virtual access is also created.

1:03:00.200 --> 1:03:05.330
And then obviously you have routing enabled and the traffic goes through that and creates a neighbor.

1:03:07.040 --> 1:03:09.890
There is a direct communication between both the spokes.

1:03:09.920 --> 1:03:10.730
Now there is, yeah.

1:03:10.730 --> 1:03:15.020
So that's why the routing table is showing the overridden overridden, that's why.

1:03:15.050 --> 1:03:16.850
Because now see.

1:03:22.750 --> 1:03:23.680
This is overridden.

1:03:25.120 --> 1:03:25.920
To whom?

1:03:25.930 --> 1:03:26.230
Why?

1:03:26.260 --> 1:03:28.210
Because this static route was installed.

1:03:28.210 --> 1:03:28.690
Where?

1:03:30.980 --> 1:03:36.950
Route set interface install this route set installs this route.

1:03:36.950 --> 1:03:39.110
If you see this is next hop is overwrite.

1:03:39.560 --> 1:03:39.950
Why?

1:03:39.980 --> 1:03:44.030
Because from R3, this is what 13 was is my address.

1:03:46.810 --> 1:03:47.890
My address is 11.

1:03:48.160 --> 1:03:48.550
Right.

1:03:48.550 --> 1:03:50.950
So this he has it as an NHRP neighbor.

1:03:52.090 --> 1:03:54.160
He has this guy as the NHRP neighbor.

1:03:54.430 --> 1:03:56.200
He can go there directly.

1:04:01.310 --> 1:04:01.850
13.

1:04:02.750 --> 1:04:03.980
He can go there directly.

1:04:03.980 --> 1:04:04.220
Why?

1:04:04.220 --> 1:04:06.170
It's a it is a next hop for him.

1:04:06.170 --> 1:04:08.600
So he does not need this in the routing table.

1:04:08.630 --> 1:04:11.360
He was installed as a static route, but it's overridden.

1:04:11.360 --> 1:04:11.510
Why?

1:04:11.540 --> 1:04:14.450
Because now he directly connected to me, so I override it.

1:04:14.450 --> 1:04:15.710
I don't use this one.

1:04:15.710 --> 1:04:17.330
This one is not used anymore.

1:04:19.300 --> 1:04:20.860
Override means override this.

1:04:20.890 --> 1:04:21.190
Why?

1:04:21.220 --> 1:04:23.500
Because it's directly connected to me from the other side.

1:04:23.530 --> 1:04:27.010
Through that, virtual access is directly connected now.

1:04:27.430 --> 1:04:31.990
So interface virtual access.

1:04:34.770 --> 1:04:35.970
Can we move this?

1:04:39.520 --> 1:04:40.110
All right.

1:04:41.650 --> 1:04:42.910
I will hide this.

1:04:42.910 --> 1:04:43.510
Oh, yeah.

1:04:43.540 --> 1:04:44.410
Nice.

1:04:44.560 --> 1:04:47.230
So this is my tunnel Zero.

1:04:47.320 --> 1:04:48.640
My endpoint is this.

1:04:48.640 --> 1:04:49.450
And.

1:04:50.130 --> 1:04:51.240
I have this right here.

1:04:53.260 --> 1:04:55.330
Right source and destination is given by whom?

1:04:55.330 --> 1:04:56.860
The NSA told me.

1:04:56.860 --> 1:04:58.750
The other side is this and that side also.

1:04:58.750 --> 1:04:59.470
He told me the NSA.

1:05:02.040 --> 1:05:02.610
Is this clear?

1:05:03.750 --> 1:05:04.560
Any questions?

1:05:06.300 --> 1:05:07.490
This is the most difficult part of.

1:05:10.650 --> 1:05:11.670
That is all.

1:05:12.450 --> 1:05:12.750
This.

1:05:14.750 --> 1:05:18.400
What read was the request goes to the hub.

1:05:19.330 --> 1:05:27.340
However, replies with the destination tool, with the destination to request, and then request goes

1:05:27.340 --> 1:05:28.480
to directory.

1:05:28.750 --> 1:05:30.040
The request goes.

1:05:30.400 --> 1:05:32.980
Let's see how the Cisco docs right here.

1:05:38.950 --> 1:05:42.070
Because you cannot change the packet in destination.

1:05:42.220 --> 1:05:46.300
The source and destination flex spoke to spoke.

1:05:49.970 --> 1:05:54.830
Yeah, there's a whole packet exchange that is explained in these docs, so we'll see that.

1:05:56.310 --> 1:05:58.590
This is the exchange, right?

1:06:00.150 --> 1:06:01.980
This is the description of the exchange.

1:06:02.880 --> 1:06:03.900
This is your.

1:06:05.120 --> 1:06:06.140
Host request.

1:06:06.170 --> 1:06:09.320
Host Request goes to the hub, goes to the other side.

1:06:09.530 --> 1:06:13.280
In the meantime, what this hub does is send a redirect.

1:06:13.310 --> 1:06:15.500
Send a redirect.

1:06:15.710 --> 1:06:19.100
Then the resolution request goes where?

1:06:20.540 --> 1:06:21.950
Straight to the other spoke.

1:06:22.130 --> 1:06:22.630
Right.

1:06:22.640 --> 1:06:25.610
The resolution request from the other spoke comes straight.

1:06:25.610 --> 1:06:29.240
Then the IKE is formed between spokes.

1:06:29.270 --> 1:06:30.440
Nothing is done with the hub.

1:06:31.340 --> 1:06:31.970
The hub is not.

1:06:31.970 --> 1:06:37.640
The only thing the hub is doing is sending the redirect on both sides, as you said, like forwarding

1:06:37.940 --> 1:06:39.650
just forwarding the request.

1:06:39.650 --> 1:06:43.640
This NHRP request is also forwarded from this side.

1:06:43.640 --> 1:06:49.730
Also even from this side, the moment he receives the resolution, then the reply does not come straight.

1:06:49.760 --> 1:06:52.460
It's through the IKE initialization.

1:06:53.840 --> 1:07:00.560
So that means he only replies with the destination and then the hub replies in the redirect.

1:07:01.220 --> 1:07:02.780
That's what he does in the redirect.

1:07:03.140 --> 1:07:07.860
Again, the a new packet is generated per request and directly goes to the this one.

1:07:07.860 --> 1:07:08.130
Right?

1:07:08.130 --> 1:07:10.800
The resolution and resolution request is a separate packet.

1:07:10.800 --> 1:07:11.940
That's what I showed you here.

1:07:14.170 --> 1:07:14.950
How do you get back?

1:07:16.570 --> 1:07:17.560
That's what I said here.

1:07:18.220 --> 1:07:20.680
See, this was a redirect coming in.

1:07:20.710 --> 1:07:23.470
This resolution Green one was a resolution request.

1:07:23.950 --> 1:07:26.830
The resolution request is not forwarded.

1:07:27.430 --> 1:07:28.600
It's not forwarded.

1:07:28.600 --> 1:07:29.320
It goes straight.

1:07:29.320 --> 1:07:30.400
Yeah, it goes through the hub.

1:07:30.400 --> 1:07:30.750
Why?

1:07:30.750 --> 1:07:32.160
Why did I say forwarded?

1:07:32.170 --> 1:07:33.940
Because it leaves this interface.

1:07:33.970 --> 1:07:35.230
Is this virtual access.

1:07:35.230 --> 1:07:37.330
Then it goes out from the other virtual access.

1:07:38.230 --> 1:07:39.100
That's what I'm saying.

1:07:40.270 --> 1:07:45.160
The request goes to this request the destination to R3 again.

1:07:45.370 --> 1:07:46.150
R3 again.

1:07:46.150 --> 1:07:46.640
Yes.

1:07:46.720 --> 1:07:48.940
And then R3, R3 goes straight.

1:07:49.600 --> 1:07:51.190
But that's not what he shows here, See?

1:07:56.380 --> 1:07:56.570
These.

1:08:00.080 --> 1:08:00.920
Okay again.

1:08:02.830 --> 1:08:03.910
Check right here.

1:08:04.540 --> 1:08:10.060
This resolution request is he is is the hub replying with anything to him?

1:08:13.250 --> 1:08:16.070
The request which I'm sending from here is the hub replying.

1:08:18.720 --> 1:08:19.470
He's not.

1:08:21.270 --> 1:08:22.410
It's the same like this.

1:08:22.410 --> 1:08:26.130
This packet which is going through is the same like that packet going on.

1:08:26.130 --> 1:08:33.930
But now inside the packet, it's a resolution request with the information about my source because he

1:08:33.930 --> 1:08:38.670
knows, the host knows that who's going to take me to the other side, the hub.

1:08:40.290 --> 1:08:46.080
So he sends it to the hub here then see, otherwise he would show you Hub sending something back, and

1:08:46.080 --> 1:08:48.030
then he creates another packet to send back.

1:08:48.630 --> 1:08:48.800
Right?

1:08:48.870 --> 1:08:51.000
So then another resolution request goes out from here.

1:08:51.000 --> 1:08:53.610
But from here, only one resolution request is going.

1:08:54.450 --> 1:09:00.300
And from here also only one resolution request is coming from R3 coming to R1, but through the hub

1:09:00.660 --> 1:09:02.670
it's called spoke, Hub spoke.

1:09:03.780 --> 1:09:05.610
The communication is called spoke, Hub spoke.

1:09:05.610 --> 1:09:06.780
It's not meant for the hub.

1:09:06.930 --> 1:09:08.760
The destination is the spoke.

1:09:09.030 --> 1:09:11.790
But the way the path to go through is through the hub.

1:09:13.860 --> 1:09:15.030
The hub does not do anything.

1:09:15.030 --> 1:09:18.810
His destination, when he opens the packet, he sees the destination is the other spoke.

1:09:18.810 --> 1:09:19.890
So he doesn't do anything.

1:09:19.890 --> 1:09:21.360
He knows it's an NHRP request.

1:09:21.390 --> 1:09:23.940
He just forwards it from the other virtual interface.

1:09:26.060 --> 1:09:28.850
Only the redirect is sent to the spokes.

1:09:29.260 --> 1:09:33.050
That's the only thing that he does is the redirection after the command.

1:09:33.590 --> 1:09:38.150
The redirection is the redirect message is simply it's sent.

1:09:38.150 --> 1:09:40.280
See, the first traffic goes in the moment.

1:09:40.280 --> 1:09:42.650
The first traffic goes in, then the hub can.

1:09:42.650 --> 1:09:48.200
At the same time, the hub realizes when he makes the routing decision, he realizes that both of them

1:09:48.200 --> 1:09:49.310
are in the same network.

1:09:49.550 --> 1:09:52.970
When once he forwards it, he says, All right, if they are in the same network, let me send them

1:09:52.970 --> 1:09:54.170
a redirect.

1:09:54.290 --> 1:09:57.310
So he sends that this redirect packets sent over here.

1:09:57.440 --> 1:09:58.160
Which one?

1:10:01.900 --> 1:10:03.530
No, you know what that one is?

1:10:04.220 --> 1:10:04.880
Excuse me.

1:10:05.970 --> 1:10:06.930
You know what that one is?

1:10:06.960 --> 1:10:10.190
See, this was the first packet sent to that packet.

1:10:10.200 --> 1:10:11.220
This was the reply.

1:10:11.370 --> 1:10:13.020
That is the reply which is going.

1:10:15.190 --> 1:10:16.450
Because the first ping completes.

1:10:16.450 --> 1:10:16.960
Right.

1:10:16.990 --> 1:10:19.810
How will the first ping complete when it comes back?

1:10:20.590 --> 1:10:23.950
This is the echo request and this is the echo reply.

1:10:23.980 --> 1:10:25.110
Now he's cutting off here.

1:10:25.120 --> 1:10:25.270
Why?

1:10:25.300 --> 1:10:28.510
Because first he sends a redirect and then he replies with the.

1:10:29.560 --> 1:10:31.420
So this is the one which he gets back.

1:10:31.450 --> 1:10:31.840
Check.

1:10:31.840 --> 1:10:33.340
This is what the host receives.

1:10:33.490 --> 1:10:34.540
The first he receives.

1:10:34.540 --> 1:10:36.140
Is this right?

1:10:36.160 --> 1:10:37.810
Then he sends the redirect.

1:10:37.840 --> 1:10:39.580
The host is not sending the redirect.

1:10:39.790 --> 1:10:42.550
This guy is the only packets leaving him.

1:10:42.550 --> 1:10:43.510
Is this one.

1:10:45.980 --> 1:10:46.220
Right.

1:10:46.220 --> 1:10:49.190
This is your spoke the only one packet leaving him?

1:10:49.190 --> 1:10:53.930
Is this the only one packet receiving is the request from the other spoke?

1:10:53.960 --> 1:10:54.410
Yes.

1:10:57.170 --> 1:10:58.270
From the other spoke.

1:10:58.280 --> 1:11:01.130
What you're saying is the DMVPN in the first one.

1:11:01.160 --> 1:11:01.580
Why?

1:11:01.610 --> 1:11:03.350
Because the spoke at that time.

1:11:03.350 --> 1:11:05.900
The hub has all the mappings here.

1:11:05.900 --> 1:11:07.310
The hub does not have anything.

1:11:07.400 --> 1:11:09.320
He has no mappings here.

1:11:09.320 --> 1:11:11.690
He does not have any mappings, so he does not know what to do with it.

1:11:11.720 --> 1:11:13.610
He does not reply with the mappings.

1:11:14.390 --> 1:11:15.710
What you're saying is DMVPN.

1:11:16.190 --> 1:11:18.080
In that case he replies with the mappings.

1:11:18.080 --> 1:11:20.240
Then they talk directly for the resolution.

1:11:20.900 --> 1:11:22.910
Here it's straight through the hub.

1:11:24.110 --> 1:11:26.360
In that case, it was sending only the destination.

1:11:26.360 --> 1:11:30.980
And then because the hub had everything else here, the hub does not.

1:11:30.980 --> 1:11:32.840
I showed you the NHRP table on the hub.

1:11:32.870 --> 1:11:33.890
It was empty.

1:11:35.640 --> 1:11:36.210
Okay.

1:11:37.980 --> 1:11:38.910
Any questions?

1:11:38.910 --> 1:11:40.320
Any more questions?

1:11:42.100 --> 1:11:42.800
Is this clear?

1:11:42.820 --> 1:11:44.980
The communication between the hub and spoke.

1:11:45.130 --> 1:11:45.760
The spoke.

1:11:45.790 --> 1:11:46.750
The spoke communication.

1:11:47.140 --> 1:11:48.940
Is this clear how this is happening?

1:11:49.510 --> 1:11:51.070
The redirect and everything.

1:11:52.970 --> 1:11:54.410
This is in Cisco docs.

1:11:56.610 --> 1:11:57.180
Okay.

1:11:57.480 --> 1:12:00.000
That is how your Flex spoke

1:12:00.000 --> 1:12:00.870
to spoke works.

1:12:01.170 --> 1:12:06.000
The only one thing that's left right now is server and client.

1:12:06.270 --> 1:12:08.220
Very subtle differences between the two.

1:12:08.670 --> 1:12:10.200
Very subtle differences.

1:12:10.200 --> 1:12:11.730
But I will not do it today.

1:12:12.960 --> 1:12:16.150
I want you to do this today, so we'll do that tomorrow.

1:12:16.170 --> 1:12:19.500
It'll be a recap of everything from Flex beginning until the end.

1:12:21.100 --> 1:12:21.920
This Two steps.

1:12:22.360 --> 1:12:23.290
Just two more steps.

1:12:23.290 --> 1:12:25.540
But we'll we'll be repeating all of this.

1:12:26.770 --> 1:12:31.120
So all those fill in the blanks that are left in my in our heads will be cleared.

1:12:31.420 --> 1:12:32.410
One step at a time.

1:12:32.830 --> 1:12:35.650
And then we'll also do the theory of SSL VPN.

1:12:37.670 --> 1:12:38.120
Okay.
