Hi Pieter,

Thanks a lot. Now I am clear.

With 12.4(15)T, the IPSec profiles have support for "set reverse-route", which also has the option to add a tag and an AD. With crypto maps, the legacy command "reverse route" doesn't support tag and AD options. Hence, if you need them, it should be done as follows:

    crypto dynamic-map mymap
     set security-association lifetime seconds 300
     set transform-set 3dessha
     set isakmp-profile profile1
     set reverse-route distance 20
     reverse-route

With regards
Kings

On Wed, Apr 7, 2010 at 12:56 AM, Pieter-Jan Nefkens <[email protected]> wrote:

> Hi kings,
>
> Just googled a bit more on RRI. The reverse-route is used before 12.4(15)T.
>
> The set reverse-route has then been introduced so you can set it on vti,
> but also set a different administrative distance than 1 (default for
> static):
>
> http://www.ciscosystems.biz/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html
>
> Hth
> PJ
> Sent from an iPhone
>
> On 6 Apr 2010 at 19:52, Kingsley Charles <[email protected]> wrote:
>
> Hi Pieter
>
> With site to site vpn, if you use "reverse route" without the "static"
> keyword, then the routes are installed only when the tunnel is up and
> removed when the tunnel is torn down.
>
> With regards
> Kings
>
> On Tue, Apr 6, 2010 at 11:18 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>
>> Hi kings,
>>
>> If I remember correctly you use the set reverse-route to only inject the
>> static route when the tunnel is up.
>>
>> That could be ezvpn, ra clients, but also site-2-sites that are dialin
>> only.
>>
>> You use the
>> Reverse-route static
>> On two-way site-to-sites where you permanently want to inject the static
>> route.
>>
>> Hth
>> Pj
>>
>> Sent from an iPhone
>>
>> On 6 Apr 2010 at 18:58, Kingsley Charles <[email protected]> wrote:
>>
>> Hi Brandon
>>
>> My question is when do we use "reverse route" and "set reverse-route"?
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 6, 2010 at 8:44 PM, Brandon Carroll <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> Looks to me like you have it down. As for your last question, which one
>>> produces the result you are looking for? Ultimately you are going to get a
>>> static route introduced to your routing table. You can then take that
>>> static route and redistribute it into any routing protocol you are running.
>>> I guess I'm not sure what you are asking?
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>> training locations throughout the United States, Europe, South Asia and
>>> Australia. Be sure to visit our online communities at
>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>> On Apr 6, 2010, at 1:23 AM, Kingsley Charles wrote:
>>>
>>> > Hi all
>>> >
>>> > With IOS IPSec, we have two cmds for reverse route injection:
>>> >
>>> > router2(config-crypto-map)#set reverse-route ?
>>> >   distance  Distance metric for this static route
>>> >   tag       Create route and tag it
>>> >
>>> > router2(config-crypto-map)#reverse-route ?
>>> >   remote-peer  Create route in route table for remote tunnel endpoint
>>> >   static       Create routes based on static ACLs permanently
>>> >
>>> > My understanding
>>> >
>>> > For static site to site VPN, we should use "reverse-route". This will
>>> > add a static route to remote site address in the interesting traffic acl.
>>> > The "static" keyword will add the route permanently. Else the route
>>> > will be removed when the tunnel is torn off.
>>> >
>>> > For EzVPN server, we should add "set reverse-route". For VTI based
>>> > EzVPN server, it should be added under IPSec profile.
>>> >
>>> > For dynamic vpns configured using dynamic crypto maps (given below),
>>> > should we use "reverse-route" or "set reverse-route"?
>>> >
>>> > crypto dynamic-map dynmap 1
>>> >  set transform-set tran
>>> >  match address 123
>>> >
>>> > The IOS is inconsistent in its behavior and hence I am not able to
>>> > confirm the behaviour.
>>> >
>>> > With regards
>>> > Kings
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training,
>>> > please visit www.ipexpert.com
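
An added configuration sketch, not taken from any message in this thread: it combines the tag and administrative-distance options discussed above with the redistribution step Brandon mentions, so that only RRI-created routes inside an expected range reach the IGP. The sequence number, profile name, route-map and prefix-list names, tag 100, OSPF process 1 and the 10.50.0.0/16 range are all assumed placeholder values.

```cisco
! Constructed example; all names, numbers and prefixes are placeholders.
!
! Dynamic crypto map on 12.4(15)T or later: RRI routes get AD 20 and tag 100.
! "reverse-route" enables RRI; the "set reverse-route" lines add the options.
crypto dynamic-map mymap 10
 set transform-set 3dessha
 set isakmp-profile profile1
 set reverse-route distance 20
 set reverse-route tag 100
 reverse-route
!
! VTI-based setup: the same options go under the IPsec profile.
crypto ipsec profile RRI-PROF
 set transform-set 3dessha
 set reverse-route distance 20
 set reverse-route tag 100
!
! With dynamic peers the injected prefixes follow the negotiated
! proxy identities, so bound what may be redistributed.
ip prefix-list RRI-ALLOWED seq 5 permit 10.50.0.0/16 le 24
!
route-map RRI-TO-OSPF permit 10
 match tag 100
 match ip address prefix-list RRI-ALLOWED
!
router ospf 1
 redistribute static subnets route-map RRI-TO-OSPF
```

Statics without tag 100, or with the tag but outside the prefix-list, fall through to the route-map's implicit deny and are not advertised.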
