Thanks Tyson, based on your mail my understanding is as follows:

The redundancy scheme is used to move all the stateful information of
features configured for stateful redundancy. The features can use the
redundancy scheme HSRP group used by the redundancy scheme or any other HSRP
groups.


Hence it is not a must for the features to use the redundancy scheme HSRP
group. That was the clarification I was looking for.

With regards
Kings

On Thu, Oct 21, 2010 at 1:31 AM, Tyson Scott <[email protected]> wrote:

>  It just means that interdevice-redundancy information will be shared with
> the redundancy scheme but the ISAKMP and IPsec SAs will be shared over the
> standby name associated with the interface the crypto map is applied to.
>
>
>
> They chose to let it work this way.  It says it works this way.  Not sure
> what further clarification you are looking for?
>
>
>
> The stateful information will be shared over TCP port 1234 with the SCTP
> protocol and will be shared based on the standby name of kings2.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Wednesday, October 20, 2010 11:18 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IPSec with SSO
>
>
>
> Hi all
>
> I am checking out site to site VPN with SSO.  I have configured two HSRP
> groups, king2 on the outside interface and king on the inside. The VPN is
> configured on the outside interface. I have associated the
> inside HSRP group king to the redundancy. For the crypto map, I am using
> outside HSRP group king2.
>
> This works. But I am wondering, how is it working?
>
> The HSRP group that I configured for the crypto map is not associated in
> the SSO, then how come the IPSec stateful information is being passed?  The
> HSRP group in the crypto map should be the HSRP group in the SSO, right?
>
> The snippet below claims that HSRP group with the crypto map can be
> different from the SSO HSRP group.
>
> Any thoughts?
>
>
> redundancy inter-device
>  scheme standby king
> !
> ipc zone default
>  association 1
>   no shutdown
>   protocol sctp
>    local-port 1234
>     local-ip 10.20.30.43
>    remote-port 1234
>     remote-ip 10.20.30.44
>
> interface FastEthernet0/0
>  ip address 20.10.30.1 255.255.255.0
>  duplex auto
>  speed auto
>  standby 7 ip 20.10.30.7
>  standby 7 priority 123
>  standby 7 preempt
>  standby 7 name king2
>  crypto map cisco redundancy king2 stateful
> !
> interface FastEthernet0/1
>  ip address 10.20.30.43 255.255.255.0
>  duplex auto
>  speed auto
>  standby 0 ip 10.20.30.70
>  standby 0 priority 123
>  standby 0 name king
>
>
>
>
> Snippet from
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
>
>
> crypto map map-name [redundancy standby-group-name [stateful]]
>
> This command binds the crypto map on the specified interface to the
> redundancy group.
>
> Note: Although the standby group does not have to be the same group that
> was used when enabling SSO, it does have to be the same group that was used
> with the standby ip command on this interface.
>
> This crypto map will use the same VIP address for both IKE and IPsec to
> communicate with peers.
>
>
> With regards
> Kings
>
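
Added example (not part of the original messages and not Cisco tooling): a small Python check for the rule in the quoted note, namely that the group named in "crypto map ... redundancy" must be a standby group with a "standby ip" on the same interface, while it may differ from the SSO scheme group. The function name audit, the trimmed sample config and the regexes (which cover only the command forms shown in this thread) are assumptions.

```python
import re

# Constructed sample: the relevant lines of the configuration quoted in the thread.
SAMPLE = """\
redundancy inter-device
 scheme standby king
!
interface FastEthernet0/0
 standby 7 ip 20.10.30.7
 standby 7 name king2
 crypto map cisco redundancy king2 stateful
!
interface FastEthernet0/1
 standby 0 ip 10.20.30.70
 standby 0 name king
"""

def audit(config):
    """Return (sso_scheme_group, findings) for crypto maps bound to HSRP groups."""
    scheme, iface, ifaces = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"scheme standby (\S+)", line):
            scheme = m.group(1)                      # group used by inter-device SSO
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
            ifaces[iface] = {"names": {}, "vip": set(), "maps": []}
        elif not raw.startswith(" "):
            iface = None                             # left the interface block
        elif iface and (m := re.match(r"standby (\d+) name (\S+)", line)):
            ifaces[iface]["names"][m.group(2)] = m.group(1)
        elif iface and (m := re.match(r"standby (\d+) ip \S+", line)):
            ifaces[iface]["vip"].add(m.group(1))
        elif iface and (m := re.match(
                r"crypto map (\S+) redundancy (\S+)( stateful)?$", line)):
            ifaces[iface]["maps"].append((m.group(1), m.group(2), bool(m.group(3))))
    findings = []
    for name, d in ifaces.items():
        for cmap, group, stateful in d["maps"]:
            num = d["names"].get(group)              # HSRP group number, if named here
            findings.append({
                "interface": name, "crypto_map": cmap, "group": group,
                "stateful": stateful,
                # Required: named group exists on this interface and has a VIP.
                "bound_to_local_vip": num is not None and num in d["vip"],
                # Informational only: the note says these may differ.
                "same_as_sso_scheme": group == scheme,
            })
    return scheme, findings
```

On the thread's configuration this reports king2 as correctly bound on FastEthernet0/0 and different from the SSO scheme group king, which is the working case described above.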