Hi, can I confirm whether "match closed ports" in CPPr is supposed to block IKE and GETVPN 848, even if IPsec is up and running?
I noticed this in, I think, Yusuf's Lab 2: one task has GETVPN running, then later we are asked to configure CPPr dropping traffic to closed ports. I observed that GETVPN was failing. I found this counter-intuitive, as when IPsec is running I assumed IKE (500) or GETVPN (848) count as "open ports". However, listing open ports doesn't show 500 or 848 anyway.

Anyway, just to confirm that this is expected behaviour. In that case, to satisfy the CPPr task, I have to use:

  !--- task asks to block closed ports; but will stop GETVPN if I don't explicitly open it in...
  class-map type port-filter match-all CLOSEDPORTS
   match closed-ports
   match not port udp 848
  !

It's like a gotcha or stupid-router-trick (more like stupid-router-behaviour) where a naive configuration of a later task can screw up an earlier one.

Regards
Richard
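As an added example (not from Richard's post or the lab itself), here is a complete CPPr port-filter policy for the scenario described above: it drops traffic to closed control-plane ports but first exempts IKE (UDP 500) and GDOI/GETVPN (UDP 848), since neither appears in the open-ports listing. The class-map and policy-map names are assumed, and exempting 500 as well as 848 is an assumption based on GETVPN group members also registering over IKE.

```cisco
! Added example, not the lab's own config. Names CLOSEDPORTS and
! PF-DROP-CLOSED are assumed.
! "match closed-ports" is evaluated against the router's listener table,
! which does not include the IKE/GDOI sockets, so exempt them explicitly.
class-map type port-filter match-all CLOSEDPORTS
 match closed-ports
 match not port udp 500
 match not port udp 848
!
policy-map type port-filter PF-DROP-CLOSED
 class CLOSEDPORTS
  drop
!
control-plane host
 service-policy type port-filter input PF-DROP-CLOSED
!
! Verification after applying the policy:
! show control-plane host open-ports          (500/848 still absent)
! show policy-map type port-filter control-plane host   (drop counters)
```

If the drop counter in the policy-map output keeps climbing while GETVPN registration fails, the exemptions are not matching and the class-map should be re-checked before suspecting the crypto configuration.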
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
