Not sure which accelerator. It has been mentioned in one of the IPE Vol 2 labs. Check it out.

With regards
Kings

On Sun, Jun 24, 2012 at 9:14 AM, Eugene Pefti <[email protected]> wrote:

> So, if 1841 has a VPN module then I have a chance to fully test IPSec HA?
>
> Cisco 1841 (revision 7.0) with 117760K/13312K bytes of memory.
> Processor board ID FHK133673MQ
> 2 FastEthernet interfaces
> 2 Serial(sync/async) interfaces
> *1 Virtual Private Network (VPN) Module*
> DRAM configuration is 64 bits wide with parity disabled.
> 191K bytes of NVRAM.
> 31360K bytes of ATA CompactFlash (Read/Write)
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Friday, June 22, 2012 8:12 PM
> *To:* Eugene Pefti
> *Cc:* Bruno Silva; <[email protected]>
> *Subject:* Re: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>
> For HA to work, you need a specific VPN accelerator card inserted in the router. I forgot the card's name
>
> With regards
> Kings
>
> On Sat, Jun 23, 2012 at 8:35 AM, Eugene Pefti <[email protected]> wrote:
>
> What about router platforms? Will I have a chance to test it with 1841 or 2800 routers? At least IPExperts lab gives an example of stateful IPSec HA with 2811 routers.
>
> Eugene
> Sent from iPhone
>
> On Jun 22, 2012, at 7:57 PM, "Kingsley Charles" <[email protected]> wrote:
>
> Yes, you need a reload for HA to work.
>
> With regards
> Kings
>
> On Sat, Jun 23, 2012 at 12:10 AM, Eugene Pefti <[email protected]> wrote:
>
> Bruno and all,
>
> I have a stupid question to ask.
> The white paper given below says that IPSec HA is supported only by high-end routers.
>
> I didn’t have any problem adding all required commands on 1841 router but didn’t test it yet because I still don’t understand all the nitty-gritty details about it, specifically about routers to be reloaded for the configuration to take effect.
>
> Moreover the configs in this white paper miss “local-port” statement that should go before “local-ip”.
>
> I don’t know who in the sound mind will remember all the commands required to set interdevice communication to enable stateful IPSec failover.
>
> Hoping that VPN availability guide is accessible during the lab in case such a task
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-state-fail-ipsec.html
>
> Eugene
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Bruno Silva
> *Sent:* Thursday, June 21, 2012 11:12 PM
> *To:* <[email protected]>
> *Subject:* Re: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>
> Hi Eugene,
>
> Apart from who wrote the solution for this task, what I think is not the case, I have also come across this task and for some reason this is not the only wrong thing on it. This is an IPSec HA solution that you're trying to configure and for some reason the solution not only does not work as it is also confusing in some parts.
> Since I came across a lot of problems with this solution this is what helped me a lot:
>
> http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80278edf.html
>
> Hopefully you can find the same help I found in this document.
>
> BR,
> Bruno Silva
>
> Sent via iPad
>
> On 22/06/2012, at 00:27, Mike Rojas <[email protected]> wrote:
>
> Yep,
>
> Anyone who thinks differently is very appreciated...
>
> Mike
> ------------------------------
>
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
> Date: Fri, 22 Jun 2012 03:17:55 +0000
>
> Unfortunately it doesn’t make sense to me either because R2 runs in the routed mode.
>
> I believe it’s just the faulty solution in the first place. I’m not going to point fingers who the solution provider is but it’s not IPExperts ;)
>
> *From:* Mike Rojas [mailto:[email protected] <[email protected]>]
> *Sent:* Thursday, June 21, 2012 8:13 PM
> *To:* Eugene Pefti; [email protected]
> *Subject:* RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>
> Hi,
>
> Assuming that the router 2 is not on transparent mode, taking it out it wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that there is a route for the network of the ASA to be behind router2 on the HSRP routers. It would make sense if they are all on the same broadcast domain.
>
> Mike.
> ------------------------------
>
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
> Date: Fri, 22 Jun 2012 03:05:49 +0000
>
> Hi Mike,
>
> Yes, I’m familiar with it.
> It’s the same as you say “sysopt noproxyarp” on the ASA.
>
> My question is about why would you do it? Can someone give me a good example?
>
> I’m doing a task and it asks to configure a peer for a pair of HSRP routers. I’ll have to give a sketch of the topology to make it more or less clear:
>
> R1----+--- R2-----(163.1.132.0)-----ASA-----R6
> R3----|
>
> So to be precise R1 and R3 should have their IPSec peer set to 163.1.132.113 which is ASA interface.
>
> The solution configures static NAT on R2 binding 163.1.132.113 to R6 loopback:
>
> ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
>
> If R2 will stop responding to ARP requests sent to 163.1.132.113 how the whole thing will work?
>
> Eugene
>
> *From:* Mike Rojas [mailto:[email protected] <[email protected]>]
> *Sent:* Thursday, June 21, 2012 7:54 PM
> *To:* Eugene Pefti; [email protected]
> *Subject:* RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>
> Hey Eugene,
>
> Are you familiar with proxyARP? Basically, the router will answer ARP for any address that is on its range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.
>
> Mike
> ------------------------------
>
> From: [email protected]
> To: [email protected]
> Date: Fri, 22 Jun 2012 02:44:22 +0000
> Subject: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>
> What are use cases of this “no-alias” NAT option. All references I found in Cisco docs say little to me.
>
> Quoting:
>
> • *Autoaliasing of Pool Addresses:*
>
> Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an attached subnet. This requires that the router answer ARP requests for those addresses so that packets destined for the global addresses are accepted by the router and translated. (Routing takes care of this packet delivery when the global addresses are allocated from a virtual network which isn't connected to anything.) When a NAT pool used as an inside global or outside local pool consists of addresses on an attached subnet, the software will generate an alias for that address so that the router will answer ARPs for those addresses.
>
> This automatic aliasing also occurs for inside global or outside local addresses in static entries. It can be disabled for static entries by using the "no-alias" keyword:
>
> ip nat inside source static <local-ip-address> <global-ip-address> no-alias
>
> Why would the router NOT reply on behalf of those global addresses?
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
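
Added example, not part of the original thread: a small Python model of the autoaliasing rule quoted from the Cisco documentation, applied to the topology sketched in the thread to list which devices would answer ARP for 163.1.132.113 with and without "no-alias". The /24 mask, the device dictionaries and the function names are assumptions made for illustration; this is not IOS code.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    local: str              # inside local address
    global_: str            # inside global address
    no_alias: bool = False  # True models the "no-alias" keyword

def arp_aliases(attached_subnets, static_entries):
    """Inside global addresses the router would answer ARP for.

    Rule from the quoted text: an alias is generated when the global
    address lies on an attached subnet, unless the static entry carries
    no-alias. Off-subnet globals get no alias; routing delivers those.
    """
    nets = [ipaddress.ip_network(n) for n in attached_subnets]
    aliases = set()
    for entry in static_entries:
        addr = ipaddress.ip_address(entry.global_)
        if not entry.no_alias and any(addr in n for n in nets):
            aliases.add(str(addr))
    return aliases

def arp_responders(address, routers, hosts):
    """Sorted names of every device that would reply to ARP for address.

    routers: {name: (attached_subnets, static_entries)}
    hosts:   {name: set of addresses the device itself owns}
    """
    names = [n for n, owned in hosts.items() if address in owned]
    names += [n for n, (nets, nat) in routers.items()
              if address in arp_aliases(nets, nat)]
    return sorted(names)

# Constructed from the thread's sketch; the /24 mask is an assumption.
SEGMENT = ["163.1.132.0/24"]
HOSTS = {"ASA": {"163.1.132.113"}}
WITH_ALIAS = {"R2": (SEGMENT, [StaticNat("6.0.0.1", "163.1.132.113")])}
NO_ALIAS = {"R2": (SEGMENT,
                   [StaticNat("6.0.0.1", "163.1.132.113", no_alias=True)])}

if __name__ == "__main__":
    print("default :", arp_responders("163.1.132.113", WITH_ALIAS, HOSTS))
    print("no-alias:", arp_responders("163.1.132.113", NO_ALIAS, HOSTS))
```

More than one name in the result means two devices on the segment would answer ARP for the same address, which is the condition to look for when auditing static NAT entries whose global address sits on an attached subnet.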
