Posts

Showing posts from June, 2019

IPSec (tunnel mode) Site-To-Site VPN (IKE V2) between two Cisco routers with dynamic routing (OSPF)

Now comes the next part in the IPSec series. This time we will configure an IPSec VPN between two Cisco routers. For phase 1 our underlying protocol will be IKEv2, and IPSec will run in tunnel mode. We will do the routing with OSPF. Let's move on to our network topology.

Figure: IPSec Tunnel Mode with IKEv2 and OSPF

Even though the topology is straightforward, let's have a look at it. Traffic from 192.168.10.0/24 to 192.168.20.0/24 and vice versa will be encrypted by IPSec. For this example, we will assign IP addresses to our tunnel interfaces (VTIs); the 192.168.30.0/30 network is reserved for that purpose. Each router also has a loopback interface that will be used as the OSPF router-id.

Site-A-Rtr configuration

Assign IP addresses to the physical interfaces and the loopback interface.

interface GigabitEthernet0/0
 ip address 172.16.51.1 255.255.255.0
!
interface GigabitEthernet0/7
 ip address 192.168.10.1 255.255.255.0
!
interface Loop

IPSec (tunnel mode) Site-To-Site VPN (IKE V1) between two Cisco routers

Today we will configure an IPSec VPN between two Cisco routers. For phase 1 our underlying protocol will be IKEv1, and IPSec will run in tunnel mode. In our previous example, the Cisco router was configured in policy mode. What is actually the difference between IPSec policy mode and tunnel mode? I will describe the difference in layman's terms. In policy mode, which packets get encrypted is decided by selecting the interesting traffic with ACLs (access control lists), and we cannot run dynamic routing protocols over the tunnel. In tunnel mode we create a tunnel interface, and which packets get encrypted is decided by routing (traffic following a route whose next hop is the tunnel interface is encrypted), so we can easily run dynamic routing protocols over the tunnel interface. The most obvious difference is that in tunnel mode we create a VTI (virtual tunnel interface) over which our encrypted traffic is forwarded. Let's move on to our network topology.

Figure: IPSec Tunnel Mod

Mixing layer-3 and layer-2 over a single aggregated link? Possible???

I have tried a strange combination recently and was very surprised to see that it works: mixing layer 2 and layer 3 over an LACP aggregated interface. I have no explanation why it works. Do any of my readers have any idea? Let's introduce our topology first.

Fig 01 - Link-aggregation Topology

Now the problem definition. We are using two Arista switches. On Arista-SW-L3 we will create an L3 (layer 3) link aggregation, and on Arista-SW-L2 we will create an L2 (layer 2) link aggregation over the same pair of interfaces (eth1 and eth2). Then we will verify connectivity by pinging from the L2 side (VLAN interfaces) to the L3 side (port-channel interfaces), and conclude that we can mix and match L2 and L3 over a single link-aggregation interface. Let's configure the L3 side of our aggregated link.

Arista-SW-L3 configuration

We configure the switch by running the following commands:

interface Ethernet1
   no switchport --Creating L3 p