Using igmp-join command is like typing the ip address twice on an interface.
Sure you can do it but it doesn't benefit anything.

The GET VPN group policy creates the join request on the device when the
multicast group is learned via Group Membership.  That is why it lists the
multicast address when you issue the show crypto gdoi group... command.  The
application itself is maintaining the group membership.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
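
As an added example that is not from any poster in this thread: the key server and group member configuration that goes with the rekey ACL under discussion, showing that the GM needs no manual join. 10.0.5.2 and 239.0.1.2 come from the documentation example quoted further down in the thread; interface names, the GM address 10.0.6.2, ACL 122, key labels and the group name and number are assumptions.

```cisco
! ===== Key server (KS) at 10.0.5.2, as in the documentation example Simon quoted =====
! Assumed: interface names, ACL 122, key labels, group name/number, GM address 10.0.6.2.
ip multicast-routing
interface GigabitEthernet0/0
 ip address 10.0.5.2 255.255.255.0
 ip pim sparse-dense-mode
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
! Lab-style wildcard PSK; per-GM keys or certificates are preferable in production.
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GDOI-TS esp-aes esp-sha-hmac
crypto ipsec profile GDOI-PROF
 set transform-set GDOI-TS
!
! Rekey ACL from the thread: KS source, UDP 848 (GDOI), one multicast group.
! Either form makes GMs join 239.0.1.2; this one also pins the source and ports.
access-list 121 permit udp host 10.0.5.2 eq 848 host 239.0.1.2 eq 848
! Data-plane policy pushed to GMs (what the group encrypts); assumed.
access-list 122 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
! Rekeys are signed with an RSA key generated first in exec mode:
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey address ipv4 121
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 122
  address ipv4 10.0.5.2
!
! ===== Group member (GM) at 10.0.6.2; same isakmp policy and key as the KS =====
ip multicast-routing
interface GigabitEthernet0/0
 ip address 10.0.6.2 255.255.255.0
 ip pim sparse-dense-mode
 crypto map GETVPN-MAP
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.5.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
! No "ip igmp join-group 239.0.1.2" on the GM: after registering and downloading
! ACL 121 it joins the group itself. Check with "show crypto gdoi group GETVPN-GROUP"
! (rekey address 239.0.1.2 listed) and "show ip igmp groups" (239.0.1.2 joined).
```

Every router between KS and GM must also route multicast (PIM enabled), otherwise the rekey never reaches the group, which is the routed-traffic point Paul raises below.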



-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Thursday, March 18, 2010 12:30 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Question about GETVPN multicast rekey ACL.

224.0.0.x is a bit different since it is link local. The same igmp join is not
relevant since that traffic wouldn't really be routed. With getvpn rekey, it
may need to be routed. In that case I wouldn't use 224.0.0.x and I would issue
the join.



On Mar 18, 2010, at 12:00 PM, ccie_security-[email protected] wrote:

> Today's Topics:
>
>   1. Re: Question about GETVPN multicast rekey ACL. (Kingsley Charles)
>   2. Re: Advertising NAT subnets? (Tyson Scott)
>   3. Re: IPS OS Mapping (Brandon Carroll)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 18 Mar 2010 16:41:27 +0530
> From: Kingsley Charles <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Question about GETVPN multicast rekey ACL.
> To: Simon Baumann <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Simon
>
> With OSPF or EIGRP or RIPv2, the router keeps listening to a multicast
> address for updates. For example for RIP, the router listens to 224.0.0.9.
>
> You need not configure "ip igmp join-group" on the router's interface to
> listen to 224.0.0.9 to get RIP routing updates. The router does it
> automatically. But for other multicast feeds, you need to configure the
> router using "ip igmp join-group" or "ip igmp static-group".
>
>
>
> With GETVPN, to make the Group member automatically start listening to the
> rekey updates, the Key Server has that ACL configured.
>
> I configure the following ACL in the Key server.
>
> access-list 121 permit ip any host 239.0.1.2
>
>
> When this ACL is downloaded to the Group Member, it starts listening to
> 239.0.1.2 from any source. When the Key server sends the rekey using the
> multicast address 239.0.1.2, the Group member receives it.
>
>
>
> With regards
> Kings
>
> On Thu, Mar 18, 2010 at 3:41 PM, Simon Baumann <[email protected]> wrote:
>
>>
>> Hi,
>> if I understand the GETVPN concept correctly, the default rekey method is
>> multicast and you have to define an ACL for the rekey configuration. The
>> documentation has this example:
>>
>>
>> Example:
>> Router(config)# access-list 121 permit udp host 10.0.5.2 eq 848 host 239.0.1.2 eq 848
>>
>> So in this case, the KS would be 10.0.5.2 and 239.0.1.2 is the multicast
>> address used for GETVPN. I'm unsure why we have to define this. What would
>> happen if we configured this ACL with "permit ip any any"?
>>
>> Cheers
>> Simon
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training,  
>> please
>> visit www.ipexpert.com
>>
>>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 18 Mar 2010 09:01:26 -0400
> From: "Tyson Scott" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Advertising NAT subnets?
> To: "'Asif Khan'" <[email protected]>,
>    <[email protected]>
> Message-ID: <037901cac69b$1ee2efe0$5ca8cf...@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Asif,
>
> You can also use a nat pool with an address with the option
> "advertise-route" to add it to the routing table.  Then redistribute static
> routes to your routing protocol.  When you do lab 2 in Volume 1 you will see
> this technique used.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Asif Khan
> Sent: Thursday, March 18, 2010 4:23 AM
> To: [email protected]; Asif Khan
> Subject: [OSL | CCIE_Security] Advertising NAT subnets?
>
>
>
> Hi all,
>
> I have this topology:
>
> R1 <--> R2 <--> R3
>
> R1<------192.168.1.0/24------>R2<------192.168.2.0/24------>R3
>
> R2 is doing the NAT'ing. When 192.168.1.0/24 pings R3, I want this subnet to
> be translated to 192.168.20.20-192.168.20.100. Is there a way to advertise
> this translated subnet to R3 without BGP? I tried creating a loopback on
> R2 (192.168.20.1/24) and advertising it using OSPF but on R3 I only see:
>
>     192.168.20.0/32 is subnetted, 1 subnets
> O       192.168.20.1 [110/11] via 192.168.2.2, 00:10:58, FastEthernet0/0
>
> so R3 cannot reach the whole subnet, only 20.1.
>
> Thanks in Advance,
> - Asif
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 18 Mar 2010 08:22:46 -0700
> From: Brandon Carroll <[email protected]>
> Subject: Re: [OSL | CCIE_Security] IPS OS Mapping
> To: Michael Davis <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> I would choose the closest one to what I am trying to match.  Since it's
> used for the Passive OS fingerprinting and helps the sensor calculate an
> ARR I would most likely be similar for the Windows category, however, it
> does say the following:
>
> The vulnerable OS list specifies what OS types are vulnerable to each
> signature. The default, general-os, applies to all signatures that do not
> specify a vulnerable OS list.
>
> This could indicate that on a per-signature basis it may make a difference
> whether or not the sensor believes the OS you have mapped is vulnerable.
> So, you should probably play with it a bit.
>
> Or....for the CCIE Lab we just do what we are told.
>
> HTH-
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
>
>
> On Mar 18, 2010, at 3:53 AM, Michael Davis wrote:
>
>> Hi, can anyone tell me how to determine which OS type to choose between
>> when defining an OS Map on the IPS appliance?
>> A Windows 2K/2003 server could match any of the following:
>> Win NT
>> Windows
>> WinNT/2K/XP
>> There is no differentiation between these three in the docs that I have
>> found.  Does it then matter which one I choose?
>> Thanks
>> Michael
>
>
> End of CCIE_Security Digest, Vol 45, Issue 86
> *********************************************