I say love, and hate I throw away… Happy listening, Daesh ;)

Sorry, but this time it will be a French article.

What France must remain :

  • Love ;
  • Cultural diversity ;
  • Celebration ;
  • Liberty !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ;
  • Secularism (laïcité) ;
  • Passions, and the freedom to express them in whatever way, with respect for others ;

Redback magic command

For those of you who are working with Redback equipment, this command can be useful :

Then you will have access to all the commands the CLI hides from you, such as ‘show sub ip’ or ‘show qos meter’ …

GETVPN : Group Encrypted Transport VPN

[Schema] Here it comes. We will use the same topology as the last two blog posts.
This time we will play with GETVPN. GETVPN is a Cisco technology. One of its advantages is that it can build spoke-to-spoke IPsec without any Tunnel interface, and it is highly scalable.

You could say to me : ok, man ! But you could do this with static tunnels. Yes you can, BUT with GETVPN you can easily maintain full-mesh networks thanks to the Key Server and the GETVPN technology.

Tunnels are built between GMs (Group Members). The Key Server (KS) maintains the security policies and is not part of the forwarding path. It is there to provide the security policy and make it possible for the GMs to build encrypted tunnels with each other. No need to pass through a central node. GETVPN is one answer, DMVPN phase 3 is another :)

We have R4 as KS with a loopback address :
We have R2 and R3 as our spokes. Each of these routers has a Loopback 99 in a different /24 subnet.

  • R2 :
  • R3 :

Let’s go and see how it is configured. Begin with the Key Server :

Now R2 and R3 :

GMs register with the KS and use it to build their IPsec SAs. Here, the security policy is identified by “identity number 12345”.

To make my topology work I had to add a static route towards my remote endpoints, because of a bug in my IOS : it crashes if I add a “reverse-route” command in my crypto map.
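The KS and GM configurations the post refers to are not reproduced above, so here is an added example of the same setup (my own configuration, not the author's), with R4 as KS and R2/R3 as GMs under identity number 12345. All addresses (4.4.4.4, 192.168.2.0/24, 192.168.3.0/24, the next hop of the static route), the pre-shared key, the RSA key label and the ACL/profile/map names are constructed for this example:

```cisco
! Constructed addressing (not from the post): KS R4 = Loopback0 4.4.4.4,
! R2 Loopback99 = 192.168.2.0/24, R3 Loopback99 = 192.168.3.0/24.
!
! ---------- Key Server (R4) ----------
! IKE is used only for GM registration with the KS. Data traffic between GMs
! uses the group SA pushed by the KS, so no per-pair IKE or tunnel is needed.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Lab-only wildcard PSK: in production use one key per GM or certificates.
crypto isakmp key LAB-ONLY-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GDOI-PROF
 set transform-set GDOI-TS
!
! The crypto ACL lives only on the KS; it is pushed to every GM at registration.
ip access-list extended GETVPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Rekeys are signed with an RSA key generated beforehand with
! "crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048".
crypto gdoi group GETVPN
 identity number 12345
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 GETVPN-TRAFFIC
   ! counter-based anti-replay only makes sense for a two-GM group like this;
   ! with more GMs keep the default time-based replay and sync clocks via NTP
   replay counter window-size 64
  address ipv4 4.4.4.4
!
! ---------- Group Member (R2; R3 is the same apart from addressing) ----------
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key LAB-ONLY-PSK address 4.4.4.4
!
crypto gdoi group GETVPN
 identity number 12345
 server address ipv4 4.4.4.4
!
! A "gdoi" crypto map carries no peer, no ACL and no transform set:
! all of that comes from the KS.
crypto map GDOI-MAP 10 gdoi
 set group GETVPN
!
interface Ethernet0/0
 crypto map GDOI-MAP
!
! Static route used instead of "reverse-route" (IOS bug noted above);
! 10.0.0.3 is a constructed next hop.
ip route 192.168.3.0 255.255.255.0 10.0.0.3
!
! Verify on a GM  : show crypto gdoi / show crypto gdoi gm acl / show crypto ipsec sa
! Verify on the KS : show crypto gdoi ks members / show crypto gdoi ks policy
```

Because the crypto ACL exists only on the KS and the original IP header is preserved, adding a fourth site means one more GM registration, not a new crypto ACL or peer entry on every other router; that is where the scalability comes from.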

Now, we could try to ping each other :

Good ! It pings. Let’s see if it is encrypted, with either of these commands :

Great it works :)

Now let’s see some troubleshooting commands :

Ok, each SA encrypts and decrypts the correct number of packets :)

KS side :

For more information :

Have fun with GETVPN !!


IPsec VTI stands for IPsec Virtual Tunnel Interface.

Besides the traditional IPsec configuration with crypto maps, VTI lets us use an interface. This is useful for applying policies as on any other interface : service-policy, …

For this example, I will use the previous topology with four routers (R1, R2, R3, R4) : see the blog post below for a diagram.

I will implement an IPsec VTI tunnel between R2 and R4.

VTI is really simple to implement :


And :

Once both ends are configured, the tunnel state goes to up/up. Before that it is up/down.

We could do this kind of thing and more :
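As an added example (my own, not the post's configuration), the R2 end of the VTI tunnel to R4, with a shaper applied on the tunnel interface; R4 is the mirror image. The loopback addresses 2.2.2.2 and 4.4.4.4, the 10.24.0.0/30 tunnel subnet, the 192.168.4.0/24 remote prefix, the PSK and all object names are assumptions:

```cisco
! Constructed addressing (not from the post): R2 Loopback0 2.2.2.2,
! R4 Loopback0 4.4.4.4 (reachable through the IGP), tunnel subnet 10.24.0.0/30.
!
! ---------- R2 (R4 is the mirror: source 4.4.4.4, destination 2.2.2.2,
! ---------- tunnel address 10.24.0.1) ----------
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Lab-only PSK; prefer certificates or a unique key per peer in production.
crypto isakmp key LAB-ONLY-PSK address 4.4.4.4
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! No crypto map and no crypto ACL: whatever is routed into Tunnel24 is
! encrypted, so "interesting traffic" is decided by routing, not by an ACL.
interface Tunnel24
 ip address 10.24.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Send the remote site's network through the tunnel (constructed prefix).
ip route 192.168.4.0 255.255.255.0 Tunnel24
!
! Because it is a real interface, ordinary interface features apply,
! for example a shaper on the encrypted output.
policy-map VTI-SHAPE
 class class-default
  shape average 1000000
!
interface Tunnel24
 service-policy output VTI-SHAPE
!
! Line protocol on Tunnel24 stays up/down until the IPsec SA with R4 exists
! (check with "show crypto session" and "show crypto ipsec sa"), then up/up.
```

The up/down state before the peer is configured is the interface reporting the missing SA: the line protocol of an IPsec VTI follows the SA, which makes it a convenient thing to alarm on in monitoring.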



How can DMVPN do QoS per spoke ?

This is what we will configure today :

Here is the network :





I will not explain how NHRP works in detail here.

R1, R2, R3, R4 use IS-IS (for fun) as IGP.

Now, here come the DMVPN configurations :

And for R3 :

!!! WARNING !!!  The ‘ip nhrp group’ and ‘ip nhrp map group xxx service-policy output yyy’ commands are not shown by ‘?’ on my IOS. The syntax that works there is ‘nhrp group xxx’ and ‘nhrp map group xxx service-policy out pm’.

The policy-map is mapped on the multipoint tunnel when the NHRP registration request is sent (on the spoke we flag it with ‘ip nhrp group toto’). Extra fields in the NHRP packet tell the hub that traffic towards this spoke’s address must be handled with the policy of ‘this’ group.

We can see the mapping by :

And we can see statistics by this command :
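The hub and spoke configurations are not reproduced above, so here is an added example (my own, not the post's configuration) of per-spoke QoS on the hub, with two spoke groups of different bandwidth. Tunnel and NBMA addresses (10.0.0.0/24, 172.16.1.1), the network-id, the group and policy-map names and the rates are constructed; IPsec protection of the tunnel is left out to keep the NHRP part visible:

```cisco
! Constructed addressing (not from the post): hub R1 Tunnel0 10.0.0.1/24 with
! NBMA address 172.16.1.1; spoke R2 Tunnel0 10.0.0.2/24.
!
! ---------- Hub (R1): one shaper instance per registered spoke ----------
class-map match-all VOICE
 match dscp ef
!
policy-map CHILD-LLQ
 class VOICE
  priority percent 30
!
! Parent shaper for spokes that register in group SPOKE-2M (2 Mbit/s links).
policy-map SPOKE-2M
 class class-default
  shape average 2000000
  service-policy CHILD-LLQ
!
! Parent shaper for spokes on 512 kbit/s links.
policy-map SPOKE-512K
 class class-default
  shape average 512000
  service-policy CHILD-LLQ
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! The group name arrives in the spoke's NHRP registration; the hub then
 ! instantiates the matching policy-map for that spoke only. A group the hub
 ! has not mapped gets no policy, so only names defined here can be claimed.
 ! (On the IOS used in the post the keyword is "nhrp map group ...".)
 ip nhrp map group SPOKE-2M service-policy output SPOKE-2M
 ip nhrp map group SPOKE-512K service-policy output SPOKE-512K
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
! ---------- Spoke (R2): announce its group when registering ----------
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp nhs 10.0.0.1
 ! On the IOS used in the post this is typed as "nhrp group SPOKE-2M".
 ip nhrp group SPOKE-2M
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
! Hub checks: "show dmvpn detail" lists the NHRP group and the output
! service-policy applied per spoke; "show policy-map multipoint" shows
! the per-spoke shaper and queue counters.
```

Note that the group is self-declared by the spoke, so the hub trusts the spoke's registration for the rate it gets; keep the set of mapped groups small and deliberate, and review the per-spoke output of show dmvpn detail when a spoke's throughput does not match its link.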

Les grandes grandes vacances : finally a real cartoon for our children…

Sorry to English-speaking readers, for once this will be an article in French, far from the Cisco and CCIE certification topics.

“Les grandes grandes vacances” is an animated series produced by the production company “Les armateurs”.

This animated series deals with the Second World War and the French Resistance. The fact that the events take place near Dieppe, in Normandy, adds to my interest.

I came across it with my children. They are still small and do not understand everything this cartoon implies. But it is really of high quality and, I hope, lets today’s children understand the period it evokes : the Second World War, the Resistance, and freedom.

This period resonates particularly with me and I wanted to share this extraordinary work. I hope this cartoon will be used to educate our children, so that this period of our history always stays anchored in us. This is necessary. Given the difficult times we live in, this reminder is really important.


IPv6 sage certified t-shirt : thank you



Thank you for sending my IPv6 Sage certified T-shirt.
I really like it. Great quality, and thank you for all you’ve done for v6 :)

Dia and OSX Yosemite

For those of you who are using this excellent open-source diagram software : since OS X Yosemite, it seems to be missing one line to work correctly.
You must edit ‘/Applications/’ and add at line 39 “export DISPLAY=:0”, like this :



export DISPLAY=:0
osascript -e 'tell app "XQuartz" to launch'
for i in $(seq 1 30); do   # wait up to 30 s for XQuartz (assumed socket /tmp/.X11-unix/X0)
    [ -e /tmp/.X11-unix/X0 ] && break
    sleep 1
done



Now it must work correctly :)

Source :

OSPF : Outbound filtering

If you read about or watch videos on OSPF, you will be told that you can only filter on INBOUND, or all-or-nothing on OUTBOUND (via ip ospf database-filter all out / neighbor x.x.x.x database-filter all out).
You will say to me : no problem, I can filter with “area range xxxxx not-advertise” (LSA Type 3) or “summary-address xxxx not-advertise” (LSA Type 5).
Ok, now let’s say I want to filter out some routes with a distribute-list and an ACL ?

You could do this as :

And you could do more :
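The configurations the post refers to are missing above, so here is an added example (mine, not the author's config) of the two places where OSPF really does filter on the outbound side, next to the all-or-nothing database-filter mentioned earlier. Process id, router-id, the 10.99.0.0/16 and 10.1.0.0/16 prefixes, the interface and the list names are constructed:

```cisco
! Constructed values (not the author's config): process 1, router-id 1.1.1.1,
! prefixes 10.99.0.0/16 and 10.1.0.0/16, interface Ethernet0/1.
!
! 1) ASBR: "distribute-list ... out" in OSPF filters only what is redistributed
!    into OSPF (the Type 5 LSAs it would originate). This is the one place an
!    OSPF distribute-list works outbound, and it takes a plain ACL.
access-list 10 deny   10.99.0.0 0.0.255.255
access-list 10 permit any
!
router ospf 1
 router-id 1.1.1.1
 redistribute connected subnets
 distribute-list 10 out connected
!
! 2) ABR: "area X filter-list prefix ... out" drops selected Type 3 summaries
!    as they leave area X. Unlike "area range ... not-advertise" it is
!    per prefix, not tied to a summarised range.
ip prefix-list AREA1-OUT seq 5 deny 10.1.0.0/16 le 32
ip prefix-list AREA1-OUT seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 area 1 filter-list prefix AREA1-OUT out
!
! 3) Intra-area the LSDB must be identical on every router, so there is no
!    per-prefix outbound filter towards a neighbour: "distribute-list ... in"
!    only keeps routes out of the local RIB (the LSAs still flood), and
!    "database-filter all out" is the all-or-nothing knob from above.
interface Ethernet0/1
 ip ospf database-filter all out
!
! Check from a neighbour: show ip ospf database external
!                         show ip ospf database summary
!                         show ip route ospf
```

The check from the neighbour matters: a distribute-list in that seems to "filter" a prefix still leaves the LSA in the neighbour's database, so looking only at the local routing table can give a false sense that a route has been suppressed.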

Have lots of fun labbing all these great OSPF features.


These holidays at the beginning of May have been used for work at home and in our garden. Nevertheless, some work has been done on OSPF during the last two weeks. CCIE studies have indeed been slower than in April. They will be back at 100% at the beginning of next week.