Cisco Virtual Tunnel Interface (VTI) Design Guide

The above-mentioned guide is referenced in a couple of Cisco Design Guides on IPSec VPN, but I am unable to find it anywhere on Cisco websites, including the links provided by Cisco. Could anyone who has the guide help me with a copy of it?
Thanks

I have this link in my notes from a while back; hope it helps:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Similar Messages

  • Virtual Tunnel Interface (VTI) Hub Router Configuration

    When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform-set and ipsec profile, or can they all share the same configuration?
    Example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ******** address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    crypto ipsec profile VTI
    set transform-set TSET
    Thanks.

    Hi,
    The IPsec profile can be shared.
    You could also create multiple transform sets, reference them in an IPsec profile, and then apply it to a specific VTI.

  • Dynamic virtual tunnel interface on 2821

    I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
    The feature is supported by this software release. Documentation says:
    - enter configuration
    - configure a virtual-template interface
    - type "tunnel mode <mode>"
    but the router does not accept this command.
    Any hint?
    Thank you in advance.
    Denis

    Try:
    just have to take a look at the concentrator's configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
    and this one is an example with routers
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

  • NBAR on Tunnel Interface on ASR1001

    Hello all,
    I'm trying to implement service policy on our ipsec tunnels on ASR1001. Version: asr1001-universalk9.03.13.01.S.154-3.S1-ext.bin
    Here is the typical Tunnel configuration:
    interface Tunnel100
    ip address 172.x.x.x 255.255.255.252
    ip mtu 1450
    ip access-group ACL_IN in
    ip access-group ACL_OUT out
    ip policy route-map ForwardIP
    ip ospf network point-to-point
    ip ospf mtu-ignore
    ip ospf cost 40
    qos pre-classify
    tunnel source ZZ.ZZ.ZZ.ZZ
    tunnel mode ipip
    tunnel destination YY.YY.YY.YY
    tunnel protection ipsec profile IPSec-AES
    service-policy input Tunnel_IN
    When I try to add an output service-policy on that interface, I get an error:
    (nbar): (err): NBAR is not supported on Tunnel10042
    If I try to enable ip nbar protocol-discovery, I get an error:
    % NBAR Error: Can not enable Protocol-discovery NBAR is not supported on this interface
    Is it possible to use NBAR on that interface?

    NBAR is not supported on the following logical interfaces:
    Dialer interfaces
    Dynamic tunnels such as Dynamic Virtual Tunnel Interface (DVTI)
    Fast Etherchannels
    IPv6 tunnels that terminate on the device
    MPLS
    Overlay Transport Virtualization (OTV) overlay interfaces

  • New enterprise mobility design guide

    Hi, does anybody know if there's a newer enterprise mobility design guide than 4.1? Some of Cisco's new WLAN features, such as CAPWAP, are not included in 4.1. It's time for Cisco to prepare a new design guide.

    Hi Matthew,
    Here is the guide: http://www.sap.com/mk/get?_EC=DRQ9ocPiuHUaeFthOrrkni
    Regards,
    Austin

  • DMVPN in Cisco 3945 output drop in tunnel interface

    I configured DMVPN in Cisco 3945 and checked the tunnel interface. I found out that I have output drop. How can I remove that output drop? I already set the ip mtu to 1400.
    CORE-ROUTER#sh int tunnel 20
    Tunnel20 is up, line protocol is up
      Hardware is Tunnel
      Description: <Voice Tunneling to HO>
      Internet address is 172.15.X.X./X
      MTU 17878 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.15.X.X (GigabitEthernet0/1)
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/1
              Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport multi-GRE/IP
        Key 0x3EA, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1438 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "tunnel_protection_profile_2")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7487
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         48007 packets input, 4315254 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         42804 packets output, 4638561 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    interface Tunnel20
     description <Bayantel Voice tunneling>
     bandwidth 30720
     ip address 172.15.X.X 255.255.255.128
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 20
     no ip split-horizon eigrp 20
     ip nhrp authentication 0r1x@IT
     ip nhrp map multicast dynamic
     ip nhrp network-id 1002
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source FastEthernet0/0/1
     tunnel mode gre multipoint
     tunnel key 1002
     tunnel protection ipsec profile tunnel_protection_profile_2 shared

    Hi,
    Thanks for the input. If the radio is sending out the packet but the client did not receive it, no output drop should be seen since the packet is sent out, right?
    From my understanding, output drop is related to a congested interface. The outgoing interface cannot take the rate of packets coming in and is thus dropping them. What I don't understand is that the input and output rates have not reached the limit yet. Also, the input queue is seeing packet drops as well, even though the input queue is empty.
    Any idea?

  • Transmit Discards on Tunnel Interface Cisco 2851

    Hi, wondered if anyone could shed any light on this?
    We have two 2851 routers at two separate branches that connect via a VPN tunnel back to the head office. When looking at the tunnel interface, it shows a lot of transmit discards, which are there constantly and increase as traffic levels go up.
    I have read that this is due to congestion; however, we aren't using that much bandwidth at all.
    One site has a 100mb private circuit and the other has 10mb, both of which are never more than 30% utilised.
    Any thoughts?
    thanks


  • Q about flexpod design guide 5.0

    Hi all,
    In the design guide when you setup the vswitch you only specify one network adapter for the vswitch.  I added a second one in failover and reversed them depending on the order of the Vnics.
    Is this correct or should I put it back to one?
    I don't see how it would failover if I do.
    Also I only see two veth interfaces in the port channel as this is a vic 1420 shouldn't there be 4 per fabric?
    Thanks
    Kev

    Nexus 1000v Essential Edition is now free of charge to acquire.
    http://blogs.cisco.com/datacenter/new-nexus-1000v-free-mium-pricing-model
    For vSwitch implementation, I would have to let someone else step in to discuss their experiences with this setup.  The N1K implementation is using mac-pinning, which would be an active-active configuration.  For vSwitch, you probably can have both NICs active with 'Virtual Port ID' or 'Source MAC Hash' for load balancing.  'IP Hash' is a port channel and not supported on servers/blades within UCSM.
    33. Type port-profile type ethernet system-uplink.
    34. Type vmware port-group.
    35. Type switchport mode trunk.
    36. Type switchport trunk native vlan .
    37. Type switchport  trunk allowed vlan , ,  , , .
    >>>>>>  38. Type channel-group auto mode on mac-pinning.   <<<<<<<
    39. Type no shutdown.
    40. Type system  vlan , , , , .
    41. Type system mtu 9000.
    42. Type state enabled.
    Thank You,
    Dan Laden
    Cisco PDI Data Center
    Want to know more about how PDI can assist you?
    http://www.youtube.com/watch?v=3OAJrkMfN3c
    http://www.cisco.com/go/pdihelpdesk

  • Prime infrastructure 2.0 - Inventory error with Virtual-Access Interface

    Hi,
    We have recently been trying to resolve a few issues with routers which get partial inventory failures upon discovery. I have managed to narrow this down slightly with the help of the inventory.log file (with help from this post: https://supportforums.cisco.com/thread/2255346 ). I have found the following happens when this device is added:
    [2014-03-04 14:00:27,537] [ICE Service[ 1]Thread: 29] [inventory] [ERROR] - 172.16.3.202 Object detected as SAME but DB Object obtained from the database is NULL For instance id: 0 For generated POJO: PPPEncapsulation[callBack=false,callIn=false,callOut=false,multilink=false,name=Virtual-Access1,oneTime=false,owningEntityId=69757688_172.16.3.202,preferedAuthType=NONE,deployPending=NONE,name=Virtual-Access1,owningEntityId=69757688_172.16.3.202,instanceId=0,_orderedListOEIndex=<Integer>,_creationOrderIndex=<Integer>,instanceVersion=0]
    I have highlighted above where it mentions the problem with the virtual access interface. The configuration on the router is for PPPoE and the virtual-access1 interface is bound to Dialer0.
    It then goes on to roll back the transaction:
    172.16.3.202 persistObjects called with addList size = 307, updateList size = 6
    172.16.3.202 Exception while persisting: com.cisco.xmp.persistence.common.util.DMMCRUDException:,message=errorId=12,componentName=CRUD Error Create Object Failed
    172.16.3.202 Exception occured while inventory collection for device with id 69757688: com.cisco.xmp.inventory.ice.InventoryException: errorId=12,componentName=CRUD Error Create Object Failed
    172.16.3.202 Done with collection. Total call method time: 15308
    172.16.3.202 Rolling back the transaction
    Has anyone else come across this issue?
    I have attached the log showing just messages from this device.
    Thanks,
    Mike.

    TAC and I found a bug, CSCum05301.
    Maybe that is also helpful for others.
    https://tools.cisco.com/bugsearch/bug/CSCum05301/
    Symptom:
    Inventory collection will fail if the following keywords are used as part of the description command at the interface config level of an IOS device: 1Gbps, 10Mbps etc.
    Following error message is visible on the DWC:
    Inventory Collection Status: Partial Collection Failure
    Collection Status     Failed feature(s)
    Unable to configure DSL, Serial, POS, Ethernet, Loopback, Virtual-Interface, Tunnel, Vlan, Switchport and Service Module interfaces on ISR, ASR and Switches.
    Conditions:
    Speed keywords like 1Gbps, 10Mbps etc. available as part of the description command at the IOS interface level.
    For example:
    interface FastEthernet0/3
    description 10Mbps
    Workaround:
    Use a space character between number and unit keyword, like 1 Gbps.
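
The condition and workaround quoted from CSCum05301 above can be checked against a saved configuration before a device is added to Prime Infrastructure. This is an added example, not part of the original thread or any Cisco tool: it finds interface-level `description` lines where a number is glued to a speed unit and emits the corrected commands. The keyword pattern (Kbps/Mbps/Gbps) is an assumption, since the bug text only names "1Gbps, 10Mbps etc.", and the sample configuration is constructed.

```python
import re

# Assumption: the bug text only says "1Gbps, 10Mbps etc.", so any number glued
# to Kbps/Mbps/Gbps (case-insensitive) is treated as a speed keyword here.
SPEED_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([KMG]bps)\b", re.IGNORECASE)

# Constructed sample in "show running-config" layout (sub-commands indented).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/3
 description 10Mbps
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Uplink to core 1Gbps fibre
!
interface Tunnel20
 description Voice tunnel 1 Gbps
!
policy-map SHAPE
 description limit to 10Mbps
!
"""


def find_speed_descriptions(config_text):
    """Return (interface, old description, fixed description) tuples.

    Only descriptions inside an "interface" block are reported, because the
    bug text limits the condition to the interface config level.
    """
    findings = []
    current_if = None
    for raw in config_text.splitlines():
        # "!" separators and blank lines close the current block.
        if not raw.strip() or raw.startswith("!"):
            current_if = None
            continue
        # A non-indented line starts a new top-level block.
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            is_interface = len(parts) == 2 and parts[0] == "interface"
            current_if = parts[1].strip() if is_interface else None
            continue
        cmd = raw.strip()
        if current_if and cmd.startswith("description "):
            desc = cmd[len("description "):]
            # Workaround from the bug text: a space between number and unit.
            fixed = SPEED_TOKEN.sub(r"\1 \2", desc)
            if fixed != desc:
                findings.append((current_if, desc, fixed))
    return findings


def remediation_commands(config_text):
    """Build the IOS config lines that apply the workaround."""
    lines = []
    for name, _old, fixed in find_speed_descriptions(config_text):
        lines.append(f"interface {name}")
        lines.append(f" description {fixed}")
    return lines


if __name__ == "__main__":
    for name, old, fixed in find_speed_descriptions(SAMPLE_CONFIG):
        print(f"{name}: {old!r} -> {fixed!r}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Tunnel20 is not reported because its description already has the space, and the `policy-map` description is skipped because it is not at the interface level.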

  • Secure Wireless Design Guide 1.0

    Has there been any update to this document?  This document is dated July 11, 2007.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf
    Does anyone have a link to other reference material for designing Wireless Security; integrating WLCs with other Cisco security appliances and software?
    Thank you for your help.

    You can check the Wireless and Network Security Integration Solution Design Guide on the link below:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/sw2dg.html
            "niLz"
    Nilo Noguera Jr.
    | Specialist, Virtual Engineering - Partner Helpline Organization
    together we are the human network

  • LLQ on Virtual-Access Interfaces

    I'm sure this must have been asked before but...
    Given service policies with CBWFQ and LLQ aren't allowed on virtual-access interfaces how can a service provider guarantee bandwidth and latency to VoIP or other priority traffic over a single PPP session?
    I'm looking at this from the point of view of a broadband service provider using L2TP to tunnel customer PPP sessions to the terminating router, so there isn't an individual interface for each customer except for the virtual-access interface.
    I've looked at ppp multilink but I don't see how that can be used in an environment where each customer can only initiate one PPP session.
    I'm assuming the only way to go is to use the "ip rtp priority" command on the virtual-template.
    Any ideas on where to look?
    Is CBWFQ likely to make it into the whole VPDN system or is it just too resource hungry?
    Richard Watson

    You can just add the 'ip rtp priority' command to the virtual-template. But anyway, you will have to shut down the interface and clear the virtual-access interface to make it work. Here's a nice description of the command.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iprtp.htm

  • Design guides for Ironport Web Security

    Hi All,
    I am looking for a proxy solution for our enterprise network, and am considering the Ironport WebSecurity S370 appliance.
    I am just curious if there are any good design guides on how to properly implement Ironport on the network.
    I need best-practice documents, i.e. can I place two units with one virtual IP address, and so on.
    Thanks!

    WSAs don't cluster with a shared virtual IP; how you handle multiple WSA boxes is a function of how you're redirecting traffic to them.
         WCCP - you just add them as multiple WCCP destinations
         PAC file - you add separate entries and the browser/app figures out which one is available.
         Policy Based Routing (eg. no Cisco router) - I'm not sure, as I've never done it.
    You might be able to use a load balancer, but my feeling is that gets too complicated.
    I used this to set up one box using WCCP
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf
    There's a caveat when you use WCCP for 2 boxes, you need to tweak the ACL so that you don't get loops:
    http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1603&p_created=1278697344&p_sid=zzjbITyk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzA4LDMwOCZwX3Byb2RzPTAmcF9jYXRzPTAmcF9wdj0mcF9jdj0mcF9zZWFyY2hfdHlwZT1hbnN3ZXJzLnNlYXJjaF9ubCZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PW11bHRpcGxlIFdTQQ!!&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1

  • Dual stack on tunnel interface

    Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends; however, when I try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
    R1
    interface Tunnel0
     description Tunnel to R2
     ip address 172.30.1.237 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address FE80::172:30:1:1 link-local
     ipv6 address 2001:1::172:30:1:1/126
     keepalive 5 4
     tunnel source GigabitEthernet0/1
     tunnel mode ipsec ipv4
     tunnel destination 1.2.3.4
     tunnel protection ipsec profile protect-gre
    R2
    interface Tunnel0
     description Tunnel to R1
     ip address 172.30.1.238 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address 2001:1::172:30:1:2/126
     ipv6 address FE80::172:30:1:2 link-local
     keepalive 5 4
     tunnel source FastEthernet0/1
     tunnel destination 1.2.3.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile protect-gre
    The only solution I can clearly see is running a separate tunnel, which I would like to avoid. Any assistance is greatly appreciated!

    Hello,
    In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
    Gerard

  • Virtual template interface vs Dialer interface?

    Hi all,
    I am a little confused about the virtual template interface and the dialer interface. I understood that both of them are logical interfaces and will be mapped to a physical interface dynamically. What is different? When would I use a virtual template interface or a dialer interface?
    Please suggest too.
    Thanks a lot,
    Nitass

    Hi,
    AFAIK we use virtual templates in L2TP scenarios where you will have a LAC and an LNS.
    The configs related to VT come on the LNS, which is your local network server for your remote clients, from where the L2 tunnel gets originated.
    And about your dialer interfaces: we use them very frequently in most situations, such as where you need to club 2 physical ISDN lines and use them as a single pipe, or use a single ISDN line and connect it to 2 different locations using 2 B channels using 2 dialers...
    If you need to know more about them, I would suggest checking out this link, which will give a fair idea about them.
    http://www.cisco.com/en/US/tech/tk801/tsd_technology_support_category_home.html
    Hope this helps you out.
    Regards

  • Router Dead , when i applied QOS on virtual-temp interface for vpn !!

    Hi all,
    I have a simple, brief topology below:
    PSTN======(R1-7206)>F1=======F2>(R2-7604 catalyst)>>>F1=========Internet
    I have two routers:
    R2========>MLS 7604
    R1======>cisco 7204
    On R2, I'm doing QoS matching by DSCP; I'm matching ACL IPs from the Internet with DSCP values.
    Here is the config for matching:
    Gateway7600#sh policy-map LLQX
      Policy Map LLQX
        Class YOUTUBE
          set ip dscp af43
        Class FACEBOOKVIDEOS
          set ip dscp af33
        Class HTTP
          set dscp af23
        Class DNSQOS
          set dscp af13
        Class class-default
          set ip dscp af11
    ================
    Gateway7600#sh class-map
    Class Map match-all FACEBOOKVIDEOS (id 7)
       Match access-group name  facebookvideos
    Class Map match-all DNSQOS (id 8)
       Match access-group name  dnsqos
    Class Map match-all HTTP (id 6)
       Match access-group name  browsing
    Class Map match-any class-default (id 0)
       Match any 
    Class Map match-all YOUTUBE (id 5)
       Match access-group name  youtube
    Gateway7600#
    =========================================================
    On this router I applied this policy map on interface F1 in the "in" direction,
    and here the matching works well:
    Gateway7600#sh policy-map  interface gigabitEthernet 1/5 in    
    GigabitEthernet1/5
      Service-policy input: LLQX
        class-map: rate-limit (match-all)
          Match: access-group name rate-limit
          police :
            4088000 bps 384000 limit 384000 extended limit
          Earl in slot 1 :
            139044930 bytes
            30 second offered rate 143032 bps
            aggregate-forwarded 134420937 bytes action: transmit
            exceeded 4623993 bytes action: drop
            aggregate-forward 22544 bps exceed 0 bps
        class-map: YOUTUBE (match-all)
          Match: access-group name youtube
          set dscp 38:
          Earl in slot 1 :
            132693939697 bytes
            30 second offered rate 212144928 bps
            aggregate-forwarded 132693939697 bytes
        class-map: FACEBOOKVIDEOS (match-all)
          Match: access-group name facebookvideos
          set dscp 30:
          Earl in slot 1 :
            10726758352 bytes
            30 second offered rate 20682720 bps
            aggregate-forwarded 10726758352 bytes
        class-map: HTTP (match-all)
          Match: access-group name browsing
          set dscp 22:
          Earl in slot 1 :
            56874058537 bytes
            30 second offered rate 92669832 bps
            aggregate-forwarded 56874058537 bytes
        class-map: DNSQOS (match-all)
          Match: access-group name dnsqos
          set dscp 14:
          Earl in slot 1 :
            160308954 bytes
            30 second offered rate 303552 bps
            aggregate-forwarded 160308954 bytes
        class-map: class-default (match-any)
          Match: any
          set dscp 10:
          Earl in slot 1 :
            67394864030 bytes
            30 second offered rate 126884864 bps
            aggregate-forwarded 67394864030 bytes
    =================================================================================
    Now the problem is below.
    The 7200 router is the LNS router, connected with the LAC router for ADSL customers.
    Here is the config of the policy map on the 7200 router:
    R11#sh policy-map
      Policy Map MATCH_MARKS
        Class MATCH_YOUTUBE
          bandwidth 220000 (kbps)
        Class MATCH_FACEBOOKVIDEOS
          bandwidth 20000 (kbps)
        Class MATCH_HTTP
          bandwidth 100000 (kbps)
    =========================================================
    R1#sh class-map
    Class Map match-all MATCH_FACEBOOKVIDEOS (id 2)
       Match ip  dscp af33 (30)
    Class Map match-all MATCH_HTTP (id 3)
       Match ip  dscp af23 (22)
    Class Map match-any class-default (id 0)
       Match any
    Class Map match-all MATCH_YOUTUBE (id 1)
       Match ip  dscp af43 (38)
    ==========================================================
    Here is the virtual-template interface before I apply the QoS:
    R1#sh running-config interface virtual-template 1
    Building configuration...
    Current configuration : 352 bytes
    interface Virtual-Template1
    bandwidth 1000000
    ip unnumbered Loopback0
    ip tcp adjust-mss 1412
    ip policy route-map private
    no logging event link-status
    qos pre-classify
    peer default ip address pool bitsead1 bitsead2
    ppp mtu adaptive
    ppp authentication pap vpdn
    ppp authorization vpdn
    ppp accounting vpdn
    max-reserved-bandwidth 90
    end
    =========================================
    When I apply the command
    (service-policy output MATCH_MARKS) under the virtual-template interface, I get these console logs:
    Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
    Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
    Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
    Also I have:
    *Jul  9 22:28:38.242: Interface Virtual-Access2551 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.250: Interface Virtual-Access627 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.258: Interface Virtual-Access786 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.266: Interface Virtual-Access623 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.274: Interface Virtual-Access2559 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.282: Interface Virtual-Access2281 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:38.290: Interface Virtual-Access142 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul  9 22:28:40.262: %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "VTEMPLATE Background Mgr", ipl= 3, pid= 278,  -Traceback= 0x756FF0z 0x3439C58z 0x2778D70z 0x2CACCD0z 0x2CC63E0z 0x2CC7FF8z 0x2CADC74z 0x2CBE058z 0x2CA0340z 0x2CA04F8z 0x2E0BB18z 0x2D23378z 0x2D1825Cz 0x2D18738z 0x2E66FE0z 0x2D971ACz
    *Jul  9 22:28:40.262: %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "VTEMPLATE Background Mgr", ipl= 3, pid= 278,  -Traceback= 0x756FF0z 0x3439C58z 0x2778D70z 0x2CACD28z 0x2CC63E0z 0x2CC7FF8z 0x2CADC74z 0x2CBE058z 0x2CA0340z 0x2CA04F8z 0x2E0BB18z 0x2D23378z 0x2D1825Cz 0x2D18738z 0x2E66FE0z 0x2D971ACz
    After I apply it,
    the CPU is at 100% and the router went down!
    Now,
    what is the problem?
    Here is the IOS for the 7200 router:
    R1#sh version
    Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(24)T7, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 28-Feb-12 12:53 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
    Bras1 uptime is 13 weeks, 1 day, 9 hours, 24 minutes
    System returned to ROM by reload at 16:24:51 GMT+3 Tue Jun 17 2003
    System image file is "disk2:c7200p-adventerprisek9-mz.124-24.T7.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
    Processor board ID 36858624
    MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
    6 slot VXR midplane, Version 2.11
    Last reset from power-on
    PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
    Current configuration on bus mb1 has a total of 0 bandwidth points.
    This configuration is within the PCI bus capacity and is supported.
    PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
    Current configuration on bus mb2 has a total of 0 bandwidth points.
    This configuration is within the PCI bus capacity and is supported.
    Please refer to the following document "Cisco 7200 Series Port Adaptor
    Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
    for c7200 bandwidth points oversubscription and usage guidelines.
    1 FastEthernet interface
    3 Gigabit Ethernet interfaces
    2045K bytes of NVRAM.
    250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    ==============================================================================
    wish to Help ASAP
    regards

    Hi,
    I did,
    the same issue.
    I did a TEST policy map that has a 30 percent guarantee,
    but the same result!
    The router went down again!
    Here are the logs:
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.605: Interface Virtual-Access1896 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.797: Interface Virtual-Access1317 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.809: Interface Virtual-Access993 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.817: Interface Virtual-Access1699 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.981: Interface Virtual-Access254 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:33.993: Interface Virtual-Access687 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.001: Interface Virtual-Access35 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.009: Interface Virtual-Access160 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.017: Interface Virtual-Access1337 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.029: Interface Virtual-Access1670 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.037: Interface Virtual-Access1948 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.049: Interface Virtual-Access1669 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.109: Interface Virtual-Access1334 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.117: Interface Virtual-Access151 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.125: Interface Virtual-Access761 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.137: Interface Virtual-Access810 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.197: Interface Virtual-Access1522 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.237: Interface Virtual-Access1692 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.257: Interface Virtual-Access368 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.305: Interface Virtual-Access1758 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.317: Interface Virtual-Access2061 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.325: Interface Virtual-Access1203 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.337: Interface Virtual-Access188 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.345: Interface Virtual-Access1975 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.357: Interface Virtual-Access1172 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.509: Interface Virtual-Access1647 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.517: Interface Virtual-Access458 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.609: Interface Virtual-Access608 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.621: Interface Virtual-Access2128 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.633: Interface Virtual-Access1167 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.641: Interface Virtual-Access487 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.653: Interface Virtual-Access1793 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.665: Interface Virtual-Access2280 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.769: Interface Virtual-Access839 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.781: Interface Virtual-Access2311 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.793: Interface Virtual-Access1788 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.857: Interface Virtual-Access8 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.869: Interface Virtual-Access2243 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:34.881: Interface Virtual-Access580 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.057: Interface Virtual-Access6 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.065: Interface Virtual-Access1331 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.077: Interface Virtual-Access1235 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.177: Interface Virtual-Access1748 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.189: Interface Virtual-Access2262 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    *Jul 11 02:40:35.205: Interface Virtual-Access2136 max_reserved_bandwidth config will not
    take effect on the queueing features configured via service-policy
    I want to ask a question: could this be from IOS?
