Gre tunnel over 2 mpls routers
I have 2 sites: the voice server is in Site A and the remote phones are in Site B. Right now the voice VLAN goes over the DMVPN; we are facing some degraded performance and decided to move voice traffic to MPLS.
We need to carry the multicast traffic as well, which is not supported over our MPLS circuit. I have no idea why the provider is not supporting multicast traffic over the MPLS circuit.
So we decided to create GRE tunnels to carry multicast traffic over MPLS. We have L3 switches on both sites, Site A a Cisco 4500 and Site B a Cisco 3850, and MPLS connectivity is reachable up to the L3 core switches. With the 3850 we had an issue creating tunnels and I upgraded the IOS; after upgrading I came to know no more tunnels are supported on the 3850. So we cannot have a GRE tunnel between our L3 switches over the MPLS.
My question is: can I ask the MPLS provider to set up tunnels on their routers, which they are ready to help with, and point the static routes for the voice VLAN towards the GRE tunnels over MPLS?
Can you advise any other solution, or would this solution work?
Aneesh,
Loss of connectivity between the two PEs would indeed cause the GRE tunnel interface to go down, assuming that you configure tunnel keepalives as follows:
int tu0
keepalive
Regards
Similar Messages
-
Tcp mss adjust calculation for GRE tunnel over DSL line
Hi guys,
I need your advice on this one, as I searched on cisco.com and NetPro but was unable to find the exact info that I required.
First, can anyone confirm the following calculation to find out MSS size.
Mss size = MTU size - encapsulation size - tcp header size
So for normal case;
MSS = 1500 - 48 (48 is the tcp/ip header)
so MSS = 1452
Thus in my case GRE tunnel over DSL connection;
MSS = 1492 - 24 - 48 (24 is the GRE encap; 48 is the tcp/ip header)
MSS = 1420
is this correct?
Secondly, where should the ip tcp mss-adjust be implemented? Is it at the Dialer (DSL) interface or at the Tunnel interface?
I don't use the math (it doesn't work for me probably b/c I miss something). Here's how I do it-
C:\>ping 10.125.0.250 -f -l 1600
Pinging 10.125.0.250 with 1600 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.125.0.250 -f -l 1500
Pinging 10.125.0.250 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.125.0.250 -f -l 1400
Pinging 10.125.0.250 with 1400 bytes of data:
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 19ms, Average = 19ms
C:\>ping 10.125.0.250 -f -l 1450
Pinging 10.125.0.250 with 1450 bytes of data:
Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1450 time=20ms TTL=251
Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 20ms, Average = 19ms
C:\>ping 10.125.0.250 -f -l 1475
Pinging 10.125.0.250 with 1475 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.125.0.250 -f -l 1470
Pinging 10.125.0.250 with 1470 bytes of data:
Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251
Reply from 10.125.0.250: bytes=1470 time=20ms TTL=251
Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
Ping statistics for 10.125.0.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 22ms, Average = 20ms
C:\>
1470 works and has a little bit of extra room. The tcp mss-adjust should be done on the LAN interface.
Hope it helps. -
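The probing method in the reply above can be automated. This is an added example, not code from the thread: it parses Windows `ping -f -l` output, bounds the path MTU, and derives an MSS. It assumes 20-byte IPv4 and TCP headers without options and a basic 4-byte GRE header; the transcript is constructed, reusing the probe sizes from the post with a documentation address.

```python
import re

ICMP_OVERHEAD = 28    # 20-byte IPv4 header + 8-byte ICMP echo header
TCP_IP_HEADERS = 40   # assumption: 20-byte IPv4 + 20-byte TCP, no options
GRE_OVERHEAD = 24     # 20-byte outer IPv4 header + 4-byte basic GRE header

# Constructed transcript: probe sizes from the post, one result line per probe.
SAMPLE = """\
Pinging 192.0.2.10 with 1600 bytes of data:
Packet needs to be fragmented but DF set.
Pinging 192.0.2.10 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Pinging 192.0.2.10 with 1400 bytes of data:
Reply from 192.0.2.10: bytes=1400 time=19ms TTL=251
Pinging 192.0.2.10 with 1450 bytes of data:
Reply from 192.0.2.10: bytes=1450 time=19ms TTL=251
Pinging 192.0.2.10 with 1475 bytes of data:
Packet needs to be fragmented but DF set.
Pinging 192.0.2.10 with 1470 bytes of data:
Reply from 192.0.2.10: bytes=1470 time=19ms TTL=251
"""


def parse_probes(transcript):
    """Map each probed ICMP payload size to 'ok', 'frag' or 'lost'."""
    results, size = {}, None
    for line in transcript.splitlines():
        header = re.search(r"Pinging \S+ with (\d+) bytes of data", line)
        if header:
            size = int(header.group(1))
            results[size] = "lost"   # stays 'lost' if only timeouts follow
        elif size is None:
            continue
        elif re.match(r"\s*Reply from \S+ bytes=", line):
            results[size] = "ok"
        elif "needs to be fragmented" in line and results[size] != "ok":
            results[size] = "frag"
    return results


def path_mtu_bounds(results):
    """Return (largest IP packet seen to pass, smallest seen to be too big)."""
    ok = [s for s, r in results.items() if r == "ok"]
    frag = [s for s, r in results.items() if r == "frag"]
    if not ok:
        raise ValueError("no probe got through; cannot bound the MTU")
    low = max(ok)
    if any(s <= low for s in frag):
        raise ValueError("a smaller probe was rejected than one that passed")
    high = min(frag) if frag else None
    # Timed-out ('lost') probes are ignored: they say nothing about size.
    return low + ICMP_OVERHEAD, (high + ICMP_OVERHEAD if high is not None else None)


def mss_for(path_mtu, tunnel_overhead=0):
    """TCP MSS that fits in path_mtu after optional tunnel encapsulation."""
    return path_mtu - tunnel_overhead - TCP_IP_HEADERS


if __name__ == "__main__":
    low, high = path_mtu_bounds(parse_probes(SAMPLE))
    print(f"path MTU is at least {low} and below {high}")
    print(f"MSS without tunnel: {mss_for(low)}, through GRE: {mss_for(low, GRE_OVERHEAD)}")
```

The `-l` value is ICMP payload only, so the packet on the wire is 28 bytes larger than the number typed.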
Hello,
Has anyone here implemented "GRE function over MPLS"?
Would it be possible to point to some links discussing advantages/disadvantages and some design aspects of the same?
Thanks
Cheers,
~sultan
Hello Harold,
Thanks for replying, actually just thought about it, considering the existing customer (P2M) who's running GRE on IPLC links, they want to continue the same after migrating to MPLS, just curious to know whether this implementation has been implemented by anyone and whether it could be improved further.
Thanks
Cheers,
~sultan -
Hello people,
I'm facing a problem trying to establish a GRE tunnel over MPLS. The topology goes as follows:
(server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
-server needs to establish a gre tunnel with FW.
-server receives a default route from CE1 via OSPF.
-CE1 has an default static route pointing to the next hop which is an interface VLAN (in a vrf) on PE1.
- PE1 receives a default route generated by CE2 (via mpbgp).
In this situation the GRE tunnel wouldn't come up. The only way I got the GRE to work was replacing the default static route on CE1 with a more specific static route.
In both cases (default AND specific static routes) the connectivity (ping) from end to end was there.
Has anybody seen anything alike?
thanks,
Bruno
You could be looking at some recursive routing through the GRE interface, so the second it comes up it will try to put the GRE packets through the GRE tunnel, thus creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel or a static route? If so, how is it set up?
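The recursive-routing condition described in the reply above can be checked against a routing table. This is an added example, not part of the thread: it does a longest-prefix match on each tunnel destination and reports tunnels whose own encapsulated packets would be routed back into a tunnel. All prefixes, interface names and routes are constructed.

```python
import ipaddress


def best_route(rib, address):
    """Longest-prefix match over (prefix, out_interface) pairs."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in rib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def resolves_to_loop(rib, tunnels, name):
    """Follow the tunnel destination's route; True if it re-enters a tunnel
    already visited (directly, or through a chain of other tunnels)."""
    seen, current = [], name
    while current in tunnels:
        if current in seen:
            return True
        seen.append(current)
        route = best_route(rib, tunnels[current])
        if route is None:
            return False      # destination unreachable, not a loop
        current = route[1]
    return False              # reached a physical interface


def recursive_tunnels(rib, tunnels):
    return [name for name in tunnels if resolves_to_loop(rib, tunnels, name)]


# Constructed scenario: tunnel destination 203.0.113.9, reached via Vlan10.
TUNNELS = {"Tunnel0": "203.0.113.9"}
RIB_BEFORE = [("0.0.0.0/0", "Vlan10")]
# Once the tunnel is up, a routing protocol running over it advertises a
# prefix that covers the tunnel destination and beats the default route.
RIB_AFTER = RIB_BEFORE + [("203.0.113.0/24", "Tunnel0")]
# A host route for the tunnel destination via the physical path wins again.
RIB_FIXED = RIB_AFTER + [("203.0.113.9/32", "Vlan10")]

if __name__ == "__main__":
    for label, rib in (("before", RIB_BEFORE), ("after", RIB_AFTER),
                       ("fixed", RIB_FIXED)):
        print(label, recursive_tunnels(rib, TUNNELS))
```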
-
Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel
Hello,
We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
Questions:
Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
Please help.
Thanks in advance,
Nick
We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
If there are other suggestions, please advise.
Thanks,
Nick -
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know: when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank -
How to setup GRE tunnel on a 3005
Does the vpn3005 support GRE tunnels and how do I configure it? Reference paper will be fine.
Thanks
/Bent
Yes, VPN 3005 concentrator should support GRE tunnels. Here are some configuration examples for the same.
Configuring a GRE Tunnel over IPSec with OSPF
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml.
For more such examples please refer to:
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html -
Hi folks,
I've to implement two L2TPv3 tunnels over MPLS backbone, primary and backup. I'm thinking about L2 pseudowires, but my question is: with 2 pseudowires, how could I do, if possible, to create a primary and a backup tunnel? Something like FRR?
I've found in a recent post a configuration for two tunnels:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddda49d
but no idea about how to implement a fault tolerance solution.
Any advice will be appreciated
Thanks
Andrea
Andrea,
I think I understand where my confusion comes from. You are using L2TPv3 in a context of VPDN rather than using it as a transport a pseudowire, right?
In this case the L2TPv3 session could just be routed as IP traffic through the core. Or if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
Let me know if that helps, -
Hi,
Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
thanx and regards,
Shakeel Ahmad
I have a problem with MPLS over GRE. When I try to apply a policy to shape the traffic it seems that the default-class doesn't see the MPLS packets.
I'm trying to shape the traffic to 256k but it seems that the shaping is never activated.
Anyone have any idea how to solve this?
Example:
class-map match-all PING
match access-group 171
policy-map class-default
class PING
bandwidth percent 15
policy-map PING
class class-default
shape average 256000
service-policy class-default
INterfacexx
service-policy output PING
access-list 171 permit icmp any any -
IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination
>>both routers are located in different countries and connected with ISP
>>IPsec over GRE tunnel is configured on both the routers
>>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
>>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
>>ISP is not finding any issue with their end
>>Please guide me how i can fix this issue and what need to be check on this ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================
Hello.
First of all, try to reset IPsec (clear crypto isakmp sa ..., clear crypto session ...).
Configure an inbound ACL on the router to match the ESP protocol and check if the packets arrive.
Please provide the full output of "show crypto ipsec sa" from both sides. -
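The counter comparison the poster does by eye across two `sh cry ip sa ... | in caps` snapshots can be scripted. This is an added example, not part of the thread: it computes the change in the encaps/decaps counters and names the direction that stopped moving. The sample lines are the Router_1 counters as posted above; the function names are this example's own.

```python
import re

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Router_1 counter lines as posted, taken at 15:09:45 and 15:11:36 UTC.
R1_FIRST = """\
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
"""
R1_SECOND = """\
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
"""


def parse_counters(text):
    """Sum encaps/decaps over every SA in the output; trailing notes after
    the numbers (such as the poster's '>>>>' annotations) are ignored."""
    totals = {"encaps": 0, "decaps": 0}
    found = set()
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
        found.add(name)
    if found != {"encaps", "decaps"}:
        raise ValueError("output has no encaps/decaps counter lines")
    return totals


def counter_delta(before, after):
    """Packets encapsulated and decapsulated between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    delta = {k: a[k] - b[k] for k in a}
    if min(delta.values()) < 0:
        # New SAs start from zero, e.g. after a rekey or 'clear crypto session'.
        raise ValueError("counters went backwards; SAs were re-established")
    return delta


def direction(delta):
    sent, received = delta["encaps"] > 0, delta["decaps"] > 0
    if sent and received:
        return "bidirectional"
    if sent:
        return "tx-only"    # this router encrypts, nothing arrives from the peer
    if received:
        return "rx-only"    # peer traffic arrives, nothing is sent into the SA
    return "idle"


if __name__ == "__main__":
    d = counter_delta(R1_FIRST, R1_SECOND)
    print(d, direction(d))
```

Running the same comparison on the peer's two snapshots shows whether the missing direction is lost before encryption or in transit, which is what the inbound ESP ACL suggested in the reply would confirm.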
Dear expert,
Currently I have a problem running bridging over a GRE tunnel. We are using a Cisco 3640 but somehow under tunnel 0 there is no 'bridge-group 1' command. We are trying to get the IOS that supports the command under tunnel 0 but to no avail. Can someone help me? Thanks
--ran
It's a hidden command. Even so, you might get a warning message stating this is obsolete and unsupported; it's still technically a valid configuration. Legacy, but works.
Keep in mind there are better solutions for this kind of connections. But you can try it, it's simple anyways.
Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
2. Create bridge:
router(config)#bridge 1 protocol ieee
3. Create a GRE tunnel interface (dont configure IP's):
router(config)# interface tun0
router(config-if)# tun source loopback x
router(config-if)# tun destination <other router loopback ip>
router(config-if)# bridge-group 1
**This is a hidden cmd. You will get a warning message, but ignore it**
3. Attach Physical Interface to Bridge as well:
router(config)# interface Fa0/0
router(config-if)# bridge-group 1
4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
You can try this on GNS3 as well. I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier. It also helps to understand the newer versions/enhancements to this as well.
HTH -
URGENT - tag-switching over gre-tunnel - how ??
hi,
my problem is that i want to connect two pe-router
over a gre-tunnel.
this is because between the two pe´s i unfortunatly have two cisco828 router as modemrouter inbetween which do no tag-switching.
so i decided to use a gre tunnel between the two pe´s to do tag-switching.
but if i want to forward packets greater than 1492 bytes and the df-bit is set - no chance.
here is the figure and config of the two tunnels:
c3640 - c828 -LINE- c828 - c3640
<==========TUNNEL===============>
first c3640:
interface Tunnel65052
description PE-PE Verbdg. Hoersching-Pasching
ip unnumbered Loopback0
ip mtu 1512
load-interval 30
tag-switching mtu 1512
tag-switching ip
keepalive 10 3
tunnel source 10.20.192.3
tunnel destination 10.20.192.6
second c3640:
interface Tunnel65052
description PE-PE Verbdg. Hoersching-Pasching
ip unnumbered Loopback0
ip mtu 1512
load-interval 30
tag-switching mtu 1512
tag-switching ip
keepalive 10 3
tunnel source 10.20.192.6
tunnel destination 10.20.192.3
on the 828 router i did no adjustment of mtu !
if i do a ping:
r-enns1#pi vrf lkg 172.16.169.121 size 1492 df
Type escape sequence to abort.
Sending 5, 1492-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/211/212 ms
r-enns1#
r-enns1#
r-enns1#
r-enns1#
r-enns1#pi vrf lkg 172.16.169.121 size 1493 df
Type escape sequence to abort.
Sending 5, 1493-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
r-enns1#
please help - thanks
Here's at least two options you could try:
1) Lower the MTU on the tunnel-interface and let PMTU on the endpoints take care of the fragmentation. This could have some serious implications all depending on the systems and applications/protocols used on the network, but in most cases it'll work just fine.
2) Simply remove the DF-bit on incoming packets to the router and lower the MTU on the tunnel-interface and let the router do fragmentation regardless of what the endpoints says. Since you have a 3640 on each end and 828's in the middle, I think it should be capable of this..
You should do a MSS-modification as well in both cases.
Change the MTU like this:
interface Tunnel65052
ip mtu 1488
tag-switching mtu 1500
Then you have set all IP-packets to maximum 1488 bytes (including headers) and let there be room for 3 MPLS labels...
At least I think it should behave like this... please don't kill me if i'm wrong.. :)
Remove the DF-bit with route-map's on the inside interfaces:
interface FastEthernet1/0.100
description inside interface
ip policy route-map clear-df
ip tcp adjust-mss 1424
route-map clear-df permit 10
set ip df 0 -
Is it possible?.
Configure SNA tunnel over GRE tunnel
To my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.
-
GRE over MPLS not working...
Hi
I've a GRE tunnel configured between a CE and a PE.
I guess the problem is on the PE side, this is my config:
interface Loopback99
ip vrf forwarding dar
ip address 99.99.99.99 255.255.255.255
interface Tunnel199
ip vrf forwarding dar
ip address 11.11.11.1 255.255.255.252
ip policy route-map dfbit
tunnel source Loopback99
tunnel destination 88.88.88.88
tunnel path-mtu-discovery
Everything is reachable between PE and CE, but on the tunnel interface I wasn't able to find out the "tunnel vrf dar" command...
I've a Cisco 7206VXR (164 ram and 128 flash) and on the software feature navigator I wasn't able to find out an IOS support it..
Can anybody tell me why ?
Tks
Ric
Riccardo,
This feature is available starting with 12.3(2)T.
Regards -
HI There,
I was wondering if an expert on FlexVPN would be able to comment on this..
I am looking to use FlexVPN hub and spoke deployment using the FLEXoMPLS feature... So I will have hub routers connected to remote routers via IPSec/GRE tunnels. This enables VRFs at hub and spokes to be joined via MPLS point-to-point link.
Can someone please confirm if it would be possible to NAT at the remote site with the VRF interface being on the inside and the IPSec/GRE tunnel in the global VRF on the outside??
Thanks in advance.
Lee.
Well thanks for all the help but I am not going to be able to use this method, I am not going to be able to connect a cable at all the sites, I don't know if I can just wire an RJ-45 as a loopback plug maybe but still not a good method. Also when I reconfigure my Linux box with both the networks it does not add the second network and I lose ASDM, I guess I shouldn't have changed the management interface. Is there any other method, what I was wondering does it send the syslog with the ASA outside interface IP to the remote syslog IP, if so can or would a NAT static with the orig. working on the outside with the ASA IP and the dest of the syslog translating to a single IP on the VPN network back on the outside interface... seems like a simple thing to ask to do, I kind of understand what is going on but seems there needs to be a check box to say this syslog server is over a VPN and it takes care of all the magic.