MTU Question.

Can someone please explain the two different behaviours of MTU shown in the output below:
In the first output, why don't we see packet loss although the packet size is bigger than the MTU size,
whereas in output 2 we notice packet loss although the packet size is 1481 and the MTU size is 1480?
=== Output 1 ===
ROU#sh int t3
Tunnel3 is up, line protocol is up
Hardware is Tunnel
Description: ***Connect to Ro_03 Tunnel1 Fe0/0/0***
Internet address is 21.233.41.21/30
MTU 17920 bytes, BW 4096 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 21.233.7.22 (GigabitEthernet0/0/4), destination
21.233.41.246
   Tunnel Subblocks:
     src-track:
         Tunnel3 source tracking subblock associated with
GigabitEthernet0/0/4
         Set of tunnels with source GigabitEthernet0/0/4, 10 members (includes iterators), on interface <OK>
Tunnel protocol/transport IP/IP
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1480 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 12000 bits/sec, 1 packets/sec
5 minute output rate 13000 bits/sec, 1 packets/sec
     16274329 packets input, 3173533969 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     18686934 packets output, 8984626725 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
ITC#ping
Protocol [ip]:
Target IP address: 21.233.41.22
Repeat count [5]: 1000
Datagram size [100]: 2048
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 2048-byte ICMP Echos to 21.233.41.22, timeout is 2 seconds:
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 33/33/76 ms
=== Output 2 ===
ROU#ping
Protocol [ip]:
Target IP address: 21.233.179.241
Repeat count [5]: 1000
Datagram size [100]: 1481
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 1481-byte ICMP Echos to 21.233.179.241, timeout is 2 seconds:
Success rate is 98 percent (984/1000), round-trip min/avg/max = 69/70/175 ms
===
Best Regards,

Hi,
I think you should move this post to the appropriate section because I don't see any relationship with IPv6 here.
Hi, if you had an MTU problem all your packets should be dropped, and you would have to set the DF bit in the extended ping to test, because by default, if the DF bit is not set, the routers will fragment the packets.
Regards.
Alain.
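The behaviour the reply describes, as an added example that is not part of the original thread: a small model of RFC 791 fragmentation applied to the two pings above, with and without the DF bit. It assumes (as the thread does not spell out) that Cisco's ping "Datagram size" is the whole IP packet including its 20-byte header, that the IP/IP tunnel costs exactly one extra 20-byte IPv4 header (1500 - 20 = 1480, matching "Tunnel transport MTU 1480 bytes"), and that the GRE overhead value is the usual 24 bytes; the exact point at which a given IOS platform fragments (inner packet before encapsulation or outer packet after) is deliberately not modelled.

```python
"""Added example (not from the original post): model the two pings in the
thread with RFC 791 fragmentation at the tunnel's transport MTU, with and
without the DF bit set.

Assumptions (labelled because the thread does not state them):
  - Cisco's ping 'Datagram size' is the whole IP packet, 20-byte header
    included, so a 1481-byte datagram is 1 byte over a 1480-byte MTU.
  - The tunnel is IP/IP ('Tunnel protocol/transport IP/IP'), so the only
    encapsulation cost is a second 20-byte IPv4 header: 1500 - 20 = 1480.
  - Only the DF/no-DF outcome is modelled, not where IOS fragments.
"""

IPV4_HDR = 20  # minimum IPv4 header, no options

# Bytes each encapsulation adds to the inner packet (assumed, typical values).
ENCAP_OVERHEAD = {
    "ipip": IPV4_HDR,        # outer IPv4 header only
    "gre": IPV4_HDR + 4,     # outer IPv4 + 4-byte GRE header without key/seq
}


def transport_mtu(physical_mtu, encap):
    """Largest inner packet that still fits the physical link once encapsulated."""
    return physical_mtu - ENCAP_OVERHEAD[encap]


def fragment(total_len, mtu, df=False, ihl=IPV4_HDR):
    """RFC 791 fragmentation of one IPv4 packet of total_len bytes onto a
    path with the given MTU.  Returns the total length of each fragment.
    An empty list means the packet is discarded: DF is set and it does not
    fit, which is when a router sends ICMP Type 3 Code 4 (fragmentation
    needed) back to the sender instead of forwarding."""
    if total_len <= mtu:
        return [total_len]
    if df:
        return []
    payload = total_len - ihl
    # Every fragment except the last carries a multiple of 8 data bytes,
    # because the fragment offset field counts 8-byte units.
    chunk = (mtu - ihl) // 8 * 8
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(ihl + take)
        payload -= take
    return frags


def ping_outcome(size, mtu, df):
    """Describe what one ICMP echo of 'size' bytes does at the MTU boundary."""
    frags = fragment(size, mtu, df)
    if not frags:
        return "dropped: DF set and %d > %d (ICMP fragmentation needed)" % (size, mtu)
    if len(frags) == 1:
        return "delivered unfragmented (%d bytes)" % size
    return "delivered in %d fragments of %s bytes" % (len(frags), frags)


def df_sweep(mtu, lo=1400, hi=1600):
    """Emulate a DF-bit ping sweep: the largest size that is not rejected is
    the path MTU the sender can rely on.  This is the test the reply above
    recommends instead of a plain (fragmenting) ping."""
    return max(s for s in range(lo, hi + 1) if fragment(s, mtu, df=True))


if __name__ == "__main__":
    mtu = transport_mtu(1500, "ipip")                      # 1480, as in the show output
    print("Output 1:", ping_outcome(2048, mtu, df=False))  # fragmented, all delivered
    print("Output 2:", ping_outcome(1481, mtu, df=False))  # also fragmented: no MTU loss
    print("DF probe:", ping_outcome(1481, mtu, df=True))   # the test that actually fails
    print("DF sweep finds path MTU", df_sweep(mtu))
```

The model is all-or-nothing: with DF clear every size in both outputs is fragmented and delivered, and with DF set everything above 1480 bytes is dropped. A 98 percent success rate is neither, which is the point of the reply above: the loss in output 2 is not what an MTU mismatch produces, and a DF-bit sweep is the probe that would actually reveal one.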

Similar Messages

  • WRT54GS MTU Question

    Hi. I owned a WRK54G for a few years and just replaced it with a WRT54GS. I'm not too knowledgeable in the area, but I've been wondering what a good MTU to start off with would be. I have most of the other settings down.

    The Optimum Online website didn't have any info. So, I found a FAQ for Optimum Online on dslreports.com. They stated that an MTU value of 1500 should be used as well, so I'll go with them. I have another noob question that's been bothering me. I realized that I purchased version 6 of the router, while the newest version is 7. Looking at Wikipedia, I see that version 7 has a faster clock speed. I won't be using third party firmware, so does it matter?

  • ASR - IPSEC, GRE, channel group, and MTU Questions

    I have an ASR1004 and am trying to load-balance a 1.5G data rate over two 1-Gig ports using IPSEC ports, but I have a few questions.
    1. Can GRE support a 9K mtu
    2. Can you run IPSEC on a channel-group
    3. Can the ASR load-balance per S&D on a channel-group?
    I currently have two separate tunnels, one on each outbound gig link with OSPF running. However, I can't get a 7000 mtu w/ the DF bit set through to the distant end. I am guessing this is because of the GRE interface.
    So is it possible to run IPSEC on a channel-group and have this load balance per S&D? I need to use the BW of both ports.
    Thanks for the help!

    On the ASR1004 router we can only send packets with a maximum MTU size of 1438 bytes over the encrypted tunnel.

  • MTU for AToM question...

    Hi:
    I have a question regarding AToM.
    Say I have CE1---PE1----P1----P2----PE2-----CE2
    CE1 to PE1 - Ethernet 802.1Q
    CE2 to PE2 - FR
    To get AToM up and working, would I need to change the mtu on the PE and P routers in the core?
    And if so to what value?
    What command would I use, if I had to: mtu or mpls mtu?
    Thanks for your help.
    Sincerely.

    So you would want to change the mpls mtu on the PE and P routers to accommodate a full ethernet frame plus the two mpls labels and any other additional info, like control words or vlan tag you might be transferring across the backbone, a value like 1514 would work, but if you ever decide to do straight ethernet to ethernet l2vpn with QinQ, then you would be up to 1530. If you maybe did serial links in the future, you'd maybe be up to 4480-4490.
    In most SP environments I've worked in, it's standard to set the MPLS backbone mpls mtu to 9100 or 9192 at install time to remove any issues with the backbone MTU.
    Mpls mtu only affects handling of labeled packets, not unlabeled packets.

  • OSPF 'ip ospf mtu-ignore' Question

    Hey Guys,
    If I have a router with 3 sub interfaces off of a GigabitEthernet interface which is directly connected to a switch via a trunk, would I need to set 'ip ospf mtu-ignore'?
    I'm assuming that if I'm running subinterfaces using dot1q, the MTU in the DBD packets will be 1504, and when it hits either a router port on a L3 switch or an SVI it would be 1500?

    John the router's subinterface and the switch's trunk should "hide" the VLAN tags. I.e. there shouldn't be any need for mtu-ignore (at least I never recall a need for it on such configurations).

  • MTU - MPLS DS3 Setup Question

    I'm not sure if I am in the correct section.
    We have an MPLS network with DS3s. From what I understand (and correct me if I am wrong), MPLS puts 4 bytes on the packet. Our serial has an MTU size of 4470. Our Ethernet has an MTU size of 1500.
    Do I need to change the MTU size, and if so on which interface do I need to make this change. My thinking is to change it on the serial interface (MTU => 4466).
    Am I right in my assumption?

    Hi,
    MPLS will add 4 bytes extra to the plain IP packet. Applications of MPLS (MPLS-VPN, AToM, MPLS TE, MPLS QoS) will add stacks of labels to the IP packet. So if you are running MPLS applications on your network then the Layer 2 MTU of the physical media should be capable of handling this extra stack of labels.
    In your case, since DS3 has an MTU of 4470 and most data packets come from Ethernet, it is capable of carrying MPLS labelled packets. You need to increase the MPLS MTU of your Ethernet media = Physical MTU + No. of label stacks (depends on applications). It is advisable to configure the MPLS MTU on the Ethernet interface to 1546 (1500 bytes + 46 bytes extra ... though it is more than needed for basic MPLS or MPLS VPN, considering future development it will be better to keep the MPLS MTU at a higher value).
    Note: The MPLS MTU command is applicable only to labelled packets. If any unlabelled packet larger than 1500 bytes enters the Ethernet interface then it will get fragmented or dropped (depending on the DF bit flag in the IP header)
    int ethernet0
    mpls mtu 1546
    HTH....

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect to my ASA 5505 firewall via Cisco VPN Client 64-bit, I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
    The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
    I would appreciate some help please
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end
    ciscoasa#                           

    Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-site VPN in multiple context mode was added in 9.0(1) and I have customers who have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • ASA 5505 Interface Security Level Question

    I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
    I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
    The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
    Can someone show me what I did wrong?
    Thank you for any help!
    To create the VLAN, I did the following:
    int vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    no shutdown
    int Ethernet0/1
    switchport trunk allowed vlan 1 5
    switchport trunk native vlan 1
    switchport mode trunk
    no shutdown
    below is the whole config.
    Result of the command: "sho run"
    : Saved
    ASA Version 9.1(3)
    hostname ciscoasa
    enable password zGs7.eQ/0VxLuSIs encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport trunk allowed vlan 1,5
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address <External IP/Mask>
    interface Vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Inside_Server1_80
    host <Inside_server1_IP>
    object network Inside_Server1_25
    host <Inside_server1_IP>
    object network Inside_Server1_443
    host <Inside_server1_IP>
    object network Inside_Server1_RDP
    host <Inside_server1_IP>
    object service RDP
    service tcp destination eq 3389
    object network Outside_Network1
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network TERMINALSRV_RDP
    host <Inside_server2_IP>
    object network Inside_Server2_RDP
    host <Inside_Server2_IP>
    object-group network Outside_Network
    network-object object Outside_Network1
    network-object object Outside_Network2
    object-group network RDP_Allowed
    description Group used for hosts allowed to RDP to Inside_Server1
    network-object object <Outside_Network_3>
    group-object Outside_Network
    object-group network SBS_Services
    network-object object Inside_Server1_25
    network-object object Inside_Server1_443
    network-object object Inside_Server1_80
    object-group service SBS_Service_Ports
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
    access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
    access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
    access-list Guest-VLAN_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Inside_Server1_80
    nat (inside,outside) static interface service tcp www www
    object network Inside_Server1_25
    nat (inside,outside) static interface service tcp smtp smtp
    object network Inside_Server1_443
    nat (inside,outside) static interface service tcp https https
    object network Inside_Server1_RDP
    nat (inside,outside) static interface service tcp 3389 3389
    object network TERMINALSRV_RDP
    nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
    object network Inside_Server2_RDP
    nat (inside,outside) static interface service tcp 3389 3390
    nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Guest-VLAN_access_in in interface Guest-VLAN
    route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
    dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
    dhcpd lease 43200 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 129.6.15.30 prefer
    username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect icmp
      inspect icmp error
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
    : end

    Hi,
    To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
    One very important thing to notice, and which I think is the most likely reason this happened, is the fact that as soon as you attach an interface ACL to an interface then the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
    What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
    Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni
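The ordering point in the answer above, as an added example that is not part of the original thread: a first-match evaluator for ASA-style extended ACLs run against the three variants of Guest-VLAN_access_in under discussion (permit-only, deny-then-permit, and the same two lines in the wrong order), plus a check for ACEs that an earlier line shadows. It parses only the `access-list NAME extended {permit|deny} ip SRC DST` form with `any`, `host A` or `A MASK` operands, which is the form the thread uses; the guest host 192.168.22.50 and inside host 172.16.0.10 are constructed from the subnets in the config, not taken from it.

```python
"""Added example (not from the original thread): first-match evaluation of
ASA-style extended ACLs, to show why 'permit ip any any' on the guest
interface let guests reach the inside network regardless of security-level,
and why the deny line has to come first.

Assumptions: only 'access-list NAME extended {permit|deny} ip SRC DST' with
any / host A / A MASK operands is parsed.  The hosts 192.168.22.50 (guest)
and 172.16.0.10 (inside) are constructed test addresses.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tok, i):
    """Consume one address operand at tok[i]; return (network, next_index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # 'A.B.C.D M.M.M.M' with a dotted netmask, as the ASA writes it
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Return [(action, src_net, dst_net)] in configuration order."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, i = _operand(tok, 5)
        dst, _ = _operand(tok, i)
        rules.append((tok[3], src, dst))
    return rules


def evaluate(rules, src, dst):
    """ASA semantics: the first ACE that matches wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in rules:
        if s in sn and d in dn:
            return action
    return "deny"


def shadowed(rules):
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every source and destination they cover (the misordered deny)."""
    out = []
    for j, (_, sj, dj) in enumerate(rules):
        if any(sj.subnet_of(si) and dj.subnet_of(di) for _, si, di in rules[:j]):
            out.append(j)
    return out


# The interface ACL variants under discussion.
PERMIT_ONLY = [
    "access-list Guest-VLAN_access_in extended permit ip any any",
]
DENY_FIRST = [  # what the original poster ended up with
    "access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0",
    "access-list Guest-VLAN_access_in extended permit ip any any",
]
DENY_LAST = list(reversed(DENY_FIRST))  # same two lines, wrong order


def guest_to_inside(acl_lines, src="192.168.22.50", dst="172.16.0.10"):
    """Verdict for one guest host talking to one inside host under acl_lines."""
    return evaluate(parse_acl(acl_lines), src, dst)


if __name__ == "__main__":
    for name, acl in [("permit only", PERMIT_ONLY), ("deny first", DENY_FIRST), ("deny last", DENY_LAST)]:
        rules = parse_acl(acl)
        print(f"{name:11}: guest->inside {evaluate(rules, '192.168.22.50', '172.16.0.10')},"
              f" guest->Internet {evaluate(rules, '192.168.22.50', '8.8.8.8')},"
              f" shadowed ACEs {shadowed(rules)}")
```

Once an ACL is bound to the interface the evaluator above is the whole policy: the implicit low-to-high deny that security-level would have given is gone, so a lone `permit ip any any` permits guest-to-inside, and putting the deny after it leaves that deny permanently shadowed, which `shadowed()` flags.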

  • Question in asa site-site vpn about "ident" ??

    Hi all,
    I have a topology as
    (192.168.0.0/24)LAN1----------------asa1---------------internet-----------------------asa2------------------LAN2(192.168.2.0/24)
    Now, LAN 1 can reach LAN 2 by site-to-site VPN,
    but I have a question:
    when I have
    #sh crypto ipsec sa
    ====================================================================
    interface: outside
        Crypto map tag: Azure_IPSecCryptoMap, seq num: 2, local addr: xxxx
          access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: xxxxx
          #pkts encaps: 294823, #pkts encrypt: 294823, #pkts digest: 294823
          #pkts decaps: 208795, #pkts decrypt: 208795, #pkts verify: 208795
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 294823, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: xxxxxxxxxx/0, remote crypto endpt.: xxxxxxxx/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 81F3ABF6
          current inbound spi : FAE91312
        inbound esp sas:
          spi: 0xFAE91312 (4209578770)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
             sa timing: remaining key lifetime (kB/sec): (4373327/621)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x81F3ABF6 (2180230134)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
             sa timing: remaining key lifetime (kB/sec): (4370375/621)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    ================================================================================
    My problem is
    that my asa1 LAN1 only reaches asa2 if its destination is subnet 192.168.2.0/24, I mean if I request the Internet I can't reach it!!!
    Note that the crypto map ACL says destination "any" will go to asa2, but why, when I requested the destination of LAN2, does it respond, and if I requested 8.8.8.8 it doesn't reach asa2??
    I used packet tracer to investigate, it seems stuck!!!
    How to change the remote ident as in the red line above??? I think it is the issue that is preventing me from reaching the Internet by asa2.
    Again,
    what issue in the ASA has a relation to the remote ident and how can I change it?
    Any help?
    Regards

    CSCO,
    The lines below match the interesting traffic for this VPN. You will not see a specific host address unless you configure that within your crypto ACL. Basically you have some host in network 192.168.0.0/24 (LOCAL) going to 192.168.2.0/24 (REMOTE). The REMOTE IDENT is the remote network where the remote host resides, which matches your interesting traffic.
    So long story short, you have some local host in the 192.168.1.0/24 range going to some host in the 192.168.2.0/24 range.
    This ACL has to do with the address you map to the match address line of your crypto map.
          access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports. However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site and their NOC center. I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session set up. Ultimately, this will be 8 individual sites, so setting up SSL VPNs at each site would be cost prohibitive from a licensing perspective. My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPNs via ASA5505 (same rev as the 5510) set up with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web server (the site has a static entry mapping an external address to the internal address of the web server). I am unable to browse (via bookmark) to the internal address of the remote web server. Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal. I am testing this external connectivity using a cell card to be able to simulate outside access. Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions. I am not able to use controls that require my company's ActiveX controls (video, primarily). I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through. The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined, even going as far as doing an ANY ANY, just for testing purposes, to no avail. I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0 and 192.168.18.0 are two other private LANs behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out.  Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% properly to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACLs between the 5510 and the 5505.
    I guess the main question is: is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • Netboot will not work: getting globe, then flashing folder with question mark.

    I just created a netboot image, which went off without any problems.  I copied the two .nbi folders to my NetBootSP0 folder and enabled them within netboot.  My OS X server is both my netboot server and DHCP server.  When I boot using N or Option-N, I get the flashing globe for several seconds; the request goes through to the server and gets ACK {SELECT}, however a few seconds later I get the flashing folder and question mark before it does a normal boot.  I have read the other posts about DHCP and subnets.  My server and clients are all on 255.255.0.0.  Any suggestions would be very helpful, as I need this to work for several buildings.

    This might work for some:
    I had the same problem of the netboot image not mounting/opening (spinning globe, then booting back to the Mac HD on the client), and it was only when I remembered that we had manually experimented with jumbo frame rates and the MTU settings for our 32TB RAID in the Hardware settings for the Ethernet ports on our servers. I turned the settings back to "Automatic" with 1000baseT on, and then the whole NetInstall and NetBoot was working perfectly again.

  • DNS and Static IP Address Question on Solaris v10 X86

    I've recently installed Solaris v10 X86 and have two questions. The system is a Dell E521 with 4GB RAM and a 1GB SysKonnect NIC, and internet is provided via a cable modem that's plugged into a Netgear router; the Solaris 10 box is plugged into the Netgear router via a CAT5 ethernet cable.
    1. I can connect to my router login page using the following URL:
    http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
    2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (The ip address presently floats when cycling my PCs on/off, and I assume the Solaris box's will too, usually through an ip range of 192.168.1.<1 through 5>.)
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    skge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
    ether 0:0:5a:9b:1f:10
    # netstat -rn
    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    192.168.1.0 192.168.1.3 U 1 1 skge0
    224.0.0.0 127.0.0.1 U 1 0 lo0
    default 192.168.1.1 UG 1 0
    127.0.0.1 127.0.0.1 UH 8 163 lo0
    Some of the present Netgear router settings:
    Internet IP Address
    Get Dynamically From ISP (yes)
    Use Static IP Address      (no)
    IP Address           75.185. CROSSED-OUT3
    IP Subnet Mask      255.255.248.0
    Gateway IP Address      75.185.CROSSED-OUT4
    Domain Name Server (DNS) Address
    Get Automatically From ISP (yes)
    Use These DNS Servers (blank)
    Primary DNS      ... (blank)
    Secondary DNS      ... (blank)
    Netgear Router Status Page:
    Account Name      WGT624v3
    Hardware Version      V3H1
    Firmware Version      V2.0.16_1.0.1NA
    Internet Port
    MAC Address      00:40:ca:a8:CROSSED-OUT2
    IP Address           75.185.CROSSED-OUT3
    DHCP           DHCPClient
    IP Subnet Mask      255.255.248.0
    Domain Name Server      65.24.7.3
              65.24.7.6
    LAN Port
    MAC Address      00:18:4D:85:CROSSED-OUT1
    IP Address           192.168.1.1
    DHCP                ON
    IP Subnet Mask      255.255.255.0
    Excerpt from doing a prtconf -D command:
    pci10de,26f, instance #0 (driver name: pci_pci)
    pci1028,8010, instance #0 (driver name: hci1394)
    pci1148,5021, instance #0 (driver name: skge)
    pci1028,1ed
    pci1022,1100
    The NIC is a SysKonnect 9821 1GB Ethernet card. The drivers in Solaris 10 were apparently very old and didn't install drivers or configure/plumb when I installed Solaris 10, so I downloaded the latest drivers (hard to find!), followed the instructions and got the NIC drivers installed and then plumbed.
    My router's ip address appears to be 192.168.1.1 and in one of the articles I've read, there is a recommendation to create a file (touch) within /etc named defaultrouter and enter the router's ip address. I did this, and the file now contains:
    192.168.1.1
    I also read that another file called resolv.conf needed to be pointed to a DNS server, which in this case, according to my Netgear router, and according to ipconfig/all on another WinBox on the same network, is the same 192.168.1.1 address, so I created that file too (it wasn't there) and it contains:
    nameserver 192.168.1.1
    There is a host name file called hostname.skge0 and it contains one line:
    INTHOST
    There is a hosts file, and it contains:
    127.0.0.1 localhost loghost homex86
    192.168.1.3 INTHOST
    There is a netmasks file, and other than the commented out lines, it appears to contain one relevant line:
    192.168.1.0 255.255.255.0
    There is a nsswitch.conf file and other than the commented out lines, it contains:
    passwd: files
    group: files
    hosts: files
    ipnodes: files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files
    aliases: files
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files
    There is an nsswitch.dns file:
    passwd: files
    group: files
    ipnodes: files dns
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files
    aliases: files
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files
    Finally, I've also seen some advice using the following command (and I tried it):
    "route add default 192.168.1.1" as an alternative method of setting up the route table
    The only other command I've tried is:
    "ifconfig skge0 192.168.1.1 netmask 255.255.255.0 up" but I suspect that was redundant as the plumb command I used to get the NIC functioning earlier probably already provided what was needed.
    Finally, on this small network, I ran an ipconfig/all on a Windows based PC, to see what network settings were reported through the wireless connection, and this is an excerpt of that information:
    C:\Documents and Settings\mark_burke>ipconfig/all
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
    Physical Address. . . . . . . . . : (withheld)
    Ethernet adapter {xxxxxxxx}:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Packet Scheduler Miniport
    Physical Address. . . . . . . . . : (withheld)
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :
    Ethernet adapter Wireless Network Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Dell Wireless 1370 WLAN Mini-PCI Card
    Physical Address. . . . . . . . . : (withheld)
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1

    > I've recently installed Solaris v10 X86 and have two questions. The system is a Dell E521 with 4GB RAM and 1GB SysKonnect NIC, and internet is provided via a cable modem, that's plugged into a Netgear router, and the Solaris 10 box is plugged into the Netgear router via a CAT5 ethernet cable.
    > 1. I can connect to my router login page using the following URL: http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
    You can either copy nsswitch.dns to nsswitch.conf, or you can modify nsswitch.conf so that 'dns' is used for hostname lookups.
    > 2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (the ip address floats presently when cycling my PC's on/off) presently, and assume the Solaris box will too, usually through an ip range of 192.168.1.<1 through 5>
    One method is setting the router so that the server's MAC address is tied to a specific IP.
    Otherwise you can edit /etc/hostname.<interface> and place a static address there, forgoing DHCP services from the router. You may want the address to appear outside the router's DHCP range.
    Darren

  • 1760 Router Questions

    Essentially, I've been studying for the CCNA and I've decided to purchase some older equipment to set up in my house so I can get some additional practice with the IOS interface. I've been looking at 1760 routers on ebay, and it seems like a pretty good place to start as I would like to actually use the devices in my current LAN, rather than simply setting up a lab.
    My question is, could I take a 1760 and connect it to my cable modem, and then connect a switch (say a 2950 that I'll purchase at a later date) to another interface? What add-in cards will I need to make this possible?
    Here's a graphic representation of what I'd like to do.
    If the 1760 isn't a good choice for this sort of setup, what would you recommend? I'd prefer 100Mbit/sec capable routers if possible.
    Thanks for the help/suggestions.

    Taylor,
    if you have a VLAN-capable switch and proper IOS support, you can configure a PPPoE client on a subinterface, hence you can use the 1760 (or any other router) to connect to the ISP and route between VLANs.
    This is my current setup:
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.4
    encapsulation dot1Q 4
    ip pim dense-mode
    ip igmp query-interval 125
    pppoe enable group global
    pppoe-client dial-pool-number 9
    interface Dialer9
    mtu 1490
    bandwidth 4672
    bandwidth receive 480
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip policy route-map RM-loop1
    dialer pool 9
    crypto map CM-1
    crypto ipsec client ezvpn witopia_IAD
    As you can see, I use a subinterface to do the PPPoE client and have the Dialer9 interface receive the public IP address; then I route traffic to other subinterfaces. I used to do that on a 1751 and on a 1721; this is now a 1921.
    You need to ensure the PPPoE client on 802.1Q subinterfaces is supported in the IOS version you run, and obviously that 802.1Q subinterfaces are supported.
    You can check all of that in the Cisco Feature Navigator.
    Enjoy
    Fabio

  • DMVPN w/ Multicasting setup/questions

    Hello
    I have a lot of questions, so bear with me as I puke them out of my head.
    I have been doing some testing with DMVPN in conjunction with multicasting video (hub and spoke, with no spoke-to-spoke). The test setup is using 2 Cisco 2811s without the VPN module.  I understand the performance hit with not having the module. With that being said, here are my questions.
    1. With encryption on, both the hub and spoke routers are using 90-97% CPU (8Mb multicast stream).  With encryption off, the hub is around 60%, and the spoke around 75%.  Here is where I'm confused.  If I send that same stream as a unicast stream, with encryption on, both the hub and spoke are only using around 30-35% CPU.  Why is there so much more CPU needed when it's a multicast stream?
    2. In the current config i'm seeing input, throttles, and ignore errors on the Hub and spoke.  The Hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean.  I have checked and there are no duplex or speed mismatches.  Any ideas?
    HUB:
    Current configuration : 1837 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Hub
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone Central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip name-server 8.8.8.8
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 450
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 216.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1 (LAN)
    ip address 128.112.64.5 255.255.248.0
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.112.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    ip http server
    ip http authentication local
    ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO
    Spoke:
    Current configuration : 1857 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Spoke
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip pim sparse-mode
    ip nhrp map 192.168.11.1 216.x.x.x
    ip nhrp map multicast 216.x.x.x
    ip nhrp network-id 1
    ip nhrp holdtime 450
    ip nhrp nhs 192.168.11.1
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 216.x.x.x
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 65.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1  (LAN)
    ip address 128.124.64.1 255.255.248.0
    ip pim sparse-mode
    ip igmp join-group 239.10.10.10
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.124.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 65.x.x.x
    no ip http server
    no ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO

    Joe,
    You ask the right question.
    CPU utilization = CPU consumed by processes + IO operations (in a huge simplification - CEF)
    Typically when a packet is processed by the router we expect it to be processed by CEF, i.e. very fast.
    A packet is not processed by CEF:
    - when there is something missing to route the packet properly (think missing ARP/CAM entry), i.e. an additional lookup needs to be done.
    - when a feature requests the packet for processing/mangling
    - when the packet is destined to the router
    (And several others, but those are the major ones.)
    When a packet is received but cannot be processed by CEF, we "punt the packet to CPU"; this in turn will cause the CPU for processes to go up.
    Now on the spoke this seems to be the problem:
    Spoke#show ip cef switching stati
           Reason                          Drop       Punt  Punt2Host
    RP LES Packet destined for us             0       1723          0
    RP LES Encapsulation resource             0    1068275          0
    There were also some failures on one of the buffer outputs you've attached.
    Typically at this stage I would suggest:
    1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
    2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
    Marcin
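    A parser for the `show ip cef switching statistics` table quoted above, added here as an example (not code from the thread): it ranks punt reasons by their share of all punts so the dominant cause stands out when the output has many rows. The function names and the 5% threshold are my assumptions; the sample text is constructed from the two rows in the reply.

```python
"""Rank the punt reasons in `show ip cef switching statistics` output.

Added example, not code from the original thread. The helper names and the
share threshold are assumptions; the sample output is constructed from the
two rows quoted in the reply.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two rows from the thread, laid out in the column
# format IOS prints (Reason, Drop, Punt, Punt2Host).
SAMPLE_OUTPUT = """\
Spoke#show ip cef switching statistics
       Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us             0       1723          0
RP LES Encapsulation resource             0    1068275          0
"""

# One counter row: "<path> <reason ...> <drop> <punt> <punt2host>".
# The path prefix ("RP LES" here) is two tokens; the reason is free text,
# so it is matched non-greedily and the three trailing counters anchor
# the end of the line. Header and prompt lines never match.
_ROW = re.compile(
    r"^(?P<path>\S+\s+\S+)\s+(?P<reason>.+?)\s+"
    r"(?P<drop>\d+)\s+(?P<punt>\d+)\s+(?P<punt2host>\d+)\s*$"
)


def parse_cef_stats(text: str) -> List[Dict[str, object]]:
    """Return one dict per counter row; the summary 'Total' row is skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("reason").strip() == "Total":
            continue
        rows.append({
            "path": m.group("path"),
            "reason": m.group("reason").strip(),
            "drop": int(m.group("drop")),
            "punt": int(m.group("punt")),
            "punt2host": int(m.group("punt2host")),
        })
    return rows


def rank_punts(rows: List[Dict[str, object]],
               min_share: float = 0.05) -> List[Tuple[str, int, float]]:
    """Reasons ordered by punt count, each with its share of all punts.

    Reasons below `min_share` of the total are dropped, so on the spoke
    output above only 'Encapsulation resource' survives: that is the path
    forcing nearly every packet off the CEF fast path and onto the CPU.
    """
    total = sum(int(r["punt"]) for r in rows)
    if total == 0:
        return []
    ranked = sorted(rows, key=lambda r: int(r["punt"]), reverse=True)
    return [
        (str(r["reason"]), int(r["punt"]), int(r["punt"]) / total)
        for r in ranked
        if int(r["punt"]) / total >= min_share
    ]


if __name__ == "__main__":
    for reason, punt, share in rank_punts(parse_cef_stats(SAMPLE_OUTPUT)):
        print(f"{reason:<32} {punt:>10} {share:6.1%}")
```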

  • A question about Performance Settings

    Dear all,
    Hi all, I want to add a performance poller about Environmental Temperature.
    There is an error as shown in the figure:
    The device is a Nexus 7010.  Does it support this poller?
    If it is supported, how do I set it up?
    Thank you very much

    Peanuts
    Thank you for your time and help.
    Dumb question: reflash the firmware
    means install the new firmware listed on this web site?
    My old is v3.0.02 build 003, June 4, 2009.
    The new one is v3.0.02 build 4, 12/10/09.
    The MTU thing I can figure out: click Save, OK. But what the heck is
    Power cycle the router
    Un-plug it?
    Sorry to be a pain.  Ready to throw this out the window.  It works good/great, then very poor or not at all, in wireless mode.
    The other day on the laptop a friend was connected to an interactive training video for about 30 minutes; it worked great.
    Then today the Dell with Windows 7 lost the wireless connection.
    Thanks

    dear friends, i set multiple users parameter in formsweb.cfg file thats [user1] userid=shifa12/shifa12@orcl [user2] userid=shifa_heaven/shifaheaven@orcl [user3] userid=fatima_tower/fatimatower@orcl and link used http://shafa:8889//forms/frmservlet?co