Tunnel interface selection

Similar Messages

• Looking for a better solution that tunnel interface

  Hi
  acctualy I have a Vsat connection between my remote site and central office
  on both site we have router and sat modem
  I have now a tunnel interface between my two routers,I am looking for a better idea,,

  hi...
  so you have tunnel interface between your two router so now what are you looking for...?
  secure IPsec connection or what???
  please explaine in details
  regards
  Devang

• DLSW and Tunnel Interfaces problem

  We have a pair of routers with tunnel interfaces and DLSW between them.
  Some times the tunnel interface goes down thus loosing service trough DLSW.
  Is there any problem reported between DLSW and this kind of tunel interfaces ?

  Hi,
  i assume you are using dlsw tcp peers.
  In general dlsw does not know over what infrastucture the connection really runs. Dlsw gives data to tcp and tcp is responsible for doing the actual transmission.
  I dont know of any problems with dlsw and tunnel interfaces in general.
  Some more information might help to understand the problem.
  What type of tunnel are you using? GRE?
  What version of ios are you running?
  Do you use additional encapsulation overhead like ipsec ect?
  Does tcp on this router use path mtu discovery?
  thanks...
  Matthias

• 'no ip route-cache' on Tunnel interfaces

  Hi,
  A quick and hopefully simple question. Is there any reason why 'no ip route-cache' and 'no ip mroute-cache' should be configured on Tunnel interfaces?
  Generally, when should 'no ip route-cache' be configured on an interface?
  Many thanks,
  Andy

  Andy, no easy question, and prety much send some of us back to basics.. one have to take a deeper look at this command to barely get a good picture. See first link thread , good discussion on your question.. generaly no ip- route-catch improves performance for router forwarding processing desitions.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfa166
  You can find more details on three types of switching methods such as ( fast switching by ip route catch command ), I believe it helps understand better the commands.
  http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
  Another instance where you would have IP route catch enable on an interface would be for the use of netflow, IP route-cacth command on an interface is requirement for implementing netflow .
  Rgds
  -Jorge

• Where did these tunnel interfaces come from?!?

  Hello,
  just wondering why one of our routers creates tunnel interfaces dynamically.
  I was setting up a GRE tunnel to transport multicast traffic over network. After I was done, I found two extra tunnel interfaces with command show ip interfaces brief and those extra interfaces uses my original tunnel interface as their IP addresses. There is no any configuration regarding to these extra interfaces in running config. How did this happen? Any explanations? Is it relating somehow to my multicast solution?
  If I got two dynamically created tunnels does that mean that I have at least two concurrent multicast groups on my router in active state?
  Sorry for dummy questions but I have almost zero experience what comes for multicast and last time I studied it in school about 8 year ago...
  -JJ

  Hi,
  These are created dynamically, one to encapsulate multicast packets and the other one to decapsulate. You can see them with the command < show ip pim tunnel > . You can find the description and purpose of these tunnels here:
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_s1.html#wp9533023710
  Hope this helps,
  Jose.

• Odd Tunnel Interface behavior - one end requires "no keepalive"

  Where's the quick version.  Tunnel between sites A & B.  This is GRE o IPSEC, but I don't think that's the issue.  Tunnel comes up and works great when:  site A has no keepalives and site B has no keepalives,  and it works when Site A has keepalives turned on and Site B does not.  The moment I turn on keepalives on site B, the tunnel goes down.
  This isn't a simple config.  Site A is an MPLS PE, meaning the Tunnel interface is configured with an fVRF and iVRF.  Site B has no VRF's - it is the CE.
  Any ideas on how to fix?  I need Site B's Tunnel interface to go down when connectivity fails.  My current workaround is to use EIGRP to update the routing tables.  I need to be able to support redundant paths with static and floating routes.

  Like this;
  Core1-r1#sh access-list ironport2
  Extended IP access list ironport2
      10 deny tcp host 10.247.254.174 any
      20 deny tcp any 192.168.0.0 0.0.255.255
      30 deny tcp any 10.0.0.0 0.255.255.255
      40 deny tcp host 10.230.3.250 any
      50 permit tcp 10.139.60.0 0.0.0.255 any (119568304 matches)
      60 permit tcp 10.230.32.0 0.0.0.255 any (9290669 matches)
      70 permit tcp host 10.230.48.12 any (141403 matches)
      80 permit tcp host 10.230.36.62 any (1456 matches)
      90 permit tcp host 10.150.18.7 any (741 matches)
  Core1-r1#
  10= P1 interface
  20= network we don't want to be sent to ironport
  30= " "
  40= M1 interface
  50->90=All testing subnets to go to ironport
  Thanks for the feedback! jc

• Using Tunnel interface on Router

  Hi Everyone,
  I see hew Tunnel  interface on Router.
  Router is Running OSPF.
  It has no crypto statemets.
  tunnel configuration
  interface Tunnel1
  ip address 10.4.x.x x.x.x.x
  delay 7
  tunnel source Loopback1
  tunnel destination 10.4.x.x
  My question is when we use Tunnel interface without any crypto statemets?
  Thanks
  MAhesh

  This Tunnel is a plain GRE-Tunnel. These are typically used without crypto when:
  1) The traffic is not sent through an untrusted network and a cryptographic protection is not needed.
  2) The GRE-traffic gets encrypted on a separate device if the GRE-Endpoint is not capable of doing the needed cryptographic protection.
  Sent from Cisco Technical Support iPad App

• Monitoring tunnel interface traffic

  We've integrated WLSM with IDSM-2 and want to monitor wireless traffic terminating on tunnel interfaces. Can't find a way to configure SPAN or VACL on IOS 6500 to capture traffic. Any suggestions?

  Try this:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080459221.html

• Dynamic virtual tunnel interface on 2821

  I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
  The feature is supported by this software release. Documentation says:
  - enter configuration
  - configure a virtual-template interface
  - type "tunnel mode <mode>"
  but the router does not accept this command.
  Any hint?
  Thank you in advance.
  Denis

  Try:
  just have to take a look at the concentrator's configuration.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
  and this one is an example with routers
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

• Transmit Discards on Tunnel Interface Cisco 2851

  Hi, wondered if anyone could shed any light on this?
  We have a two 2851 routers at two seperate branches that connect via a vpn tunnel back to the head office. When lookking at the tunnel interface it shows a lot of transmit discards which are there constantly and increase as traffic levels go up.
  I have read that this is due to congestion however we are'nt using that much bandwidth at all.
  one site has 100mb private circuit and the other has 10mb both of which are never more than 30% utilised
  any thoughts?
  thanks

  [url=http://membres.lycos.fr/ishbjndm/washingtondbd.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washington7bc.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washingtonc17.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washington47d.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washington123.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washingtoncbb.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washington6a2.html] washington [/url]
  [url=http://members.lycos.nl/fzxhunpv/washington73f.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washingtondae.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washington844.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washington4e3.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washingtonb8e.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washington206.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washingtond0a.html] washington [/url]
  [url=http://dnbvako.zotzoo.com/washington8fa.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washington12f.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washingtond66.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washingtonfc2.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washington55d.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washington1c2.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washington6a6.html] washington [/url]
  [url=http://gcqdamu.zizhost.com/washington17d.html] washington [/url]
  [url=http://ytieutu.wipou.com/washington03c.html] washington [/url]
  [url=http://ytieutu.wipou.com/washingtoneb9.html] washington [/url]
  [url=http://ytieutu.wipou.com/washingtonb3f.html] washington [/url]
  [url=http://ytieutu.wipou.com/washington4e8.html] washington [/url]
  [url=http://ytieutu.wipou.com/washington0c7.html] washington [/url]
  [url=http://ytieutu.wipou.com/washington241.html] washington [/url]
  [url=http://ytieutu.wipou.com/washingtonfe3.html] washington [/url]
  [url=http://poaheif.webheri.net/washington737.html] washington [/url]
  [url=http://poaheif.webheri.net/washington3ca.html] washington [/url]
  [url=http://poaheif.webheri.net/washingtonda1.html] washington [/url]
  [url=http://poaheif.webheri.net/washington474.html] washington [/url]
  [url=http://poaheif.webheri.net/washington368.html] washington [/url]
  [url=http://poaheif.webheri.net/washington6af.html] washington [/url]
  [url=http://poaheif.webheri.net/washington189.html] washington [/url]
  [url=http://fztodds.24fast.info/washington09d.html] washington [/url]

• Crypto Map on Tunnel interface

  hi guys, when i trying to apply crypto map on tunnel interface , debug is (
  crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
  why i can't apply simple crypto map on tunnel interface? anyone knows?
  thanks

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.

• Netflow with tunnel interfaces

  Hi I have a customer who is using tunnel interfaces with IPSEC on their WAN. They are collecting Netflow stats and exporting them to a server.Under the tunnel interface I have specified the bandwidth to be 1000.When I did not specify the bandwidth the tunnel speed came up on the management software as being 9kb. This was obviously not a true reflection when observing the data. The far end remote office is terminating via dsl and my question is should I specify the bandwidth under the tunnel interface to be closer to the dsl connection they have there ie 512k? There are many other tunnels coming from the main site and I have not configured Netflow on the this particular remote end.

  Hi Justin,
  If we would define bandwidth on tunnel interface it will manipulate routing decisions also and tunnel recursiuon issue could also occur where tunnel would see that the best way to reach teh destination is via tunnel itself. Beside taht the actual bandwidth used by the tunnel is based on the physical interface associated with it.

• BW showing under Tunnel Interface

  Hi,
  I've been looking through our VPN Tunnel Interfaces and noticed all of them have the same BW of 9Kbit. Where is this figure derived from?
  sh int tu17
  Tunnel17 is up, line protocol is up
    Hardware is Tunnel
    Description: Tunnel to M
    Internet address is 172.27.240.61/30
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
       reliability 255/255, txload 180/255, rxload 110/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel protocol/transport GRE/IP

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  It's a platform/IOS default.  It can be changed using the interface bandwidth statement (on the tunnel interface).

• Mystery Tunnel Interfaces on 2921 Router

  Hi All,
  I need some help.
  For some reason it seems we have 3 Tunnel interfaces on the router, not sure how it got there but we are unable to delete them or configure them.
  They seem to take the loopback ip as source and if I delete the loopback interface it chooses another IP.
  Output from sh ip int brief, not sure where it gets those IP's from as well.
  Tunnel0                    172.16.0.1      YES unset  up                    up     
  Tunnel1                    172.16.0.1      YES unset  up                    up     
  Tunnel2                    172.16.0.1      YES unset  up                    up    
  See below when I try to enter interface config mode:
  Router1(config)#int tunnel 0
  % This interface cannot be modified
  Any suggestions or help will be appreciated.
  Regards
  Z

  Hi Zubair,
  this is due to WCCP. You have WCCP for service 61 and 62 so my guess is you have an optimizer appliance (like WAAS) talking WCCP with this router. The tunnel interfaces are the result of WCCP using GRE encapsulation to redirect the traffic to the WAN optimizers.
  you can find more info here:
  https://supportforums.cisco.com/docs/DOC-15782
  thanks,
  Fabrizio

• EEM Tracking two tunnel interfaces at the same time

  Hi Everyone,
  luckly i just got introduced to EEM lately, and i was wondering how life saver this would be in alot of enviroments..
  I am trying to write an EEM to monitor two out of three tunnel interfaces if they went down i'd like to perform an action on the third interface.
  i went through online posts and saw there was "event track" under the EEM, but when i login to  any of my routers i can't see this, i dont get the option track.
  here is what i want to do..
  monitor tunnel 100 and tunnel 200 - if the line protocol went down or there are no routing information recieved on them action is to unshut tunnel 300 and tunnel 400
  thanks guys for help in advance

  Hi,
  Here is an example that does something similar:
  track 10 interface Ethernet0/0 line-protocol
  delay up 10
  track 11 interface Ethernet0/1 line-protocol
  delay up 10
  track 12 interface Ethernet0/2 line-protocol
  delay up 10
  track 13 interface Ethernet0/3 line-protocol
  delay up 10
  track 19 list threshold percentage
  object 10
  object 11
  object 12
  object 13
  threshold percentage down 51 up 100
  event manager applet DOWN
  event track 19 state down
  action 1.0 cli command "enable"
  action 1.1 cli command "conf t"
  action 2.0 cli command "int lo100"
  action 2.1 cli command "shut"
  action 9.0 syslog priority alerts msg "SWITCHOVER TRIGGER"
  event manager applet UP
  event track 19 state up
  action 1.0 cli command "enable"
  action 1.1 cli command "conf t"
  action 2.0 cli command "int lo100"
  action 2.1 cli command "no shut"
  action 9.0 syslog priority alerts msg "PREEMPT TRIGGER“