Virtual Tunnel Interface (VTI) Hub Router Configuration

When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnnel use a unique transform-set and ipsec profile, or they can all share the same configuration.
Example:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile VTI
set transform-set TSET
Thanks.-

Hi,
The IPsec profile can be shared.
You could also create multiple transform set and reference it to IPsec profile and then apply it to a specific VTI.
Sent from Cisco Technical Support iPhone App

Similar Messages

Cisco Virtual Tunnel Interface (VTI) Design Guide

The above mentioned guide is referenced in a couple of Cisco Design Guides on IPSec VPN but I am unable to find it anywhere on Cisco websites including the links provided by Cisco. Could anyone who has the guide help me with a copy of it.
Thanks

I have this link in my notes from while back, hope it helps
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Dynamic virtual tunnel interface on 2821

I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
The feature is supported by this software release. Documentation says:
- enter configuration
- configure a virtual-template interface
- type "tunnel mode <mode>"
but the router does not accept this command.
Any hint?
Thank you in advance.
Denis

Try:
just have to take a look at the concentrator's configuration.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
and this one is an example with routers
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

Mystery Tunnel Interfaces on 2921 Router

Hi All,
I need some help.
For some reason it seems we have 3 Tunnel interfaces on the router, not sure how it got there but we are unable to delete them or configure them.
They seem to take the loopback ip as source and if I delete the loopback interface it chooses another IP.
Output from sh ip int brief, not sure where it gets those IP's from as well.
Tunnel0                    172.16.0.1      YES unset up                    up
Tunnel1                    172.16.0.1      YES unset up                    up
Tunnel2                    172.16.0.1      YES unset up                    up
See below when I try to enter interface config mode:
Router1(config)#int tunnel 0
% This interface cannot be modified
Any suggestions or help will be appreciated.
Regards
Z

Hi Zubair,
this is due to WCCP. You have WCCP for service 61 and 62 so my guess is you have an optimizer appliance (like WAAS) talking WCCP with this router. The tunnel interfaces are the result of WCCP using GRE encapsulation to redirect the traffic to the WAN optimizers.
you can find more info here:
https://supportforums.cisco.com/docs/DOC-15782
thanks,
Fabrizio

DMVPN Hub Router QoS

Hello DMVPN Experts,
As we knew DMVPN Hub routers can have per-tunnel QoS configuration for the spokes.
But I am not sure the QoS configuration for the Hub site itself. I assume it should be seperated from the per-tunnel QoS and the service-policy should be applied at the physical WAN interfaces and tunnel interfaces? Need help please. Some sample configuration would be appreciated.
Thanks
Cedar

Hi Joseph,
I am afraid I am having a bit difficulty to understand and would like to hear more if you don't mind.
We are on the same page that Per-Tunnel QoS let the spokes to control the traffics toward the hub site, which is considered inbound traffic from the WAN/Tunnel interfaces of hub router point of view. However, in order to control the inbound and/or outbound traffic of the WAN/Tunnel interfaces of the hub router, how should we configure seperate QoS configuration other than Per-Tunnel QoS templates, if we should?
Here is what I know so far based on ASR1000 document.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/asr1000/sec-conn-dmvpn-xe-3s-asr1000-book/sec-conn-dmvpn-per-tunnel-qos.html
Restrictions for Per-Tunnel QoS for DMVPN
• The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
• QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
• Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
• You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.
• The class default shaper policy map on the main interface must be applied before the tunnel policy map is applied.
• The class default shaper policy map must contain only the class class-default and shape commands.
• The main interface policy map is checked for validity only when a QoS service policy is applied on the tunnel interface. The main interface policy map is not checked during a tunnel move or modification.
• Adding new classes or features to the main interface policy map is not supported. Doing so, however, will not be blocked.
After reading the above document, my understanding is that
1. We could have seperate policy map for physical WAN interface.
2. The policy-map for the physical WAN interface is limited to a class default shaper only.
3. The policy-map for physical WAN interface must be applied at the physical WAN interface before the tunnel policy-maps are applied at the tunnel interface.
But I am not 100% sure if it's correct.
Thanks,
Cedar

NBAR on Tunnel Interface on ASR1001

Hello all,
I'm trying to implement service policy on our ipsec tunnels on ASR1001. Version: asr1001-universalk9.03.13.01.S.154-3.S1-ext.bin
Here is the typical Tunnel configuration:
interface Tunnel100
ip address 172.x.x.x 255.255.255.252
ip mtu 1450
ip access-group ACL_IN in
ip access-group ACL_OUT out
ip policy route-map ForwardIP
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf cost 40
qos pre-classify
tunnel source ZZ.ZZ.ZZ.ZZ
tunnel mode ipip
tunnel destination YY.YY.YY.YY
tunnel protection ipsec profile IPSec-AES
service-policy input Tunnel_IN
When I try to add an output service-policy on that interface, I get an error:
(nbar): (err): NBAR is not supported on Tunnel10042
If I try to enable ip nbar protocol-discovery, I get an error:
% NBAR Error: Can not enable Protocol-discovery NBAR is not supported on this interface
Is it possible to use NBAR on that interface?

NBAR is not supported on the following logical interfaces:
Dialer interfaces
Dynamic tunnels such as Dynamic Virtual Tunnel Interface (DVTI)
Fast Etherchannels
IPv6 tunnels that terminate on the device
MPLS
Overlay Transport Virtualization (OTV) overlay interfaces

Tunnel interface to physical interface

Hi All,
I was wondering if it is possible to build a site to site vpn connection one side using tunnel interface and the other end using a physical interface.
My plan is to use a 3945 router, build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interface on the router i could leverage on the vrf feature to isolate clients but if i use tunnel interface on my end i am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) vpn concentrator - which doesnt support tunnel interface.
Thanks for your help in advance.
Lou

Mark Mattix wrote:I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet? Olivier Pelerin> This is correct
When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
Olivier Pelerin> See the diagram below - this explain GRE over IPSEC. That's a diagram I did here for a training
On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
Olivier Pelerin> the diagram below should answer that
I've been wrong in thinking that GRE and IPSec go hand in hand when infact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, is looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
Olivier Pelerin> Correct. GRE first then encryption
Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
[red = encrypted]

What is virtual template interface

hi all
Please explain me what is vitual template interface and when should used.how can someone used it to bind physical intfaces under virtual templte int?

Hi,
A virtual template interface is used to provide the configuration for dynamically created Virtual-Access interfaces. It is created by users and can be saved in nonvolatile RAM (NVRAM).
Once the virtual template interface is created, it can be configured in the same way as a serial interface.
To create a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces, use the interface virtual-template command in global configuration mode.
Virtual template interfaces can be created and applied by various applications such as Virtual Profiles, virtual private dialup networks (VPDN), PPP over ATM, PPP over Frame Relay, protocol translation, and Multichassis Multilink PPP (MMP).
Following are FR and ATM examples:
interface Serial1/0.1 point-to-point
bandwidth 128
frame-relay interface-dlci 51 ppp Virtual-Template1
class FRTS
interface ATM1/0.52 point-to-point
ip vrf forwarding customer
pvc 101/52
abr 167 167
oam-pvc manage
encapsulation aal5ciscoppp virtual-Template 1
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a0080080d36.html#wp1017915
HTH, please do rate all helpful replies,
Mohammed Mahmoud.

ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry

I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IP's. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message
5505
ethe0/0
desc To LA ISP (217.34.122.1)
switchport access vlan2
ethe0/1
desc To Redwood City HQ via VPN Tunnel
switchport access vlan1
ethe0/2
desc To Internal Web Server
switchport access vlan3
VLAN1
desc Tunnel to HQ
ifinterface Tunnel
security level 1
217.34.122.3 255.255.255.248
VLAN3
desc Internal Web Server
ifinterface inside
security level 100
192.168.0.1 255.255.255.0
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
(No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ set peer ip 65.29.211.198
5510 at HQ
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
(again no access-group, since I have a couple other off sites)
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.34.122.3

Hi Jouni,
I have the following configs in place with fake IPs
5505
1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ 10 set peer ip 65.29.211.198
tunnel-group 65.29.211.198 type ipsec-l2l
5510
1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface
access-group OUTBOUND in interface outside
nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
route outside 192.168.0.0 255.255.255.0 217.33.122.6
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.33.122.6
tunnel-group 217.33.122.6 type ipsec-l2l
I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.

Router Dead , when i applied QOS on virtual-temp interface for vpn !!

hi all ,
i have a simple brief topology below :
PSTN======(R1-7206)>F1=======F2>(R2-7604 catalyst)>>>F1=========Internet
i have two router
R2========>MLS 7604
R1======>cisco 7204
on R2 , Im doing matching to QOS by dscp , im matching acls ips from internet with dscp values :
here is CONFIG for matching :
Gateway7600#sh policy-map LLQX
Policy Map LLQX
    Class YOUTUBE
      set ip dscp af43
    Class FACEBOOKVIDEOS
      set ip dscp af33
    Class HTTP
      set dscp af23
    Class DNSQOS
      set dscp af13
    Class class-default
      set ip dscp af11
================
Gateway7600#sh class-map
Class Map match-all FACEBOOKVIDEOS (id 7)
   Match access-group name facebookvideos
Class Map match-all DNSQOS (id 8)
   Match access-group name dnsqos
Class Map match-all HTTP (id 6)
   Match access-group name browsing
Class Map match-any class-default (id 0)
   Match any
Class Map match-all YOUTUBE (id 5)
   Match access-group name youtube
Gateway7600#
=========================================================
on this router i applied this policy map on interfaxce F1 in direction
and here matching is well :
Gateway7600#sh policy-map interface gigabitEthernet 1/5 in
GigabitEthernet1/5
Service-policy input: LLQX
    class-map: rate-limit (match-all)
      Match: access-group name rate-limit
      police :
        4088000 bps 384000 limit 384000 extended limit
      Earl in slot 1 :
        139044930 bytes
        30 second offered rate 143032 bps
        aggregate-forwarded 134420937 bytes action: transmit
        exceeded 4623993 bytes action: drop
        aggregate-forward 22544 bps exceed 0 bps
    class-map: YOUTUBE (match-all)
      Match: access-group name youtube
      set dscp 38:
      Earl in slot 1 :
        132693939697 bytes
        30 second offered rate 212144928 bps
        aggregate-forwarded 132693939697 bytes
    class-map: FACEBOOKVIDEOS (match-all)
      Match: access-group name facebookvideos
      set dscp 30:
      Earl in slot 1 :
        10726758352 bytes
        30 second offered rate 20682720 bps
        aggregate-forwarded 10726758352 bytes
    class-map: HTTP (match-all)
      Match: access-group name browsing
      set dscp 22:
      Earl in slot 1 :
        56874058537 bytes
        30 second offered rate 92669832 bps
        aggregate-forwarded 56874058537 bytes
    class-map: DNSQOS (match-all)
      Match: access-group name dnsqos
      set dscp 14:
      Earl in slot 1 :
        160308954 bytes
        30 second offered rate 303552 bps
        aggregate-forwarded 160308954 bytes
    class-map: class-default (match-any)
      Match: any
      set dscp 10:
      Earl in slot 1 :
        67394864030 bytes
        30 second offered rate 126884864 bps
        aggregate-forwarded 67394864030 bytes
=================================================================================
now the problem is below
on router 7200 , it is LNS router connected with LAC roiuter for ADSL customers.
now here is config of policy map on 7200 router:
R11#sh policy-map
Policy Map MATCH_MARKS
    Class MATCH_YOUTUBE
      bandwidth 220000 (kbps)
    Class MATCH_FACEBOOKVIDEOS
      bandwidth 20000 (kbps)
    Class MATCH_HTTP
      bandwidth 100000 (kbps)
=========================================================
R1#sh class-map
Class Map match-all MATCH_FACEBOOKVIDEOS (id 2)
   Match ip dscp af33 (30)
Class Map match-all MATCH_HTTP (id 3)
   Match ip dscp af23 (22)
Class Map match-any class-default (id 0)
   Match any
Class Map match-all MATCH_YOUTUBE (id 1)
   Match ip dscp af43 (38)
==========================================================
here is virtual-template interface before i apply the QOS
R1#sh running-config interface virtual-template 1
Building configuration...
Current configuration : 352 bytes
interface Virtual-Template1
bandwidth 1000000
ip unnumbered Loopback0
ip tcp adjust-mss 1412
ip policy route-map private
no logging event link-status
qos pre-classify
peer default ip address pool bitsead1 bitsead2
ppp mtu adaptive
ppp authentication pap vpdn
ppp authorization vpdn
ppp accounting vpdn
max-reserved-bandwidth 90
end
=========================================
when i apply the command
(service-poliy output MATCH_MAKRS ) under virtual-template interface i have console logs :
Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
Insufficient bandwidth 149760 kbps for the bandwidth guarantee (220000)
also i have
*Jul 9 22:28:38.242: Interface Virtual-Access2551 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.250: Interface Virtual-Access627 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.258: Interface Virtual-Access786 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.266: Interface Virtual-Access623 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.274: Interface Virtual-Access2559 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.282: Interface Virtual-Access2281 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:38.290: Interface Virtual-Access142 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 9 22:28:40.262: %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "VTEMPLATE Background Mgr", ipl= 3, pid= 278, -Traceback= 0x756FF0z 0x3439C58z 0x2778D70z 0x2CACCD0z 0x2CC63E0z 0x2CC7FF8z 0x2CADC74z 0x2CBE058z 0x2CA0340z 0x2CA04F8z 0x2E0BB18z 0x2D23378z 0x2D1825Cz 0x2D18738z 0x2E66FE0z 0x2D971ACz
*Jul 9 22:28:40.262: %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "VTEMPLATE Background Mgr", ipl= 3, pid= 278, -Traceback= 0x756FF0z 0x3439C58z 0x2778D70z 0x2CACD28z 0x2CC63E0z 0x2CC7FF8z 0x2CADC74z 0x2CBE058z 0x2CA0340z 0x2CA04F8z 0x2E0BB18z 0x2D23378z 0x2D1825Cz 0x2D18738z 0x2E66FE0z 0x2D971ACz
after i apply it ,
the cpu is 100 % and the router got down !!!
now
what is the problem ????
here is ios for 7200 router
R1#sh version
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(24)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 28-Feb-12 12:53 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
Bras1 uptime is 13 weeks, 1 day, 9 hours, 24 minutes
System returned to ROM by reload at 16:24:51 GMT+3 Tue Jun 17 2003
System image file is "disk2:c7200p-adventerprisek9-mz.124-24.T7.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
Processor board ID 36858624
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.11
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
==============================================================================
wish to Help ASAP
regards

hi ,
i did
the same issue ,
i did a TEST policymap that has 30 percent gurantee
but the same result!!!!!!!!!!!!!!!!
the router god down agian !
here is logs :
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.605: Interface Virtual-Access1896 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.797: Interface Virtual-Access1317 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.809: Interface Virtual-Access993 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.817: Interface Virtual-Access1699 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.981: Interface Virtual-Access254 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:33.993: Interface Virtual-Access687 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.001: Interface Virtual-Access35 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.009: Interface Virtual-Access160 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.017: Interface Virtual-Access1337 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.029: Interface Virtual-Access1670 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.037: Interface Virtual-Access1948 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.049: Interface Virtual-Access1669 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.109: Interface Virtual-Access1334 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.117: Interface Virtual-Access151 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.125: Interface Virtual-Access761 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.137: Interface Virtual-Access810 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.197: Interface Virtual-Access1522 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.237: Interface Virtual-Access1692 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.257: Interface Virtual-Access368 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.305: Interface Virtual-Access1758 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.317: Interface Virtual-Access2061 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.325: Interface Virtual-Access1203 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.337: Interface Virtual-Access188 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.345: Interface Virtual-Access1975 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.357: Interface Virtual-Access1172 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.509: Interface Virtual-Access1647 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.517: Interface Virtual-Access458 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.609: Interface Virtual-Access608 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.621: Interface Virtual-Access2128 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.633: Interface Virtual-Access1167 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.641: Interface Virtual-Access487 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.653: Interface Virtual-Access1793 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.665: Interface Virtual-Access2280 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.769: Interface Virtual-Access839 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.781: Interface Virtual-Access2311 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.793: Interface Virtual-Access1788 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.857: Interface Virtual-Access8 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.869: Interface Virtual-Access2243 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:34.881: Interface Virtual-Access580 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.057: Interface Virtual-Access6 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.065: Interface Virtual-Access1331 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.077: Interface Virtual-Access1235 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.177: Interface Virtual-Access1748 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.189: Interface Virtual-Access2262 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
*Jul 11 02:40:35.205: Interface Virtual-Access2136 max_reserved_bandwidth config will not
take effect on the queueing features configured via service-policy
i want to ask a question , could this be from IOS ????

DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

Hi Guys,
I'm in a mess, I have Cisco 877-K9 router which sits behind an ASA 5510 FW.
The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not able to ping any LAN IP at Spoke site nor am I able to ping my LAN from any Spoke site.
I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
Thanks,
Aj.

Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
1) what RProtocol r u using?
a) It's OSPF
2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
(on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
(I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
3) are your tunnels config correctly? try show crypto ipsec sa
a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
4) on your hub'spoke do a debug ip icmp
a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
Additional to the info above, Please also note :
I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
So I guess I'm stuck on the point that My Cisco HUB is unable to talk to my LAN, If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
From HUB router I'm able to ping clients behind Spokes.
Does that give any Ideas ?
Thanks in Advance.
Aj.

Is it possible to create a VTI tunnel from my 877 router to my ASA

Hi all
I woulke like to know is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a cryptomap on the router ?
cheers
Carl

Yes you can
Forgot to add that it possible when configuring ezvpn where the 877 is a remote client and Asa server
Sent from Cisco Technical Support iPhone App

'no ip route-cache' on Tunnel interfaces

Hi,
A quick and hopefully simple question. Is there any reason why 'no ip route-cache' and 'no ip mroute-cache' should be configured on Tunnel interfaces?
Generally, when should 'no ip route-cache' be configured on an interface?
Many thanks,
Andy

Andy, no easy question, and prety much send some of us back to basics.. one have to take a deeper look at this command to barely get a good picture. See first link thread , good discussion on your question.. generaly no ip- route-catch improves performance for router forwarding processing desitions.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfa166
You can find more details on three types of switching methods such as ( fast switching by ip route catch command ), I believe it helps understand better the commands.
http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
Another instance where you would have IP route catch enable on an interface would be for the use of netflow, IP route-cacth command on an interface is requirement for implementing netflow .
Rgds
-Jorge

Using Tunnel interface on Router

Hi Everyone,
I see hew Tunnel interface on Router.
Router is Running OSPF.
It has no crypto statemets.
tunnel configuration
interface Tunnel1
ip address 10.4.x.x x.x.x.x
delay 7
tunnel source Loopback1
tunnel destination 10.4.x.x
My question is when we use Tunnel interface without any crypto statemets?
Thanks
MAhesh

This Tunnel is a plain GRE-Tunnel. These are typically used without crypto when:
1) The traffic is not sent through an untrusted network and a cryptographic protection is not needed.
2) The GRE-traffic gets encrypted on a separate device if the GRE-Endpoint is not capable of doing the needed cryptographic protection.
Sent from Cisco Technical Support iPad App

Problem in configuring IPv6 interface with default Router lifetime.

I'm facing Problem in configuring IPv6 interface with default
Router lifetime through a router advertisement.
I'm also see an unusual behavior that even after configuring accept_rtadv=0,
the ipv6 address is configured.
Please help in out .

Mac OS 9 does not support IPv6. While you can have IPv6 on your network, a Macintosh running Mac OS 9.2.2 or earlier cannot make connections to services using this network protocol.
To use IPv6 on a Macintosh, you need Mac OS X 10.1 or later (as far as I know).
—tonza

Virtual Tunnel Interface (VTI) Hub Router Configuration

Similar Messages

Maybe you are looking for