VTI Tunnel Bandwidth Statements

What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
For example:
Location 1 - DS3 - 44mbps
Location 2 - DS1 - 1.5mbps
Would I put 'bandwidth 1500' on both ends of the tunnel, or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1?

Hi Peter,
To my knowledge, the bandwidth statement will not restrict the volume of traffic. Instead, it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping the same.
HTH,
Nagendra

Similar Messages

  • Is it possible to create a VTI tunnel from my 877 router to my ASA

    Hi all
    I would like to know: is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a crypto map on the router?
    cheers
    Carl

    Yes you can
    Forgot to add that it is possible when configuring EzVPN where the 877 is a remote client and the ASA is the server

  • VTI tunnels vs InterVLAN

    Hi everyone!
    We have 2 Cisco routers - 3925 (office A) and 2921 (office B). There is VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and 1 default VLAN #2. It's a working model which is used between the 2 offices.
    Now I have a task to add VLAN #3 in Office B, which is used in Office A and routed to the firewall. VLAN #3 must be routed bypassing the VTI tunnel. As I understand it, I should use the InterVLAN feature on both routers. But it doesn't work. :(
    Here are configs:
    Office A (3925):
    interface GigabitEthernet0/0
     no ip address
    interface GigabitEthernet0/0.2
     encapsulation dot1Q 2
     ip address 192.168.100.181 255.255.255.0
    interface GigabitEthernet0/0.3
     encapsulation dot1Q 3
     ip address 192.168.150.10 255.255.255.0
    interface GigabitEthernet0/1
     no ip address
    interface GigabitEthernet0/1.2
     encapsulation dot1Q 2
     ip address 10.48.101.178 255.255.255.0
    interface GigabitEthernet0/1.3
     encapsulation dot1Q 3
     ip address 10.48.103.178 255.255.255.0
    router eigrp 100
     network 192.168.100.0 0.0.0.255
     network 192.168.104.0 0.0.0.255
     network 192.168.201.176 0.0.0.255
     network 192.168.202.176 0.0.0.255
    ip route 0.0.0.0 0.0.0.0 192.168.100.180
    ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
    ip route 192.168.150.0 255.255.255.0 192.168.100.2
    Office B (2921):
    interface GigabitEthernet0/0
     no ip address
    interface GigabitEthernet0/0.2
     encapsulation dot1Q 2
     ip address 192.168.104.1 255.255.255.0
    interface GigabitEthernet0/0.3
     description MOWDT Vlan 3
     encapsulation dot1Q 3
     ip address 192.168.150.11 255.255.255.0
    interface GigabitEthernet0/1
     no ip address
    interface GigabitEthernet0/1.2
     encapsulation dot1Q 2
     ip address 10.48.101.179 255.255.255.0
    interface GigabitEthernet0/1.3
     encapsulation dot1Q 3
     ip address 10.48.103.179 255.255.255.0
    router eigrp 100
     network 192.168.100.0 0.0.0.255
     network 192.168.104.0 0.0.0.255
     network 192.168.201.176 0.0.0.255
     network 192.168.202.176 0.0.0.255
    ip route 0.0.0.0 0.0.0.0 192.168.100.180
    ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
    ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
    Could you please help me find where the problem is?

    Both of these lines do the same thing: in one the value is explicitly defined, and the other is set for auto-discovery. However, when it comes to the tunnel interface, all you need is to set the MTU size to 1400.
    one:  ip tcp adjust-mss 1300
    two:  tunnel path-mtu-discovery
    Now an additional command, which you need to disable split horizon on EIGRP, where "x" is your process ID, and which you need for spoke-to-spoke communication to pass via the hub:
    no ip split-horizon eigrp x
    "If I disable these features won't I have problems with fragmentation?"
    Which is taken care of by setting the MTU size to 1400.
    Now you set "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
    Have you tried it?
    thanks
    Message was edited by: Rizwan Mohamed

  • Tunnel - using Tunnel Bandwidth

    I have a quick question here: what is the purpose of the Tunnel Bandwidth command, and is it necessary on a point-to-point connection? The reason I ask is that we have a point-to-point connection and a tunnel is riding over this connection. Every now and then I notice high latency on this connection. I noticed that the bandwidth transmit/receive is set up for 8k only while the point-to-point connection is 128k. I'm thinking this is the cause of the latency... your thoughts?

    Hi
    hope this helps..
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dddc3e4
    regds

  • VTI tunnel & OSPF

    Hi all,
    I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on those interfaces.
    VTI is encrypting all data traffic. But what about OSPF traffic?
    Is OSPF traffic encrypted also, or do I need to configure OSPF authentication?
    Thanks

    The OSPF exchange is already encrypted inside of the tunnel, so you don't have to use OSPF authentication. OSPF uses tunnel IP addresses for communications, and traffic flow between those two addresses is possible only through the secure tunnel.

  • VTI tunnel problem

    Hi all,
    We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
    Sometimes the tunnel goes down and I have to manually shutdown and no shutdown the tunnel interface to bring it up.
    This is logs from Cisco:
    %%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
    %%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
    X.Y.100.100 is Juniper SRX3600
    X.Y.100.200 is Cisco 3825
    But I see these logs more often than the tunnel goes down!
    So what is the problem?
    Thanks

    Hello,
    this should help: #crypto isakmp invalid-spi-recovery
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
    Best Regards
    Please rate all helpful posts and close solved questions
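
The two messages quoted in the question can be triaged per peer to separate a peer that keeps sending on the same unknown SPI from one-off events. The Python below is an added example, not part of the original thread or any Cisco tooling; the verdict names, the repeat threshold of 3 and every sample line except the two copied from the post are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Case-insensitive because the post quotes the messages in lower case; [\w.]+
# also accepts the redacted "X.Y.100.100" style addresses used there.
INV_SPI = re.compile(
    r"recvd_pkt_inv_spi:.*?destaddr=(?P<dst>[\w.]+),\s*prot=(?P<prot>\d+),"
    r"\s*spi=0x(?P<hex>[0-9a-f]+)\((?P<dec>\d+)\),\s*srcaddr=(?P<src>[\w.]+)",
    re.IGNORECASE)
NO_SA = re.compile(r"ikmp_no_sa:\s*ike message from (?P<src>[\w.]+) has no sa",
                   re.IGNORECASE)

_INV = ("%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid "
        "spi for destaddr=X.Y.100.200, prot=50, spi={spi}, srcaddr={src}")
_NO_SA = ("%%crypto-4-ikmp_no_sa: ike message from {src} has no sa and is not "
          "an initialization offer")

SAMPLE_LOG = "\n".join([
    _INV.format(spi="0xc5d07a33(3318774323)", src="X.Y.100.100"),  # as posted
    _NO_SA.format(src="X.Y.100.100"),                              # as posted
    _INV.format(spi="0xc5d07a33(3318774323)", src="X.Y.100.100"),  # constructed
    _INV.format(spi="0xc5d07a33(3318774323)", src="X.Y.100.100"),  # constructed
    _INV.format(spi="0x1a2b3c4d(439041101)", src="192.0.2.77"),    # constructed peer
    _INV.format(spi="0x1a2b3c4d(1)", src="192.0.2.77"),            # constructed, mangled
])


def parse(text):
    """Return (kind, peer, spi) tuples for the two message types."""
    events = []
    for line in text.splitlines():
        m = INV_SPI.search(line)
        if m:
            spi = int(m["hex"], 16)
            # The SPI is printed in hex and decimal; a mismatch means the
            # line was truncated or altered, so it is not counted.
            if spi == int(m["dec"]):
                events.append(("inv_spi", m["src"], spi))
            continue
        m = NO_SA.search(line)
        if m:
            events.append(("no_sa", m["src"], None))
    return events


def triage(text, repeat_threshold=3):
    """Summarise events per peer; threshold and verdicts are assumptions."""
    stats = defaultdict(lambda: {"spis": Counter(), "no_sa": 0})
    for kind, peer, spi in parse(text):
        if kind == "inv_spi":
            stats[peer]["spis"][spi] += 1
        else:
            stats[peer]["no_sa"] += 1
    report = {}
    for peer, s in stats.items():
        worst = max(s["spis"].values(), default=0)
        if worst >= repeat_threshold and s["no_sa"]:
            verdict = "ike-and-ipsec-out-of-sync"  # peer holds SAs we lack
        elif worst >= repeat_threshold:
            verdict = "stale-ipsec-sa"             # same unknown SPI repeats
        else:
            verdict = "transient"                  # isolated events
        report[peer] = {"invalid_spi": sum(s["spis"].values()),
                        "max_same_spi": worst,
                        "no_sa": s["no_sa"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for peer, row in triage(SAMPLE_LOG).items():
        print(peer, row)
```
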

  • Static VTI tunnel to asa

    Hi All,
    I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behind an ASA using IPSec tunnels.
    Recently I found out (locally originated) netflow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
    This implies I need to use:
    - IPSec/GRE
    - EzVPN with DVTI
    - SVTI...?
    Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
    interface Tunnel0
    ip unnumbered loopback0
    tunnel source x.x.x.x
    tunnel destination y.y.y.y
    tunnel mode ipsec ipv4
    My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
    Regards

    Hi Hielke,
    If you manage to match the SAs proposed by the router when using SVTI, which is any to any, and you do this on the ASA using a crypto map access-list as follows:
    access-list crypto VPN permit ip any any
    then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different from the one leaving the outside interface.
    so as Marcin this will not scale for you
    HTH
    Mohammad.

  • Tunnel bandwidth

    Hi,
    I have a site to site vpn GRE tunnel from a 2811 router to a 2811 router.
    On the remote site I have 2 routers configured with HSRP. The only way I've found for the tunnel to work with HSRP is to configure one different tunnel on each router. But both of them are always up.
    Could anybody tell me what is the bandwidth consumed by a tunnel only being up, without traffic?
    Thanks in advance

    Hi
    hope this helps..
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dddc3e4
    regds

  • Can QoS be implemented when VPN tunnel bandwidth is unknown?

    Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown? In other words, is it possible to have QoS bandwidth parameters automatically detected/adapted to the actual bandwidth?

    Hey Martin,
    Thanks for your reply. I think IntServ won't be a solution straight away, I'll try to explain what I would like to do.
    My issue is that I have a few locations which are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except port 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.
    Because there is a Cisco VoIP router on the mobile location and some users' data should have precedence over others', I would like to implement QoS.
    My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Network stuff if the Cisco can't do site-to-site SSL) I would have more control over the internet link. I would not be limited to using only port 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
    It's likely that this VPN link would always consume the maximum available bandwidth. When it is possible for some QoS mechanism to "detect" the speed of the VPN I could, let's say, dedicate bandwidth for 4 VoIP calls and the remaining bandwidth can be made available for normal traffic. Note that this normal traffic should have some priority levels too.
    Assigning dedicated bandwidth to VoIP isn't a big problem I think, however how can I make x percentage of the remaining bandwidth available to user x and y percentage available to user y?
    I hope I wrote it understandably ;).
    Regards

  • Monitoring IPSec Tunnel Bandwidth Utilization

    We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and LAN-to-LAN. We would like to monitor the bandwidth utilization of the IPSec LAN-to-LAN tunnels. How can we do that?
    Thanks,
    Spr

    Hi Spr,
    Check out VPNTTG (VPN Tunnel Traffic Grapher), a software for SNMP monitoring and measuring the traffic load for IPsec (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN tunnel over time in graphical form.
    The advantage of VPNTTG over other SNMP based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and it stores historical monitoring data for each VPN tunnel in the database.
    For more information about VPNTTG please visit www.vpnttg.com

  • MPLS TE tunnel Bandwidth and ip rsvp bandwidth

    I have some questions about how to reserve bandwidth in an MPLS TE environment.
    1. We must configure ip rsvp bandwidth on all concerned interfaces in an MPLS TE environment, right?
    2. What's the goal of ip rsvp bandwidth?
    3. Tunnel mpls traffic-engineering bandwidth XXX: the command defines the flow bandwidth initiated by the head-end. If sending more than XXX, how does it work? Does it drop excess packets in the flow?
    Any point is welcome! Thanks!

    Hello,
    just today I found some time to read RFCs. and found:
    4124 Protocol Extensions for Support of Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, Ed.. June 2005. (Format: TXT=79265 bytes) (Status: PROPOSED STANDARD)
    4125 Maximum Allocation Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, W. Lai. June 2005. (Format: TXT=22585 bytes) (Status: EXPERIMENTAL)
    4126 Max Allocation with Reservation Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering & Performance Comparisons. J. Ash. June 2005. (Format: TXT=51232 bytes) (Status: EXPERIMENTAL)
    4127 Russian Dolls Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, Ed.. June 2005. (Format: TXT=23694 bytes) (Status: EXPERIMENTAL)
    4128 Bandwidth Constraints Models for Differentiated Services (Diffserv)-aware MPLS Traffic Engineering: Performance Evaluation. W. Lai. June 2005. (Format: TXT=58691, PDF=201138 bytes) (Status: INFORMATIONAL)
    4201 Link Bundling in MPLS Traffic Engineering (TE). K. Kompella, Y. Rekhter, L. Berger. October 2005. (Format: TXT=27033 bytes) (Updates RFC3471, RFC3472, RFC3473) (Status: PROPOSED STANDARD)
    Basically these standards allow combining congestion management and MPLS TE. The standard says a router "may allocate resources" based on the MPLS TE reservations.
    So MPLS DiffServ-aware TE can deliver both TE and QoS.
    Regards, Martin

  • SNMP per-ipsec tunnel bandwidth monitoring

    Which OID can be used for monitoring bandwidth (bps, kbps...) per IPsec tunnel, assuming there is no logical tunnel interface configured?
    IOS supports CISCO-IPSEC-FLOW-MONITOR-MIB, but I cannot find the OID in ftp://ftp.cisco.com/pub/mibs/oid/CISCO-IPSEC-FLOW-MONITOR-MIB.oid.
    Tnx!


  • Flash player / bandwidth stats for developing countries

    Hello Forum
    I am developing a website that will be viewed in countries with high bandwidth as well as lower bandwidth (mostly countries in South / Central America and South East Asia). I'm trying to settle on the appropriate technology (Flash vs HTML) or see how complex / fancy we can get without neglecting the audience with slower connections and possibly older Flash players (or no Flash players).
    Are there people on this list who have experience developing these kinds of sites?
    Any general insights and leads to statistics are much appreciated.
    Thank you in advance.
    stephank

    Hey!
    I am by no means an expert but I'll try and help you anyway.
    http://www.adobe.com/products/player_census/flashplayer/
    Those are Adobe's statistics, look around a bit. They say emerging markets and by that they mean China, S. Korea, Russia, India and Taiwan.. so you judge.
    http://www.swivel.com/data_columns/spreadsheet/3822292
    That's an estimate of the number of computers in countries around the world.. which is pretty useless data unless you believe you can judge the capabilities of those computers based off how common they are.
    That's just my attempt at finding you some statistics. Personally, I've had tons of experiences where I presented work in Flash on computers that just couldn't handle very simple tweens. So, I'd be hesitant to use Flash depending on the situation. If your site is intended to sell something that's worth a considerable amount of money then I'd go ahead and go with Flash, but if it's a service like.. well you know, UNICEF, then I'd probably use HTML. That's just my opinion, you know?
    Good luck with your site, and I hope you can find some better data.
    Thanks,
    John

  • MPLS TE

    Can I create two MPLS TE tunnels from PE A to PE B with the same destination address as the loopback of PE B with "autoroute-announce" enabled, given that the two tunnels have different explicit paths created?
    e.g
    From PE A:
    int lo0
    ip address 10.10.10.1 255.255.255.255
    int tu1
    ip unnumbered loopback 0
    tunnel mode mpls traffic-eng
    tunnel destination 20.20.20.1
    tunnel mpls traffic-eng autoroute announce
    int tu2
    ip unnumbered loopback 0
    tunnel mode mpls traffic-eng
    tunnel destination 20.20.20.1
    tunnel mpls traffic-eng autoroute announce
    PE B:
    int lo 0
    ip address 20.20.20.1 255.255.255.255

    Yes you can. And you can even use unequal cost load balancing, if it is desired. You will need a tunnel bandwidth statement and CEF will distribute the load according to the reserved bandwidth ratio of the two tunnels. The routing table would contain two paths to the destination networks routed across the tunnels. To make sure your IGP selects the tunnels as best path you might want to adjust the metric of the tunnels for IGP path selection:
    int tu1
    ip unnumbered loopback 0
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng bandwidth 1000
    tunnel destination 20.20.20.1
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng autoroute metric relative -1
    The last command will ensure the tunnel is always slightly better than the physical interfaces towards the destination.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Virtual Tunnel Interface (VTI) Hub Router Configuration

    When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform-set and ipsec profile, or can they all share the same configuration?
    Example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ******** address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    crypto ipsec profile VTI
    set transform-set TSET
    Thanks.-

    Hi,
    The IPsec profile can be shared.
    You could also create multiple transform sets and reference them in an IPsec profile, and then apply it to a specific VTI.
