VTI Tunnel Bandwidth Statements
What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
For example:
Location 1 - DS3 - 44 Mbps
Location 2 - DS1 - 1.5 Mbps
Would I put 'bandwidth 1500' on both ends of the tunnel, or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1 side?
Hi Peter,
To my knowledge, the bandwidth statement will not restrict the volume of traffic. Instead, it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping it.
HTH,
Nagendra
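As an added example (not from the thread), the arithmetic behind Nagendra's "control plane" point: how each end's bandwidth statement feeds the classic EIGRP composite metric for the two options Peter listed. The tunnel delay, the LAN behind each site and the default K values are assumptions.

```python
from dataclasses import dataclass

# EIGRP classic composite metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * (10^7 / min(bandwidth_kbps) + sum(delay_usec) / 10)
# Only the lowest bandwidth along the path counts, and each router plugs in the
# bandwidth configured on ITS OWN inbound interface (here: its end of the tunnel).
# Assumptions (not from the thread): tunnel delay 50000 us, a 100 Mbps LAN with
# 100 us delay behind each site.

@dataclass(frozen=True)
class Hop:
    bandwidth_kbps: int
    delay_usec: int

def eigrp_metric(hops):
    """Classic EIGRP metric for a path made of the given hops (receiving router's view)."""
    if not hops:
        raise ValueError("path needs at least one hop")
    min_bw = min(h.bandwidth_kbps for h in hops)
    bw_term = 10_000_000 // min_bw            # IOS truncates the division
    delay_term = sum(h.delay_usec for h in hops) // 10
    return 256 * (bw_term + delay_term)

REMOTE_LAN = Hop(bandwidth_kbps=100_000, delay_usec=100)   # assumed LAN behind each site
TUNNEL_DELAY = 50_000                                       # assumed tunnel interface delay (us)

def compare_tunnel_bandwidth_options(ds3_kbps=44_000, ds1_kbps=1_500):
    """Metric each site computes for the other site's LAN under the two configs in the question.

    'symmetric' : bandwidth 1500 on both tunnel ends
    'asymmetric': bandwidth 44000 on the DS3 end, bandwidth 1500 on the DS1 end
    """
    def view(local_tunnel_bw):
        # The local router sees: its own tunnel interface, then the far LAN.
        return eigrp_metric([Hop(local_tunnel_bw, TUNNEL_DELAY), REMOTE_LAN])

    return {
        "symmetric": {"ds3_site": view(ds1_kbps), "ds1_site": view(ds1_kbps)},
        "asymmetric": {"ds3_site": view(ds3_kbps), "ds1_site": view(ds1_kbps)},
    }

if __name__ == "__main__":
    for option, views in compare_tunnel_bandwidth_options().items():
        print(option, views)
    # Under 'asymmetric' the DS3 router's metric reflects 44 Mbps although the real
    # bottleneck is the 1.5 Mbps DS1 access; the path cost no longer tells the truth.
    # Either way the statement changes only the metric, never the forwarding rate,
    # which is why rate limiting needs shaping rather than a bandwidth statement.
```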
Similar Messages
-
Is it possible to create a VTI tunnel from my 877 router to my ASA
Hi all
I would like to know: is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a crypto map on the router?
cheers
Carl
Yes you can.
Forgot to add that it is possible when configuring EzVPN where the 877 is a remote client and the ASA the server.
-
Hi everyone!
We have 2 Cisco routers: a 3925 (office A) and a 2921 (office B). There is VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and 1 default VLAN #2. It's a working model which is used between the 2 offices.
Now I have a task to add VLAN #3 in Office B, which is used in Office A and routed to the firewall. VLAN #3 must be routed bypassing the VTI tunnel. As I understand it, I should use the InterVLAN feature on both routers. But it doesn't work. :(
Here are configs:
Office A (3925):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.100.181 255.255.255.0
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.150.10 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.178 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.178 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 192.168.100.2
Office B (2921):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet0/0.3
 description MOWDT Vlan 3
 encapsulation dot1Q 3
 ip address 192.168.150.11 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.179 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.179 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
Could you please assist where the problem is?
Both of these lines do the same thing: one explicitly defines the value and the other is set for auto-discovery; however, when it comes to the tunnel interface, all you need is to set the MTU size to 1400.
one: ip tcp adjust-mss 1300
two: tunnel path-mtu-discovery
Now an additional command, which you need to disable split horizon on EIGRP ("x" is your process ID) so that spoke-to-spoke communication can pass via the hub:
no ip split-horizon eigrp x
"If I disable these features won't I have problems with fragmentation?"
That is taken care of by setting the MTU size to 1400.
Now you set "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
Have you tried it?
thanks
Message was edited by: Rizwan Mohamed -
Tunnel - using Tunnel Bandwidth
I have a quick question here: what is the purpose of the Tunnel Bandwidth command, and is it necessary on a point-to-point connection? The reason I ask is that we have a point-to-point connection and a tunnel is riding over this connection. Every now and then I notice high latency on this connection. I noticed that the bandwidth transmit/receive is set up for 8k only while the point-to-point connection is 128k. I'm thinking this is the cause of the latency... your thoughts?
Hi
hope this helps..
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dddc3e4
regds -
Hi all,
I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on those interfaces.
VTI is encrypting all data traffic. But what about OSPF traffic?
Is OSPF traffic encrypted also, or do I need to configure OSPF authentication?
Thanks
OSPF exchange is already encrypted inside the tunnel, so you don't have to use OSPF authentication. OSPF uses the tunnel IP addresses for communication, and traffic flow between those two addresses is possible only through the secure tunnel.
-
Hi all,
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
Sometimes the tunnel goes down and I have to manually shutdown and no shutdown the tunnel interface to bring it up.
These are the logs from the Cisco:
%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
X.Y.100.100 is Juniper SRX3600
X.Y.100.200 is Cisco 3825
But I see these logs more often than the tunnel goes down!
So what is the problem?
Thanks
Hello,
this should help: crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
Best Regards
Please rate all helpful posts and close solved questions -
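For the invalid-SPI thread above, an added example (not from the thread or from Cisco): detection logic that parses RECVD_PKT_INV_SPI messages in the format quoted there and flags a peer only when the same unknown SPI keeps arriving, which separates the occasional rekey-time message from the stuck state the poster had to clear by bouncing the tunnel. The sample log, the RFC 5737 addresses and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the RECVD_PKT_INV_SPI message as quoted in the thread; IGNORECASE so the
# forum's lower-cased copy and a real IOS log line both parse.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[0-9A-Za-z.:]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[0-9A-Za-z.:]+)",
    re.IGNORECASE,
)
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})")   # constructed HH:MM:SS prefix on each sample line

def parse_inv_spi(line):
    """Return {'t', 'src', 'dst', 'spi', 'prot'} for an invalid-SPI line, else None."""
    m = INV_SPI_RE.search(line)
    ts = TS_RE.match(line)
    if not m or not ts:
        return None
    t = int(ts[1]) * 3600 + int(ts[2]) * 60 + int(ts[3])
    return {"t": t, "src": m["src"], "dst": m["dst"],
            "spi": int(m["spi"], 16), "prot": int(m["prot"])}

def stale_sa_alerts(lines, threshold=3, window=60):
    """Flag a peer whose packets keep hitting the SAME unknown SPI: >= threshold
    occurrences within `window` seconds. One message around a rekey is noise; a
    sustained run means the peer still uses an SA this side no longer has, the
    condition 'crypto isakmp invalid-spi-recovery' is meant to clear."""
    hits = defaultdict(list)
    for e in filter(None, map(parse_inv_spi, lines)):
        hits[(e["src"], e["dst"], e["spi"])].append(e["t"])
    alerts = []
    for (src, dst, spi), times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            run = sum(1 for t in times[i:] if t - start <= window)
            if run >= threshold:
                alerts.append({"src": src, "dst": dst, "spi": f"0x{spi:08x}", "hits": run})
                break
    return alerts

# Constructed sample log: 192.0.2.100 stands in for the SRX, 192.0.2.200 for the 3825.
SAMPLE_LOG = [
    "09:00:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "09:00:05: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.100 has no SA and is not an initialization offer",
    "09:00:17: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "09:00:31: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "09:00:52: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "14:22:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.100",
]

if __name__ == "__main__":
    for a in stale_sa_alerts(SAMPLE_LOG):
        print(f"stale SA suspected: {a['src']} -> {a['dst']} spi {a['spi']} ({a['hits']} hits)")
```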
Hi All,
I need to connect some routers to an ASA using IPSec tunnels. The goal is to get NetFlow traffic from the routers to a collector behind an ASA using IPSec tunnels.
Recently I found out that (locally originated) NetFlow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using Flexible NetFlow (which my collector doesn't support) or using a real tunnel interface on the router.
This implies I need to use:
- IPSec/GRE
- EzVPN with DVTI
- SVTI...?
Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
Regards
Hi Hielke,
If you manage to match the SAs proposed by the router when using SVTI, which is any-to-any, you will do this on the ASA using a crypto map access-list as follows:
access-list crypto VPN permit ip any any
Then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different from the one leaving the outside interface.
So, as Marcin said, this will not scale for you.
HTH
Mohammad. -
Hi,
I have a site to site vpn GRE tunnel from a 2811 router to a 2811 router.
On the remote site I have 2 routers configured with HSRP. The only way I've found for the tunnel to work with HSRP is to configure a different tunnel on each router. But both of them are always up.
Could anybody tell me what is the bandwidth consumed by a tunnel only being up, without traffic?
Thanks in advance
-
Can QoS be implemented when VPN tunnel bandwidth is unknown?
Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown. In other words is it possible to have QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?
Hey Martin,
Thanks for your reply. I think IntServ won't be a solution straight away; I'll try to explain what I would like to do.
My issue is that I have a few locations which are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except ports 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.
Because there is a Cisco VoIP router at the mobile location and some users' data should have precedence over others', I would like to implement QoS.
My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Network stuff if the Cisco can't do site-to-site SSL), I would have more control over the internet link. I would not be limited to using only ports 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
It's likely that this VPN link would always consume the maximum available bandwidth. If it were possible for some QoS mechanism to "detect" the speed of the VPN, I could, let's say, dedicate bandwidth for 4 VoIP calls and make the remaining bandwidth available for normal traffic. Note that this normal traffic should have some priority levels too.
Assigning dedicated bandwidth to VoIP isn't a big problem I think; however, how can I make x percent of the remaining bandwidth available to user x and y percent available to user y?
I hope I wrote it understandably ;).
Regards -
Monitoring IPSec Tunnel Bandwidth Utilization
We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and Lan-to-Lan. We would like to monitor the bandwidth utilization of the IPSec Lan-to-Lan tunnels. How can we do that?
Thanks,
Spr
Hi Spr,
Check out VPNTTG (VPN Tunnel Traffic Grapher), software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores historical monitoring data for each VPN tunnel in a database.
For more information about VPNTTG please visit www.vpnttg.com -
MPLS TE tunnel Bandwidth and ip rsvp bandwidth
I have some questions about how to reserve bandwidth in an MPLS TE environment.
1. We must configure ip rsvp bandwidth on all concerned interfaces in an MPLS TE environment, right?
2. What is the goal of ip rsvp bandwidth?
3. tunnel mpls traffic-eng bandwidth XXX: the command defines the flow bandwidth initiated by the head-end; if sending more than XXX flow, how does it work? Drop the excessive packets in the flow?
Any pointer is welcome! Thanks!
Hello,
just today I found some time to read RFCs and found:
4124 Protocol Extensions for Support of Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, Ed.. June 2005. (Format: TXT=79265 bytes) (Status: PROPOSED STANDARD)
4125 Maximum Allocation Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, W. Lai. June 2005. (Format: TXT=22585 bytes) (Status: EXPERIMENTAL)
4126 Max Allocation with Reservation Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering & Performance Comparisons. J. Ash. June 2005. (Format: TXT=51232 bytes) (Status: EXPERIMENTAL)
4127 Russian Dolls Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering. F. Le Faucheur, Ed.. June 2005. (Format: TXT=23694 bytes) (Status: EXPERIMENTAL)
4128 Bandwidth Constraints Models for Differentiated Services (Diffserv)-aware MPLS Traffic Engineering: Performance Evaluation. W. Lai. June 2005. (Format: TXT=58691, PDF=201138 bytes) (Status: INFORMATIONAL)
4201 Link Bundling in MPLS Traffic Engineering (TE). K. Kompella, Y. Rekhter, L. Berger. October 2005. (Format: TXT=27033 bytes) (Updates RFC3471, RFC3472, RFC3473) (Status: PROPOSED STANDARD)
Basically these standards allow combining congestion management and MPLS TE. The standard says a router "may allocate resources" based on the MPLS TE reservations.
So MPLS DiffServ-aware TE can deliver both TE and QoS.
Regards, Martin -
SNMP per-ipsec tunnel bandwidth monitoring
Which OID can be used for monitoring bandwidth (bps, kbps...) per IPsec tunnel, assuming there is no logical tunnel interface configured?
IOS supports CISCO-IPSEC-FLOW-MONITOR-MIB, but I cannot find the OID in ftp://ftp.cisco.com/pub/mibs/oid/CISCO-IPSEC-FLOW-MONITOR-MIB.oid.
Tnx!
-
Flash player / bandwidth stats for developing countries
Hello Forum
I am developing a website that will be viewed in countries with high bandwidth as well as lower bandwidth (mostly countries in South / Central America and South East Asia). I'm trying to settle on the appropriate technology (Flash vs HTML) or see how complex / fancy we can get without neglecting the audience with slower connections and possibly older Flash players (or no Flash players).
Are there people on this list who have experience developing these kinds of sites?
Any general insights and leads to statistics are much appreciated.
Thank you in advance.
stephank
Hey!
I am by no means an expert but I'll try and help you anyway.
http://www.adobe.com/products/player_census/flashplayer/
Those are Adobe's statistics, look around a bit. They say emerging markets and by that they mean China, S. Korea, Russia, India and Taiwan.. so you judge.
http://www.swivel.com/data_columns/spreadsheet/3822292
That's an estimate of the number of computers in countries around the world.. which is pretty useless data unless you believe you can judge the capabilities of those computers based off how common they are.
That's just my attempt at finding you some statistics. Personally, I've had tons of experiences where I presented work in Flash on computers that just couldn't handle very simple tweens. So, I'd be hesitant to use Flash depending on the situation. If your site is intended to sell something that's worth a considerable amount of money then I'd go ahead and go with Flash, but if it's a service like.. well you know, UNICEF, then I'd probably use HTML. That's just my opinion, you know?
Good luck with your site, and I hope you can find some better data.
Thanks,
John -
Can I create two MPLS TE tunnels from PE A to PE B with the same destination address as the loopback of PE B, with "autoroute-announce" enabled, given that the two tunnels have different explicit paths created?
e.g.
From PE A:
int lo0
 ip address 10.10.10.1 255.255.255.255
int tu1
 ip unnumbered loopback 0
 tunnel mode mpls traffic-eng
 tunnel destination 20.20.20.1
 tunnel mpls traffic-eng autoroute announce
int tu2
 ip unnumbered loopback 0
 tunnel mode mpls traffic-eng
 tunnel destination 20.20.20.1
 tunnel mpls traffic-eng autoroute announce
PE B:
int lo 0
 ip address 20.20.20.1 255.255.255.255
Yes you can. And you can even use unequal-cost load balancing, if desired. You will need a tunnel bandwidth statement, and CEF will distribute the load according to the reserved bandwidth ratio of the two tunnels. The routing table would contain two paths to the destination networks routed across the tunnels. To make sure your IGP selects the tunnels as the best path you might want to adjust the metric of the tunnels for IGP path selection:
int tu1
 ip unnumbered loopback 0
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 1000
 tunnel destination 20.20.20.1
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng autoroute metric relative -1
The last command will ensure the tunnel is always slightly better than the physical interfaces towards the destination.
Hope this helps! Please rate all posts.
Regards, Martin -
Virtual Tunnel Interface (VTI) Hub Router Configuration
When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform-set and IPsec profile, or can they all share the same configuration?
Example:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TSET
Thanks.
Hi,
The IPsec profile can be shared.
You could also create multiple transform sets, reference them in IPsec profiles and then apply each to a specific VTI.