2811 DMVPN Performance
I have a DMVPN tunnel set up between a 2811 and a 2851 router over a 54 Mbps wireless link with AES-256 encryption. My latency is great, less than 5 ms. However, my throughput over the tunnel is on average only 4 to 6 Mbit/s.
Is this normal, i.e. the maximum throughput I should expect from a 2811 router on an AES-256 DMVPN tunnel?
Would lowering the encryption level give me better performance?
Would it be useful to add a dedicated VPN module instead of using just the built-in VPN engine?
Tags: Cisco Security
Similar Questions
-
Load-balancing several DMVPN tunnels
Trying to load-balance 2 DMVPN tunnels from a remote router to our central administration site. The remote router is a 2811 running 12.4.24. It has two DSL connections and I built two DMVPN tunnels to my HQ, with each tunnel going to a separate router. I am running EIGRP across the WAN and LAN. Please see the attached drawing.
When I put in two equal default routes and just let EIGRP balance, it favours the route via router 180.7.250.1 and very little traffic crosses the 180.7.249.1 route.
The reason I'm trying this is because this site is kind of remote and I can't get more than 500KB up and 1.5MB down DSL circuits. So to boost performance a bit I wanted to try running both circuits.
I am open to suggestions or advice on how to get a little more bandwidth to this site.
Thanks in advance.
EIGRP metrics are determined by delay, bandwidth, reliability and load. You have the same router and the same kind of tunnel interface. All the interfaces involved in EIGRP must match exactly if you want to load-balance across them. See below how the composite metrics differ. If you can make them match, your traffic will load-balance.
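As an added worked calculation (not part of the reply above), the default EIGRP composite metric with K1 = K3 = 1 and K2 = K4 = K5 = 0, applied to two tunnels whose parameters are assumed here: bandwidth 1500 kbit/s on both, and interface `delay` values of 1000 and 2000 (tens of microseconds), with IOS truncating the bandwidth term to an integer:

$$\text{metric} = 256 \times \left( \left\lfloor \frac{10^{7}}{\text{BW}_{\min}\ [\text{kbit/s}]} \right\rfloor + \frac{\sum \text{delay}\ [\mu\text{s}]}{10} \right)$$

Tunnel 1 (bandwidth 1500, delay 1000, i.e. 10\,000 µs):
$$256 \times \left( \left\lfloor \tfrac{10^{7}}{1500} \right\rfloor + \tfrac{10\,000}{10} \right) = 256 \times (6666 + 1000) = 1\,962\,496$$

Tunnel 2 (bandwidth 1500, delay 2000, i.e. 20\,000 µs):
$$256 \times (6666 + 2000) = 2\,218\,496$$

Because the metrics differ, only Tunnel 1 is installed as a successor and all traffic follows it; equal-cost balancing requires identical `bandwidth` and `delay` on both tunnel interfaces (so that both terms agree). The unequal-cost alternative would be `variance 2` under `router eigrp`, since $2\,218\,496 / 1\,962\,496 \approx 1.13 < 2$, provided the second path also satisfies the feasibility condition.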
-
DMVPN w/ multicast setup/questions
Hello
I have a lot of questions, so bear with me as I dump them out of my head.
I did a few tests with DMVPN in conjunction with multicast video (hub-and-spoke, w/ no spoke-to-spoke). The test configuration uses 2 Cisco 2811s w/out VPN modules. I understand performance suffers without the module. That being said, here are my questions.
1. With encryption on, the hub and spoke routers use 90-97% of the CPU (8 MB multicast stream). With encryption off, the hub is at about 60% and the spoke at about 75%. Here's where I'm confused. If I send that same stream as unicast, w/ encryption, the hub and spoke use only about 30-35% CPU. Why is so much more CPU needed when it comes to a multicast stream?
2. In the current configuration, I get input errors, throttles and ignores on the hub and the spoke. The hub has these errors on the LAN interface and the spoke has them on the WAN interface. All other interfaces are completely clean. I checked and there are no duplex or speed mismatches. Any ideas?
HUB:
Current configuration : 1837 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Hub
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password
!
no aaa new-model
clock timezone Central -6
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
archive
 log config
  hidekeys
!
interface Tunnel1
 bandwidth 100000
 ip address 192.168.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 450
 no ip route-cache cef
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
!
interface FastEthernet0/0 (WAN)
 ip address 216.x.x.x 255.255.255.192
 ip pim sparse-mode
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1 (LAN)
 ip address 128.112.64.5 255.255.248.0
 ip pim sparse-mode
 load-interval 30
 duplex auto
 speed auto
!
router eigrp 1
 network 128.112.0.0
 network 192.168.11.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http authentication local
ip http secure-server
!
!
ip pim rp-address 128.112.64.5 10
!
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
!
SPOKE:
Current configuration : 1857 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password
!
no aaa new-model
clock timezone Central -6
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
archive
 log config
  hidekeys
!
interface Tunnel1
 bandwidth 100000
 ip address 192.168.11.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ip nhrp map 192.168.11.1 216.x.x.x
 ip nhrp map multicast 216.x.x.x
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.11.1
 no ip route-cache cef
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 216.x.x.x
 tunnel key 100000
 tunnel bandwidth transmit 100000
 tunnel bandwidth receive 100000
!
interface FastEthernet0/0 (WAN)
 ip address 65.x.x.x 255.255.255.192
 ip pim sparse-mode
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1 (LAN)
 ip address 128.124.64.1 255.255.248.0
 ip pim sparse-mode
 ip igmp join-group 239.10.10.10
 load-interval 30
 duplex auto
 speed auto
!
router eigrp 1
 network 128.124.0.0
 network 192.168.11.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.x.x.x
no ip http server
no ip http secure-server
!
!
ip pim rp-address 128.112.64.5 10
!
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Joe,
You ask the right question.
CPU utilization = CPU consumed by processes + I/O operations (in a huge simplification: CEF).
Usually when a packet is processed by the router we expect it to be handled by CEF, i.e. very quickly.
A packet is not processed by CEF when:
- something is missing to route the packet properly (think ARP/CAM entry), so an additional lookup needs to be done;
- a feature requires the packet to be handled further (transformation/deformation);
- the packet is destined for the router itself
(and many others, but these are the most important).
When a packet is received but cannot be handled by CEF, we "punt the packet to the CPU", which in turn causes the process CPU to go up.
Now on the spoke, this seems to be the problem:
Spoke#show ip cef switching stati
Reason                          Drop       Punt       Punt2Host
RP LES Packet destined for us   0          1723       0
RP LES Encapsulation resource   0          1068275    0
There are also some output buffer failures on the spoke.
Usually at this stage I would say:
(1) 'upgrade' the device to 15.0(1)M6 or 12.4(15)T (the last image in this branch) and check if the problem persists there.
(2) If it does, run it by TAC. I don't see any obvious errors, but I'm just a guy in a chair, same as you ;-)
Marcin
-
I am in the initial research phase for DMVPN. We currently have an MPLS network running BGP. Each site has local Internet as well as a site-to-site VPN built on the router that talks to an ASA when the MPLS fails.
I want to implement DMVPN to do away with the site-to-site VPN and the ASA. I'm going to run EIGRP on the routers to connect the DMVPN. Are there any good whitepapers on BGP as the main path and EIGRP over the DMVPN as a backup? Or no, just focus on a general config?
Thank you
That's really the main issue.
With your configuration, DMVPN routes will be internal EIGRP with an AD of 90, so by default your DC would prefer DMVPN over MPLS, which is exactly what you don't want.
There are several ways around this, such as summarizing over the DMVPN, redistributing connected at the branch sites into EIGRP so the DMVPN routes are external as well, and then changing metrics, etc.
The other alternative, which I have never done, so it's just for your information, is that Cisco has what is called the IWAN solution, where DMVPN is run everywhere, i.e. even over the MPLS network.
That would solve your internal vs external EIGRP routes problem, but IWAN is much more than just that, even if you do not necessarily need to implement the entire solution at once.
I just thought it should be mentioned, and if you want more information on this I can point you to the design guide.
Jon
-
Design direction for 10-20 branch offices with a 'hub' data center - DMVPN?
Hi guys,
Looking for a technology to make 10-20 private branch office LANs (each with a single RFC 1918 /24) and a private data center LAN "appear" to be directly connected. For example, a computer in a branch at 192.168.101.X could get DNS from, and authenticate to, a domain controller in the data center at 192.168.1.Z.
The bandwidth to each branch is about 10M terminating on a 2811. The LAN has between 5-10 computers without a local domain controller. The current technology uses static VPN tunnels built on a firewall behind the 2811. A public /29 CIDR block is routed to the 2811 for the firewall's public IP address.
* Is DMVPN on the branch 2811s a good way to remove the firewalls in this scenario?
* If not, why, and what would be better?
* With DMVPN configured on the 2811, is it possible to simultaneously configure SSL VPN and EasyVPN to allow remote staff to access any branch LAN remotely?
* Would it be possible - assuming bandwidth is not a concern - to run a kind of virtual office from the data center to the branches through the DMVPN?
* If a 2811 is acceptable in the branches, what platform would be recommended for the data center? The bandwidth available to it would be 100M.
Thank you!
Greg
Hi Greg,
A DMVPN is a good solution for you, as long as you have the bandwidth, which it sounds like you do. You can do this with any of the 2800 series routers. The thing to keep in mind is that VPN traffic takes a lot of processor time to encrypt and decrypt the packets. Each of the 2800 series routers has VPN hardware that helps offload the main processor.
A 2811 at the branch should easily handle the functions for 5 to 10 users. I have a config very similar to what you want, with 8 remote offices over a DMVPN. Most of the branches terminate on a 2811.
I also have IPSEC or SSL VPN at the remote sites; these can be run simultaneously. In the DMVPN config, you can choose whether or not to carry VPN traffic between DMVPN spokes.
Connecting the locations with RDP connections runs easily over the DMVPN. The speed of other services (file/printer sharing) will certainly depend on the bandwidth. If you want remote offices to authenticate to corporate domain controllers, this traffic should also be taken into account.
I would start with a 3800/3900 series router in the data center; this should easily handle the traffic that you suggest and leave room for growth.
I have attached a simple config with IPSEC/SSL VPN for remote users for you. I hope this helps!
Kind regards
Sam
-
DMVPN solution for 50 branches...
Hi all
We have about 40 branches and a central data center.
Each office is connected to the domain controller, and all Internet traffic passes through and is filtered between the DC and the central firewall.
We have VoIP, with a central call manager in the DC.
Our data is in the DC, except for some offices that have their own file server.
RDP is also still in use. Now, today, we have an MPLS network linking all of our offices.
I am doing research on implementing a DMVPN for all offices, or as a second solution for some of our (small) offices.
Would you recommend one or the other solution? As I read, voice traffic is the most critical and the most difficult to manage with an ISP and DMVPN solution.
I would really appreciate your opinion.
Kind regards
Thomas
PS: I chose DMVPN because in the near future we will have a backup of our DC in a second office, only for some of the critical data and services.
That's why I'm thinking of using the DMVPN with 2 hubs.
Yes, you can run it on the Internet. Yes, you may have issues with VoIP.
A solution that we used in the past is dual Internet connections. You dedicate one to VoIP and one to everything else. Still much cheaper than MPLS.
You can also use PfR (Performance Routing) to select the circuit to use based on latency and jitter, and the type of traffic.
-
Hello
I have deployed a DMVPN with a dual-hub topology and several spokes. After setting up the spokes and the hub, I rebooted the hub to see if this works after a reboot of the hub, but I noticed that after the reboot the tunnel on the hub does not come up; the only way to bring the tunnel up was to clear the DMVPN static session on the spokes. During this time the hub kept giving a message:
ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 213.10.10.10 dst 213.58.10.10.14 for SPI 0xC15C587F
IOS: 12.4.11 T1
2821
2811
Can someone help me?
Thank you
Hello
Please make sure you have ISAKMP keepalive on the hubs and spokes, and once configured, please test again and see if it improves. What is happening is probably that when the hub is restarted, the spoke does not clear the tunnel, as it relies on the SAs timing out. When we delete the SAs on the spoke, the problem goes away. Configuring ISAKMP keepalive should work around this problem.
HTH,
Please rate if this helps.
Kind regards
Kamal
-
DMVPN router behind ASA - need help please.
Hello
After reading many other discussions on this topic, it appears that with the correct IOS and NAT-T enabled on the router, you can bring up DMVPN behind a NAT device.
I tried to do this, but I can't even get phase 1 going for the DMVPN. Routing was checked and I can ping the DMVPN routers' public IPs. I'm sure that the router configurations are good, but I'm asking whether any additional NAT is required on the ASA.
Here is the topology:
DMVPN Hub > ASA > Internet > ASA > DMVPN Branch
The ASA on the hub side is in our data center and in production with several site-to-site tunnels and traffic to the DMZ. The DMVPN devices are a Cisco 2921 and a 1921. When I run "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router. Nothing on the hub and no hits on the ASA ACL. I tried both the public IP address and the private IP address in the ACL on the ASA.
I have attached the relevant configs and can post more if necessary.
Thank you
Brandon
Hello
I finally had time to lab it.
I used this topology:
ASA(config)# sh run nat
nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
!
object network HUB
 nat (INSIDE,OUTSIDE) dynamic interface
ASA(config)# sh run access-list
access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq isakmp
access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq 4500
R2#sh run inter t0
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
So it should be the same configuration that you use.
The only thing is that I had to 'shut/no shut' the tunnel interface, and after removing some config I also needed to clear the connection on the ASA using "clear conn".
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 200.20.0.10        172.16.0.2    UP 00:11:28
     1 200.30.0.10        172.16.0.3    UP 00:11:22
R2#
-
ATM E3 modules & IPSEC site-to-site on 2811-sec/k9?
Hi people,
I am planning a pair of 2811 IOS firewalls on data-only 34 Mbit/s links and may also need to protect the connection with IPsec.
Is this achievable using this platform?
If so, I am concerned about the performance... perhaps an ASA5500 would be better?
Scenario: LAN_a - 2811-a - E3_line - 2811b - LAN_B.
As always, any suggestions gratefully received!
Kind regards
Andy.
You can run site-to-site VPN on both the 2811 and the ASA 5500, but the Cisco ASA 5500 Series is richer in features, with Cisco SSL and IPsec remote access and robust site-to-site connectivity support. The series offers greater scalability and higher throughput capacity than the widely deployed Cisco VPN 3000 Series concentrators and can be easily integrated into any Cisco VPN 3000 Series load-balancing cluster.
-
crypto isakmp invalid-spi-recovery command worked well in the DMVPN case
Hello
I did the setup for hub/spoke in the DMVPN case and it worked fine. But after reloading the hub I saw the error output below, so I added the command crypto isakmp invalid-spi-recovery on the hub & spokes:
*Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.3.1.3
*Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.2.1.2
Note: spoke1's IP address: 150.2.1.2 / spoke2's IP address: 150.3.1.3 / hub's IP address: 150.1.1.1
My temporary solution for the same problem: I need to clear the SPI manually and then it works fine again.
Does everyone have the same problem? Please let me know.
Kind regards
TRAN
Hello
There is a common misconception about what the crypto isakmp invalid-spi-recovery command does. Even without this command, IOS already performs a kind of invalid-SPI recovery by sending a DELETE notify for the received SA to the sending peer if it already has an IKE SA with that peer. Once again, this happens regardless of whether crypto isakmp invalid-spi-recovery is enabled or not.
With crypto isakmp invalid-spi-recovery, it tries to fix the condition where a router receives IPsec traffic with an invalid SPI and
it does not have an IKE SA with this peer. In this case, it will try to set up a new IKE session with the peer and then send a DELETE notify over the newly created IKE SA. However, this command does not work in all crypto configurations. The only crypto configurations this command works with are the instantiated ones, e.g. sVTI, and static crypto maps where the peer is explicitly defined. Here is a summary of commonly used crypto configurations and whether invalid-spi-recovery works with that configuration or not:
Crypto config                        Invalid-spi-recovery?
Static crypto map                    YES
Dynamic crypto map                   NO
P2P GRE with TP                      YES
mGRE TP w/ static NHRP mapping       YES
mGRE TP w/ dynamic NHRP mapping      NO
sVTI                                 YES
EzVPN client                         N/A
For help with your scenario, you can enable DPD (crypto isakmp keepalive) on the spoke to help tunnel recovery.
Thank you
Wen
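As an added example that is not from either reply (Kamal's ISAKMP keepalive advice earlier on this page and Wen's DPD note above), here is a spoke-side configuration combining both knobs; the pre-shared key, tunnel addressing and names are placeholders, the hub address 150.1.1.1 and tunnel key follow the posts on this page, and the invalid-spi-recovery comment applies only because the spoke maps its hub statically:

```cisco
! Added example (not from the thread): spoke-side settings that combine the
! two suggestions in this thread, DPD keepalives and invalid-spi-recovery.
! Pre-shared key, NHRP authentication string and names are placeholders.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 150.1.1.1
!
! DPD: send a keepalive every 10 s, retry every 3 s, and do it periodically
! (not only when traffic is pending), so a hub that reloaded is noticed and
! the stale IKE/IPsec SAs are torn down instead of waiting for their lifetime.
crypto isakmp keepalive 10 3 periodic
!
! If ESP arrives with an SPI this spoke does not know and there is no IKE SA
! with that peer, bring up a fresh IKE SA just to send the DELETE notify.
! This takes effect here only because the spoke maps the hub statically
! (ip nhrp map / ip nhrp nhs); a hub with dynamic NHRP mappings gets no
! benefit from it, as the reply above explains.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 192.168.11.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLACEHOLDER
 ip nhrp map 192.168.11.1 150.1.1.1
 ip nhrp map multicast 150.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.11.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN-PROF
```

After a hub reload, `show crypto isakmp sa` on the spoke should show the old entry gone and a fresh QM_IDLE entry for 150.1.1.1 within a few DPD intervals, without anyone having to clear SAs by hand.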
-
Hello
Is it possible to configure DMVPN on the ASA? If yes, how?
I know THAT DMVPN is not possible on PIX.
My problem is configuring a site-to-site VPN between two sites, the first site having a leased line with a fixed public IP and the second site having ADSL with a dynamic IP. I have an ASA 5510 firewall at the first site and a 2811 router at the second site.
Kind regards
Sylvie
Hello
You don't need a DMVPN for this.
You can configure a site-to-site tunnel using a dynamic-to-static configuration.
DMVPN is supported only on Cisco routers, so it is not possible to implement it on the ASA.
This is because DMVPN still uses GRE, which is supported only on routers.
Here is an example of a site-to-site, where one end has a dynamically assigned IP address:
Hope it is useful.
Federico.
-
DMVPN dual-cloud source address problem
Greetings,
I run a single-hub dual-cloud DMVPN in phase 2 operation (spoke-to-spoke active). I am very surprised that this question does not come up more often.
Here is my configuration:
Each station has its own ISP.
Each remote site has a single router connected to 2 ISPs (interface1 and interface2).
Each hub public IP is statically routed (/32) through a single interface.
The default route is floating, based on an IP SLA tracking mechanism.
Note the following image (showing the static host routes and default routes).
With both default routes pointing out the interface carrying DMVPN-X, spoke-to-spoke on DMVPN-X works well. But what about spoke-to-spoke over DMVPN-Y? It gets broken in the following way:
At site A, my TunnelY interface is sourced from 10.2.0.2. After it learns site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel. But how does it get to 10.4.0.2? It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2. A few things can happen:
(1) The ISP blocks the bad source completely, either explicitly or through uRPF.
(2) The spoke-to-spoke tunnel comes up, but asymmetric routing occurs (this is rare).
(3) The ISP NATs all sources to itself (Comcast SMC gateways do this). In the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2! Imagine the confusion caused.
In most cases, ISAKMP is dropped. Even if the tunnel comes up, I don't want asymmetric shaping with all the bandwidth on a single interface - I'd like to actively use both ISP connections.
So... how to handle this? I predicted it, but I thought that the NHRP/DMVPN mechanism would deal with this situation, i.e. if I hear a spoke via TunnelY and TunnelY is sourced on Interface2, it would naturally send packets out interface2. Alas, this isn't the case.
Here are some ways I thought of to solve it:
(1) Because my endpoints are not dynamic, I could statically host-route all Y spokes out all the interface2s, and all the X spokes out the interface1s. (With 30 sites, it's so ugly that I hesitate to even include it.)
(2) A route-map on each external interface matching on the source address. If interface1 sees an interface2 source, set next-hop to interface2. The same on interface2: if it sees a source matching interface1's IP address, set next-hop to interface1. It is repeatable, but looks a bit ugly as well.
(3) Post on the Cisco forums and see what the consensus is.
Thanks much in advance. Here are my spoke site configs if you need them:
Example from site A above:
(using PKI for ISAKMP)
interface TunnelX
 bandwidth 10000
 ip address 192.168.X.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redacted]
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 192.168.X.1 1.1.1.1
 ip nhrp network-id X
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.X.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile DMVPN_IPSEC
!
interface TunnelY
 bandwidth 10000
 ip address 192.168.Y.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redacted]
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 192.168.Y.1 2.2.2.2
 ip nhrp network-id Y
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.Y.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key Y
 tunnel protection ipsec profile DMVPN_IPSEC
!
ip route 1.1.1.1 255.255.255.255 10.1.0.1
ip route 2.2.2.2 255.255.255.255 10.2.0.1
ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.0.1 250 (for failover if track 1 goes down)
This is usually resolved by separating the ISPs into front-door VRFs (keeping the global VRF inside if you choose to), which allows both to be tracked.
It's late (almost 1:00) but I think that tunnel route-via could potentially work too.
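The front-door VRF approach from the reply, written out as an added example that is neither the poster's nor the replier's configuration: VRF names, tunnel addressing, interface names and ISP next-hops are assumed, while the hub NBMA addresses 1.1.1.1 and 2.2.2.2 follow the post above. The poster uses PKI; with pre-shared keys the keyring would additionally need to be bound to each fVRF.

```cisco
! Added example (not from the thread): dual-cloud spoke with each ISP in its
! own front-door VRF (fVRF). The GRE/IPsec packet is routed in the tunnel's
! fVRF, whose only default route points at that ISP, so a TunnelY packet
! sourced from 10.2.0.2 can no longer leave via Gi0/1. Names are assumed.
! ("ip vrf" works on 12.4 and 15.x; "vrf definition" is the 15.x form.)
ip vrf FVRF-ISP1
 rd 1:1
ip vrf FVRF-ISP2
 rd 2:2
!
interface GigabitEthernet0/1
 description ISP1 (carries DMVPN-X)
 ip vrf forwarding FVRF-ISP1
 ip address 10.1.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 description ISP2 (carries DMVPN-Y)
 ip vrf forwarding FVRF-ISP2
 ip address 10.2.0.2 255.255.255.0
!
! Tunnel interfaces stay in the global table (inside); only the transport
! lookup for the encapsulated packet is moved into the fVRF by "tunnel vrf".
interface TunnelX
 bandwidth 10000
 ip address 192.168.10.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 192.168.10.1 1.1.1.1
 ip nhrp network-id 10
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.10.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel vrf FVRF-ISP1
 tunnel protection ipsec profile DMVPN_IPSEC
!
interface TunnelY
 bandwidth 10000
 ip address 192.168.20.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 192.168.20.1 2.2.2.2
 ip nhrp network-id 20
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.20.1
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 20
 tunnel vrf FVRF-ISP2
 tunnel protection ipsec profile DMVPN_IPSEC
!
! One default per fVRF replaces the per-hub /32 host routes: spoke-to-spoke
! tunnels learned via NHRP on TunnelY now resolve in FVRF-ISP2 and exit Gi0/2.
ip route vrf FVRF-ISP1 0.0.0.0 0.0.0.0 10.1.0.1
ip route vrf FVRF-ISP2 0.0.0.0 0.0.0.0 10.2.0.1
!
! The global table no longer needs ISP defaults for the tunnels; keep the
! tracked floating defaults only if local Internet breakout is wanted, in
! the interface+next-hop form so they leak from global into the fVRF:
! ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.1.0.1 track 1
! ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 10.2.0.1 250
```

The lighter alternative the reply mentions is `tunnel route-via GigabitEthernet0/2 mandatory` under TunnelY (and Gi0/1 under TunnelX), which pins the egress interface without VRFs but leaves the ISP next-hops in the shared global table.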
-
Hi, we use a 2811 now, and I've heard the 2811 has up to 3 Mbps VPN throughput. Now we intend to replace the 2811 with a 2951, but I would like to know how the VPN throughput on the 2951 is. Double the 2811, or more than that?
Thank you.
LiLi
Hello
I'm afraid I can't give you the exact number because it depends on the traffic mix and the encryption settings. In practice, it is always best to test these things in real life.
One thing I can tell you is that to get maximum performance, you need the securityk9 and hseck9 licenses for the routers. See http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html#wp9001382 for more information.
As you can read on this page, without the hseck9 license the router will be limited to 85 Mbps of encrypted throughput; of course it depends on your situation whether you can reach this value.
I hope this helps; if so, please mark this question as "answered".
-
Does a DMVPN tunnel forward directed broadcasts?
Hi people.
We had an interesting problem on one of our spokes in our DMVPN network.
The spoke 2811's CPU was at 98%, with the IP Input process taking 98%.
From NetFlow, I saw many broadcasts being forwarded through Tu4, which is a DMVPN tunnel.
SrcIf   SrcIPaddress     DstIf   DstIPaddress     Pr SrcP DstP  Pkts
Fa0/0   169.254.29.148   Tu4     169.254.255.255  11 0089 0089  9136
Fa0/0   169.254.220.230  Tu4     169.254.255.255  11 0089 0089  1935
Fa0/0   169.254.153.196  Tu4     169.254.255.255  11 0089 0089  14K
The 169.254.X.X address is the Windows self-assigned address configured when a PC is unable to obtain an IP address.
The tunnel configuration is like this, and I wonder if, because of the "ip nhrp map multicast", it forwards all multicast and broadcast traffic over the tunnel.
Is this the case?
interface Tunnel4
 bandwidth 2048
 ip address X.X.X.X 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication xxxxx
 ip nhrp map A.A.A.A B.B.B.B
 ip nhrp map multicast B.B.B.B
 ip nhrp network-id 100003
 ip nhrp holdtime 600
 ip nhrp nhs Y.Y.Y.Y
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 load-interval 30
 qos pre-classify
 tunnel source Loopback4
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel protection ipsec profile backup
Hi Rick, thanks for the note :)
Hi George,
Another solution is to create a static route to Null0 for this unwanted traffic.
Kind regards
Lei Tian
-
DMVPN tunnel on a spoke (ADSL Internet service provider)
Hello world
I wonder if I can potentially use the same ip mtu value and the same ip tcp mss size on the Tunnel interface and the FastEthernet WAN interface on my DMVPN spoke routers? The WAN interface faces an ADSL modem provided by the ISP.
That is, something like:
interface FastEthernet4
 ip mtu 1400
 ip tcp adjust-mss 1360
 ....
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
Will this cause fragmentation issues for DMVPN?
Thank you!
Yes, the major impact is fragmentation and therefore performance.
I think what you describe is OK and, as mentioned, turning on tunnel PMTUD will take care of some scenarios.
Think of it like this (this is a simplification, but I think a fitting one).
A 1400-byte packet arrives on the LAN; we perform the route lookup, and it points out the tunnel interface. We perform the check "do we need to fragment this packet?" The answer is "no", because it fits within the MTU.
We perform encapsulation (driven by the features applied on the tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).
Now we take this encapsulated packet and check routing post-encapsulation; it will go out via interface fa4.
Does the packet fit in the MTU of 1400? "No", so we must fragment, if it is allowed.
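The two variants from the exchange above, as an added example that is neither the poster's nor the replier's configuration: the questioned variant with ip mtu 1400 on the WAN beside the variant that leaves the WAN at its default MTU. The overhead figures in the comments are assumptions for GRE with a 4-byte key and ESP AES-CBC/SHA-1 in transport mode; interface names follow the post.

```cisco
! Added example (not from the thread). Variant A is what the question proposes;
! Variant B is the usual arrangement. Overhead arithmetic (assumed): a 1400-byte
! inner packet + GRE with key (8) = 1408 bytes of ESP payload; padded to a
! 16-byte AES block with the 2-byte ESP trailer -> 1424; + SPI/seq (8) + IV (16)
! + SHA-1 ICV (12) -> 1460; + outer IP (20) -> 1480 bytes on the wire.
!
! --- Variant A: ip mtu 1400 on the WAN interface as well ---
! The 1400-byte LAN packet fits the tunnel MTU, so it is not fragmented before
! encapsulation. Post-encapsulation it is ~1480 bytes, which does not fit a
! 1400-byte WAN MTU: every full-size packet is fragmented AFTER encryption, and
! the far end must reassemble the ESP fragments before it can decrypt them.
interface FastEthernet4
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! --- Variant B: clamp only on the tunnel, leave the WAN at its physical MTU ---
! ~1480 <= 1500 (or 1492 if the modem runs PPPoE, assumed), so the encapsulated
! packet leaves whole. ip tcp adjust-mss 1360 = 1400 - 40 (IP + TCP headers)
! keeps TCP segments inside the tunnel MTU; UDP and ICMP rely on the 1400 ip mtu
! plus PMTUD.
interface FastEthernet4
 no ip mtu
 no ip tcp adjust-mss
!
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Let the tunnel learn a smaller path MTU from ICMP "fragmentation needed"
 ! messages instead of silently fragmenting, as the reply suggests.
 tunnel path-mtu-discovery
```

`show interfaces Tunnel0` and `show ip interface FastEthernet4` report the effective MTU values, and a rising "fragmented" counter under `show ip traffic` after Variant A is the symptom the reply describes.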