DMVPN and VRF Lite

Someone at - it an example of use of several networks DMVPN and VRF (no MPLS) interfaces

I have a requirment to use a common link to transmit three talking about networks isolated to the Hub as encrypted data. It could be VTI doesn't bother me, but I can't use MPLS.

Thank you

Hello

"back in the day", I made this config:

of http://isamology.blogspot.com/2010/01/IPSec-and-vrfs-so-who-faire-vrf.html

But normally, I guess you've seen this:
http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Same principles apply to the VRF lite little matter DMVPN/VTI/GREoIPsec configuration.

tunnel vrf VRF door =

IP vrf forwarding = inside the VRF

Now, if you add the cheat of Nico (for isakmp profiles) sheet especially if necessary, you should be all set.

https://supportforums.Cisco.com/docs/doc-13524

Marcin

Tags: Cisco Security

Similar Questions

The AAA authentication and VRF-Lite

Hello!

I encountered a strange problem, when you use authentication Radius AAA and VRF-Lite.

The setting is as follows. A/31 linknet is configured between PE and THIS (7206/g1 and C1812), where the EP sub-si is part of a MPLS VPN and VRF-Lite CE uses to maintain separate local services (where more than one VPN is used..).

Access to the this, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following configuration:

--> Config start<>

AAA new-model

!

!

Group AA radius RADIUS-auth server

Server x.x.4.23 auth-port 1645 acct-port 1646

Server x.x.7.139 auth-port 1645 acct-port 1646

!

AAA authentication login default group auth radius local

enable AAA, enable authentication by default group RADIUS-auth

...

touch of 1646-Server RADIUS host x.x.4.23 auth-port 1645 acct-port

touch of 1646-Server RADIUS host x.x.7.139 auth-port 1645 acct-port

...

source-interface IP vrf 10 RADIUS

---> Config ends<>

The VRF-Lite instance is configured like this:

---> Config start<>

VRF IP-10

RD 65001:10

---> Config ends<>

Now - if I remove the configuration VRF-Lite and use global routing on the CE (which is OK for a simple vpn installation), AAA/RADIUS authentication works very well. "" When I activate transfer ip vrf "10" on the interface of the outside and inside, AAA/RADIUS service is unable to reach the two defined servers.

I compared the routing table when using VRF-Lite and global routing, and they are identical. All roads are correctly imported via BGP, and the service as a whole operates without problem, in other words, the AAA/RADIUS part is the only service does not.

It may be necessary to include a vrf-transfer command in the config of Group server as follows:

AAA radius RADIUS-auth server group

Server-private x.x.x.x auth-port 1645 acct-port

1646 key ww

IP vrf forwarding 10

See the document below for more details:

http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html

DMVPN and INTERNET VIA HUB RENTAL ISSUES

Hello everyone,

I really wish you can help me with the problem I have.

I explain. I test a double Hub - double DMVPN Layout for a client before we set it up in actual production.
The client has sites where routers are behind some ISP routers who do NAT.

How things are configured:

-All rays traffic must go through the location of the hub if no local internet traffic on the rays.
-Hub 1 and 2 hub sends a default route to rays through EIGRP. But only Hub 1 is used.
-Hub 1 is the main router to DMVPN. In case of connection / hardware failure of the Internet Hub 2 become active for DMVPN and Internet.
-Hub 1 and 2 hub are both connected to an ISP and Internet gateway for rays.
-Hub 1 and 2 hub are configured with IOS Firewall.
-On the shelves I used VRF for separate DMVPN routning Global routning table so I could receive a default route of 1 Hub and Hub 2 to carry the traffic of rays to the Internet via the location of the hub

What works:

-All rays can have access to the local network to the location of the hub.
-All the rays can do talk of talk
-Working for DMVPN failover
-Rais NOT behind the router NAT ISP (i.e. the public IP address) directly related to their external interface can go Internet via hub location and all packages are inspected properly by the IOS and Nat firewall properly

What does not work:

-Rays behind the NAT ISP router can not access Internet via Hub location. They can reach a local network to the location of the hub and talk of talks.
IOS Firewall Router hub shows packages from rays of theses (behind a NAT) with a source IP address that is the router og PSI of public IP address outside the interface. Not the private address LAN IP back spoke.
In addition, the packets are never natted. If I do some captge on an Internet Server, the private source IP is the IP LAN to the LAN behind the rays. This means that the hub, router nat never these packages.

How to solve this problem?

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

Well I don't know that's why I need your help/advice :-)

I don't know that if I have to configure a VRF on the location of the hub gets also like things might mess upward.

The problem seems to be NAT - T the rays that are not behind a NAT, among which go over the Internet through a Hub and inspection of Cisco IOS and NAT are trying to find.

I tested today with the customer at the start them talking behind nat could ping different server on the Internet but not open an HTTP session. DNS was to find work. The IOS Firewall has been actually

inspection of packages with private real IP address. Then I thought it was a MTU issue, so I decided to do a ping on the Internet with the largest MTU size and suddenly the pings were no more.

I could see on the router Hub1 IOS Firewall was inspecting the public IP of the ISP NAT router again alongside with rays and not more than the actual IP address private. Really strange!

Attached files:

I attach the following files: a drawing of configuration called drawing-Lab - Setup.jpeg | All files for HUB1, BRANCH1 and BRANCH2 ISP-ROUTER configs, named respectively: HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP - ROUTER .txt

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch2 (behind the NAT ISP router):

Branch2 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source address of 192.168.110.1
.....
Success rate is 0% (0/5)

* 06:04:51.017 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (110.10.10.2:8) - answering machine (200.200.200.200:0)

If the IOS Firewall does not inspect the true private source IP address that can be, in this case: 192.168.110.2. He sess on the public IP address.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

There is no entry for packets of teas present NAT

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

7 7.355997 192.168.110.1 200.200.200.200 request ICMP (ping) echo
So that the firewall controllable IOS to the 110.10.10.2:8 public IP sniffing capture said that the package come from private real IP address

Inhalation of vapours on the server (200.200.200.200) with wireshark:

114 14.123552 192.168.110.1 200.200.200.200 request ICMP (ping) echo

If the private IP address of source between local network of BRANCH2 is never natted by HUB1

If the server sees the address source IP private not natted although firewall IOS Hub1 inspect the public IP address 110.10.10.2:8

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch1 (not behind the NAT ISP router):

Branch1 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source 192.168.100.1 address
!!!!!

* 06:05:18.217 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (192.168.100.1:8) - answering machine (200.200.200.200:0)

This is so the firewall sees the actual private IP which is 192.168.100.1

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
ICMP 80.10.10.2:22 192.168.100.1:22 200.200.200.200:22 200.200.200.200:22

The real private source IP address is also find natted 1 Hub outside the public IP address

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

8 7.379997 192.168.100.1 200.200.200.200 request ICMP (ping) echo

Real same as inspected by IOS Firewall so all private IP address is y find.

Inhalation of vapours on the server (200.200.200.200) with wireshark:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

67 10.441153 80.10.10.2 200.200.200.200 request ICMP (ping) echo

So, here's all right. The address is natted correctly.

__________________________________________________________________________________________

Best regards

Laurent

Hello

Just saw your message, I hope this isn't too late.

I don't know what your exact problem, but I think we can work through it to understand it.

One thing I noticed was that your NAT ACL is too general. You need to make it more

specific. In particular, you want to make sure that it does not match the coming of VPN traffic

in to / out of the router.

For example you should not really have one of these entries in your NAT translation table.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

Instead use:

Nat extended IP access list
deny ip any 192.168.0.0 0.0.255.255 connect
allow an ip
deny ip any any newspaper

If you can use:

Nat extended IP access list
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
IP 192.168.0.0 allow 0.0.255.255 everything
deny ip any any newspaper

Also, I would be very careful with the help of the "log" keyword in an ACL, NAT.

I saw problems.

What are the IOS versions do you use?

Try to make changes to the NAT so that you no longer see the entries of translation NAT

for packages of NAT - T (UDP 4500) in the table of translation NAT on the hub. It may be

This puts a flag on the package structure, that IOS Firewall and NAT is

pick up on and then do the wrong thing in this case.

If this does not work then let me know.

Maybe it's something for which you will need to open a TAC case so that we can

This debug directly on your installation.

Mike.

DMVPN and IPsec CLIENT?

Hello

I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?

To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.

Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?

My stitching question may be stupid, sorry for that, I'm still learning, and I love it

Here below the full work DMVPN + IPsec:

Best regards

Didier

ROUTER1841 #sh run

Building configuration...

Current configuration: 9037 bytes

!

! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin

! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin

!

version 12.4

horodateurs service debug datetime localtime

Log service timestamps datetime msec

encryption password service

!

hostname ROUTER1841

!

boot-start-marker

boot-end-marker

!

forest-meter operation of syslog messages

logging buffered 4096 notifications

enable password 7 05080F1C2243

!

AAA new-model

!

!

AAA authentication banner ^ C

THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS

^ C

AAA authentication login userauthen local

AAA authorization groupauthor LAN

!

!

AAA - the id of the joint session

clock time zone gmt + 1 1 schedule

clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00

dot11 syslog

no ip source route

!

!

No dhcp use connected vrf ip

DHCP excluded-address IP 192.168.10.1

DHCP excluded-address IP 192.168.20.1

DHCP excluded-address IP 192.168.30.1

DHCP excluded-address IP 192.168.100.1

IP dhcp excluded-address 192.168.1.250 192.168.1.254

!

IP dhcp pool vlan10

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.1

lease 5

!

IP dhcp pool vlan20

import all

network 192.168.20.0 255.255.255.0

router by default - 192.168.20.1

lease 5

!

IP dhcp pool vlan30

import all

network 192.168.30.0 255.255.255.0

default router 192.168.30.1

!

IP TEST dhcp pool

the host 192.168.100.20 255.255.255.0

0100.2241.353f.5e client identifier

!

internal IP dhcp pool

network 192.168.100.0 255.255.255.0

Server DNS 192.168.100.1

default router 192.168.100.1

!

IP dhcp pool vlan1

network 192.168.1.0 255.255.255.0

Server DNS 8.8.8.8

default router 192.168.1.1

lease 5

!

dhcp MAC IP pool

the host 192.168.10.50 255.255.255.0

0100.2312.1c0a.39 client identifier

!

IP PRINTER dhcp pool

the host 192.168.10.20 255.255.255.0

0100.242b.4d0c.5a client identifier

!

MLGW dhcp IP pool

the host 192.168.10.10 255.255.255.0

address material 0004.f301.58b3

!

pool of dhcp IP pc-vero

the host 192.168.10.68 255.255.255.0

0100.1d92.5982.24 client identifier

!

IP dhcp pool vlan245

import all

network 192.168.245.0 255.255.255.0

router by default - 192.168.245.1

!

dhcp VPN_ROUTER IP pool

0100.0f23.604d.a0 client identifier

!

dhcp QNAP_NAS IP pool

the host 192.168.10.100 255.255.255.0

0100.089b.ad17.8f client identifier

name of the client QNAP_NAS

!

!

IP cef

no ip bootp Server

IP domain name dri

host IP SW12 192.168.1.252

host IP SW24 192.168.1.251

IP host tftp 192.168.10.50

host IP of Router_A 192.168.10.5

host IP of Router_B 10.0.1.1

IP ddns update DynDNS method

HTTP

Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=

maximum interval 1 0 0 0

minimum interval 1 0 0 0

!

NTP 66.27.60.10 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Flow-Sampler-map mysampler1

Random mode one - out of 100

!

Crypto pki trustpoint TP-self-signed-2996752687

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 2996752687

revocation checking no

rsakeypair TP-self-signed-2996752687

!

!

VTP version 2

username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.

username cisco password 7 02050D 480809

Archives

The config log

hidekeys

!

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

!

ISAKMP crypto client configuration group 3000client

key cisco123

DNS 8.8.8.8

dri.eu field

pool VPNpool

ACL 150

!

!

Crypto ipsec transform-set strong esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Profile cisco ipsec crypto

define security-association life seconds 120

transformation-strong game

!

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

!

!

map clientmap client to authenticate crypto list userauthen

card crypto clientmap isakmp authorization list groupauthor

client configuration address map clientmap crypto answer

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

!

!

!

property intellectual ssh time 60

property intellectual ssh authentication-2 retries

IP port ssh 8096 Rotary 1

property intellectual ssh version 2

!

!

!

interface Loopback0

IP 192.66.66.66 255.255.255.0

!

interface Tunnel0

172.16.0.1 IP address 255.255.255.0

no ip redirection

IP mtu 1440

no ip next-hop-self eigrp 90

property intellectual PNDH authentication cisco123

dynamic multicast of IP PNDH map

PNDH network IP-1 id

No eigrp split horizon ip 90

source of tunnel FastEthernet0/0

multipoint gre tunnel mode

0 button on tunnel

Cisco ipsec protection tunnel profile

!

interface FastEthernet0/0

DMZ description

IP ddns update hostname mlgw.dyndns.info

IP ddns update DynDNS

DHCP IP address

no ip unreachable

no ip proxy-arp

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

interface FastEthernet0/0,241

Description VLAN 241

encapsulation dot1Q 241

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/0.245

encapsulation dot1Q 245

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/1

Description INTERNAL ETH - LAN$

IP 192.168.100.1 address 255.255.255.0

no ip proxy-arp

IP nat inside

IP virtual-reassembly

Shutdown

automatic duplex

automatic speed

!

interface FastEthernet0/0/0

switchport access vlan 10

spanning tree portfast

!

interface FastEthernet0/0/1

switchport access vlan 245

spanning tree portfast

!

interface FastEthernet0/0/2

switchport access vlan 30

spanning tree portfast

!

interface FastEthernet0/0/3

switchport mode trunk

!

interface Vlan1

IP address 192.168.1.250 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan10

IP 192.168.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan20

address 192.168.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Vlan30 interface

192.168.30.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan245

IP 192.168.245.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Router eigrp 90

network 172.16.0.0

network 192.168.10.0

No Auto-resume

!

IP pool local VPNpool 172.16.1.1 172.16.1.100

IP forward-Protocol ND

no ip address of the http server

local IP http authentication

IP http secure server

!

IP flow-cache timeout idle 130

IP flow-cache timeout active 20

cache IP flow-aggregation prefix

cache timeout idle 400

active cache expiration time 25

!

!

overload of IP nat inside source list 170 interface FastEthernet0/0

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 180 permit ip 192.168.10.0 0.0.0.255 any

not run cdp

!

!

!

route NAT allowed 10 map

corresponds to the IP 180

!

!

!

control plan

!

exec banner ^ C

WELCOME YOU ARE NOW LOGED IN

^ C

connection of the banner ^ C

WARNING!

IF YOU ARE NOT:

Didier Ribbens

Please leave NOW!

YOUR IP and MAC address will be LOGGED.

^ C

!

Line con 0

Speed 115200

line to 0

line vty 0 4

access-class 5

privilege level 15

Rotary 1

transport input telnet ssh

line vty 5 15

access-class 5

Rotary 1

!

Scheduler allocate 20000 1000

end

Didier,

Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.

https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).

If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.

With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)

Anyway let me know if you face any problems.

Marcin

I opened my laptop and I lit the charge then it shows connect to 65w adapter y at - it a problem with my charger?

I opened my laptop and I lit the charge then it shows connect to 65w adapter y at - it a problem with my charger?

I pressed the f1 key to continue, then my laptop recharges normally.

DMVPN and 861 routers

We have a few customers that tunnel using DMPVN with 831 & 851 routers. Recently, a new order was placed to add a user to an existing tunnel. As 851 routers are no longer available, we went with the model 861 and found that it doesn't have the PNDH in IOS. So how do this work now, and why PNDH is no longer in the last IOS? Seems stupid to not have when used by older models of routers which replaces the 861.

Hello

You are right, the 861 series routers do not support DMVPN (and I tend to agree with you that maybe it's not the smartest marketing decision). For advanced security feature support, such as DMVPN and GETVPN, you must use the routers of the 880 series with all ip services features advanced, see:

http://www.Cisco.com/en/us/prod/collateral/routers/ps380/qa_c67_458826.html

Thank you

Wen

VRF-lite, NAT and route-leak

Hello, community. I'm trying to reproduce the installation with two clients (R1 and R2) program, router PE (R3) and common services (R4).

Here is the configuration:

R1:

interface Loopback0

IP 10.10.1.1 255.255.255.255

!

interface FastEthernet1/0

192.168.15.1 IP address 255.255.255.0

!

IP route 0.0.0.0 0.0.0.0 192.168.15.5

R2:

interface Loopback0

10.10.2.2 IP address 255.255.255.255

!

interface FastEthernet1/0

IP 192.168.16.1 255.255.255.192

!

IP route 0.0.0.0 0.0.0.0 192.168.16.5

R3:

IP vrf VRF1

RD 1:1

export of road-objective 1:1

import of course-target 1:1

!

IP vrf VRF2

Rd 2:2

Route target export 2:2

import of course-target 2:2

!

interface FastEthernet0/0

R1 description

IP vrf forwarding VRF1

IP 192.168.15.5 255.255.255.192

IP nat inside

IP virtual-reassembly

!

interface FastEthernet0/1

R2 description

IP vrf forwarding VRF2

IP 192.168.16.5 255.255.255.192

IP nat inside

IP virtual-reassembly

!

interface FastEthernet1/0

R4 description

IP 1.1.1.1 255.255.255.0

NAT outside IP

IP virtual-reassembly

!

IP route 0.0.0.0 0.0.0.0 1.1.1.2

IP route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 overall 1.1.1.2

IP route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1

IP route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 overall 1.1.1.2

IP route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1

!

IP nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload

VRF2 of the IP nat inside source list 16 interface FastEthernet1/0 vrf, overload

!

access-list 15 allow 192.0.0.0 0.255.255.255

access-list 15 allow 10.10.0.0 0.0.255.255

access-list 16 allow 192.0.0.0 0.255.255.255

access-list 16 allow 10.10.0.0 0.0.255.255

R4:

interface Loopback0

IP 10.10.10.10 address 255.255.255.255

!

interface FastEthernet0/0

1.1.1.2 IP 255.255.255.0

!

IP route 0.0.0.0 0.0.0.0 1.1.1.1

The configuration is not operational.

R1 #ping 192.168.15.5

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.15.5, wait time is 2 seconds:

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 68/89/116 ms

R1 #ping 192.168.15.5 source l0

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.15.5, wait time is 2 seconds:

Packet sent with the address 10.10.1.1 source

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 68/86/92 ms

R1 #ping 1.1.1.1 source l0

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes of 1.1.1.1, time-out is 2 seconds:

Packet sent with the address 10.10.1.1 source

.!!!!

Success rate is 80% (4/5), round-trip min/avg/max = 292/357/400 ms

R1 #ping 1.1.1.2 source l0

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 1.1.1.2, time-out is 2 seconds:

Packet sent with the address 10.10.1.1 source

.!!!!

Success rate is 80% (4/5), round-trip min/avg/max = 216/187/160 ms

R1 #ping 10.10.10.10 source l0

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes of 10.10.10.10, time-out is 2 seconds:

Packet sent with the address 10.10.1.1 source

.....

Success rate is 0% (0/5)

I can't ping R4 loopback address ("shared resource" or also known as the "common service")

It is the same with R2 (second customer).

But I can still ping loopback R4 of R3:

R3 #ping 10.10.10.10

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes of 10.10.10.10, time-out is 2 seconds:

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 40/88/116 ms

It's the routing on R3 table:

R3 #sh ip road | start the gateway

Gateway of last resort is 1.1.1.2 network 0.0.0.0

1.0.0.0/24 is divided into subnets, subnets 1

C 1.1.1.0 is directly connected, FastEthernet1/0

S * 0.0.0.0/0 [1/0] via 1.1.1.2

R3 #sh ip route vrf VRF1 | start the gateway

Gateway of last resort is 1.1.1.2 network 0.0.0.0

192.168.15.0/26 is divided into subnets, subnets 1

C 192.168.15.0 is directly connected, FastEthernet0/0

10.0.0.0/16 is divided into subnets, subnets 1

S 10.10.0.0 [1/0] via 192.168.15.1

S * 0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

R3 #sh ip route vrf VRF2 | start the gateway

Gateway of last resort is 1.1.1.2 network 0.0.0.0

10.0.0.0/16 is divided into subnets, subnets 1

S 10.10.0.0 [1/0] via 192.168.16.1

192.168.16.0/26 is divided into subnets, subnets 1

C 192.168.16.0 is directly connected, FastEthernet0/1

S * 0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

So the question is what is the cause of the problem? How to troubleshoot? What is the troubleshooting steps?

Hi Eugene Khabarov

His does not work since the address IP of Destination that represents common Services is be routed locally to the THIS itself. That's the problem here. We must ensure that the Destination subnet is not pointing to what is happening here.

R4:

interface Loopback0

IP 10.10.10.10 address 255.255.255.255

!

R3-VRF1

S 10.10.0.0 [1/0] via 192.168.15.1

Concerning

Verdier

DMVPN with VRF (redistribution a road by default via VRF)

Hi all

I was testing a DMVPN configuration so that users with POLES surfing the Internet on the Internet portal of the HUB. The SPOKE1PN is able to ping all internal IP addresses and route determination agrees. When he reached out to the Internet (HUB_INTGW) gateway, pings are okay, but traceroute requests time out. I was wondering if anyone has an idea. Here's my topology.

Basically, if SPOKE1PN pings to the Internet, it goes to SPOKE1, HUB1 via tu0, HUB1_INTGW and it gets overloaded NAT.

QUESTION (OK, TRACEROUTE DROPS AFTER OVERLOADED NAT PINGS)

SPOKE1PN #ping 202.0.0.2 rep 88

Type to abort escape sequence.

88, echoes ICMP 100 bytes to 202.0.0.2 sending, time-out is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!

Success rate is 100 per cent (88/88), round-trip min/avg/max = 144/211/328 ms

SPOKE1PN #traceroute 202.0.0.2

Type to abort escape sequence.

The route to 202.0.0.2

1 192.168.1.1 88 MS 64 ms 16 ms

2 172.14.1.1 164 MS 92 MS 128 ms

3 10.1.0.254 152 MS 124 MS ms 116

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

13 * * *

14 * * *

15 * * *

16 * * *

17 * * *

18 * * *

19 * * *

20 * * *

21 * * *

22 * * *

23 * * *

24 * * *

25 * * *

26 * * *

27 * * *

28 * * *

29 * * *

30 * * *

SPOKE1

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname SPOKE1

!

boot-start-marker

boot-end-marker

!

!

No aaa new-model

memory iomem size 5

IP cef

!

IP vrf DMVPN

RD 1:1

!

crypto ISAKMP policy 1

BA aes 256

md5 hash

preshared authentication

Group 5

address key crypto isakmp 0.0.0.0 @ngelam1chell3r1c 0.0.0.0

ISAKMP crypto keepalive 60 periodicals

!

Crypto ipsec transform-set SET1 IPSEC ah-md5-hmac esp - aes

!

Profile of crypto ipsec DMVPN

game of transformation-IPSEC-SET1

!

interface Tunnel0

IP vrf forwarding DMVPN

IP 172.14.1.2 255.255.255.0

no ip redirection

IP mtu 1416

property intellectual PNDH authentication cisco123

property intellectual PNDH card 172.14.1.1 200.0.0.2

map of PNDH IP multicast 200.0.0.2

property intellectual PNDH card 172.14.1.254 200.0.1.2

map of PNDH IP multicast 200.0.1.2

PNDH id network IP-99

property intellectual PNDH nhs 172.14.1.1

property intellectual PNDH nhs 172.14.1.254

source of tunnel FastEthernet0/1

multipoint gre tunnel mode

tunnel key 999

Protection ipsec DMVPN tunnel profile

!

interface FastEthernet0/0

IP vrf forwarding DMVPN

IP 192.168.1.1 255.255.255.0

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 201.0.0.2 255.255.255.240

Speed 100

full-duplex

!

Router eigrp 1

Auto-resume

!

address ipv4 vrf DMVPN family

redistribute connected

network 172.14.1.0 0.0.0.255

network 192.168.1.0

No Auto-resume

autonomous system of-1

output-address-family

!

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 201.0.0.1

!

no ip address of the http server

no ip http secure server

!

control plan

!

Line con 0

line to 0

line vty 0 4

!

end

HUB1

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname HUB1

!

boot-start-marker

boot-end-marker

!

No aaa new-model

memory iomem size 5

IP cef

!

IP vrf DMVPN

RD 1:1

!

crypto ISAKMP policy 1

BA aes 256

md5 hash

preshared authentication

Group 5

address key crypto isakmp 0.0.0.0 @ngelam1chell3r1c 0.0.0.0

ISAKMP crypto keepalive 60

!

Crypto ipsec transform-set SET1 IPSEC ah-md5-hmac esp - aes

No encryption ipsec nat-transparency udp-program

!

Profile of crypto ipsec DMVPN

game of transformation-IPSEC-SET1

!

interface Tunnel0

IP vrf forwarding DMVPN

IP 172.14.1.1 255.255.255.0

no ip redirection

IP mtu 1416

property intellectual PNDH authentication cisco123

dynamic multicast of IP PNDH map

PNDH id network IP-99

source of tunnel FastEthernet0/1

multipoint gre tunnel mode

tunnel key 999

Protection ipsec DMVPN tunnel profile

!

interface FastEthernet0/0

IP vrf forwarding DMVPN

IP 10.1.0.1 255.255.255.0

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 200.0.0.2 255.255.255.240

Speed 100

full-duplex

!

Router eigrp 1

Auto-resume

!

address ipv4 vrf DMVPN family

redistribute connected

redistribute static

Network 10.1.0.0 0.0.0.255

network 172.14.1.0 0.0.0.255

No Auto-resume

autonomous system of-1

output-address-family

!

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 200.0.0.1

IP route vrf DMVPN 0.0.0.0 0.0.0.0 10.1.0.254

!

no ip address of the http server

no ip http secure server

!

control plan

!

Line con 0

line to 0

line vty 0 4

!

end

HUB1_INTGW

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname HUB1_INTGW

!

boot-start-marker

boot-end-marker

!

No aaa new-model

memory iomem size 5

IP cef

!

no ip domain search

!

Authenticated MultiLink bundle-name Panel

!

Archives

The config log

hidekeys

!

interface FastEthernet0/0

IP 10.1.0.254 255.255.255.0

IP nat inside

IP virtual-reassembly

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 200.0.1.2 255.255.255.240

NAT outside IP

IP virtual-reassembly

Speed 100

full-duplex

!

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 200.0.1.1

IP route 192.168.1.0 255.255.255.0 10.1.0.1

!

no ip address of the http server

no ip http secure server

overload of IP nat inside source list ACL_NATOVERLOAD interface FastEthernet0/1

!

IP access-list standard ACL_NATOVERLOAD

permit 10.1.0.0 0.0.0.255

permit 192.168.1.0 0.0.0.255

permit 172.14.1.0 0.0.0.255

!

control plan

!

Line con 0

exec-timeout 0 0

Synchronous recording

line to 0

line vty 0 4

!

end

Desmon,

If the works of ping I can bet you that it's a problem of how ICMP unreachable it will be via NAT (PAT in fact) in response to UDP with expired TTL.

Can you do a static NAT on HUB1_INTGW to the IP test and you should see a difference... BTW the debug ip packet is your friend, try it :-) on INTGW and INT_RTR

Marcin

I changed the batteries AA and CR1200 battery and the lite on screen keeps flashing?

Can not stop flashing battery lite on camera, changed all THE batteries?

It could be dirty, tarnished spring contacts would be a better term.

You did not say what brand of batteries you use this "could" play a role too because you get variations in the nozzle at the top but not to the actual body size may be different... all we need is a current reduced flow caused by a bad contact be loses fitting or tranished because he would become so resistive causing a voltage drop of contact acorss.

If you use a strange mark sounding or 'El cheapos' might I suggest trying something like Duracell - I use them in my Canon A650IS and they seem to last much longer than the others, I tried.

It takes the contacts should be cleaned somehow. For electrical contacts cleaning, I use a brush fiberglass in the form of a pen, a couple of swirls round is what it takes against the contacts.

A bad battery brand could also create this problem would be unable to provide the necessary power.

Dave

IKEv2 with NAT - T and VRF (FlexVPN)

Hello

I'm trying to get it works and the IOS debugging commands show nothing.

Spoke1

======

Keyring cryptographic ikev2 LAN-to-LAN

peer HUB

address of the identity 93.174.221.254

pre-shared key local TEST

pre-shared key remote TSET

!

Profile of ikev2 crypto IPSEC_IKEv2

match one address remote identity 93.174.221.254 255.255.255.255

identity local fqdn spoke1.domain.com

sharing front of remote authentication

sharing of local meadow of authentication

door-key local LAN-to-LAN

!

Crypto ipsec transform-set ESP-TUNNEL esp - aes esp-sha-hmac

tunnel mode

!

Crypto ipsec IPSEC profile

game of transformation-ESP-TUNNEL

IPSEC_IKEv2 Set ikev2-profile

!

interface tunnels2

Description VTI2 | CUSTOMER2

VRF forwarding CUSTOMER2

Unnumbered IP Loopback2

source of Dialer1 tunnel

ipv4 ipsec tunnel mode

tunnel destination 93.174.221.254

tunnel path-mtu-discovery

Ipsec IPSEC protection tunnel profile

!

interface Loopback2

VRF forwarding CUSTOMER2

10.47.255.1 the IP 255.255.255.255

!

interface Dialer1

IP address negotiated

!

HUB

====

Keyring cryptographic ikev2 LAN-to-LAN

spoke1.domain.com peer

identity domain name full spoke1.domain.com

pre-shared key local TSET

Remote pre-shared key TEST

!

Profile of ikev2 crypto IPSEC_IKEv2

match identity fqdn remote spoke1.domain.com

address local identity 93.174.221.254

sharing front of remote authentication

sharing of local meadow of authentication

door-key local LAN-to-LAN

virtual-model 2

!

Crypto ipsec transform-set ESP-TUNNEL esp - aes esp-sha-hmac

tunnel mode

!

Crypto ipsec IPSEC profile

game of transformation-ESP-TUNNEL

IPSEC_IKEv2 Set ikev2-profile

!

tunnel type of interface virtual-Template2

Description VTI2 | CUSTOMER2

VRF forwarding CUSTOMER2

Unnumbered IP Loopback2

source of Loopback254 tunnel

ipv4 ipsec tunnel mode

tunnel path-mtu-discovery

Ipsec IPSEC protection tunnel profile

!

interface Loopback2

VRF forwarding CUSTOMER2

10.47.255.252 the IP 255.255.255.255

!

interface Loopback254

93.174.221.254 the IP 255.255.255.255

!

-----

The ray can do anything on the internet, including the face address public hub 93.174.221.254 ping, but the tunnel is not started. Each end is running RIPv2 under the context of 'CUSTOMER2' with 'network 10.0.0.0' and no Auto-resume. Static routes do not seem to kick in life either. Any help would be appreciated, thanks.

[Cool!;]

Don't forget that a similar logic applies to the talk of talk communication. know what address IP/identity should I put as the identity of the peer in the Keyring? :-)

DMVPN and active directory (logon)

Hi all

We have a DMVPN configuration between a few sites and everything seems fine, except that the logons through the VPN for a new domain active directory are very slow (10-15 minutes). I believe that the problem may be with the fragmentation of tunnel and packages such as AD is configured correctly.

I am looking for some recommendations or advice on the MTU and TCP MSS settings see if it solves the problem.

both the hub and the spokes are currently with the following settings MTU and MSS (ive removed some irrelevant information) Tunnel0 was originally a mtu of 1440 but if whatever it is 1400 is even worse.

Thank you

interface Tunnel0

IP 1400 MTU

IP nat inside

authentication of the PNDH IP SP1

dynamic multicast of IP PNDH map

PNDH network IP-1 id

IP virtual-reassembly in

No cutting of the ip horizon

source of Dialer0 tunnel

multipoint gre tunnel mode

0 button on tunnel

Profile of ipsec protection tunnel 1

interface Dialer0

MTU 1492

the negotiated IP address

NAT outside IP

IP virtual-reassembly in

encapsulation ppp

IP tcp adjust-mss 1452

Dialer pool 1

Dialer-Group 1

Darren,

In general the prolem is due to Kerberos on UDP traffic.

There are several ways you can solve the problem:

(1) transition to Kerberos over TCP. (suggested)

(2) setting the MSS on the interface of tunnel not on telephone transmitter (recommended)

(3) allowing the PMTUD tunnel (strongly recommended).

M.

Cisco 1941 DMVPN and Ipsec

Hello

You start to replace all of our ISA Server with with DMVPN cisco routers. So far, we are happy with everything, but I ran into a problem. I've just set up one of our agencies and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet. The problem I have is that as soon as I associate an ipsec site-to-site VPN on the router, the DMVPN drops.

I create the Ipsec VPN:

map VPN_Crypto 1 ipsec-isakmp crypto

game of transformation-ESP-3DES-SHA

the value of aa.aa.aa.aa peer

match address 103 (where address is allow remote local IP subnet the IP subnet)

and everything works fine. As soon as I do the following:

interface GigabitEthernet0/1

card crypto VPN_Crypto

The DMVPN drops. If I can connect to and run:

interface GigabitEthernet0/1

No crypto card

The DMVPN happens immediately.

What could I do it wrong? Here is the config for the Tunnel0 DMVPN tunnel:

interface Tunnel0

bandwidth 1000

192.168.10.31 IP address 255.255.255.0

no ip redirection

IP 1400 MTU

authentication of the PNDH IP DMVPN_NW

map of PNDH IP xx.xx.xx.xx multicast

property intellectual PNDH card 192.168.10.10 xx.xx.xx.xx

PNDH id network IP-100000

property intellectual PNDH holdtime 360

property intellectual PNDH nhs 192.168.10.10

dmvpn-safe area of Member's area

IP tcp adjust-mss 1360

delay of 1000

source of tunnel GigabitEthernet0/1

multipoint gre tunnel mode

tunnel key 100000

Tunnel CiscoCP_Profile1 ipsec protection profile

If you need anything else the config for help just let me know. Our main site router, I had no problem with him being the DMVPN hub and also having a handful of Ipsec VPN set up on it well. I appreciate a lot of help, I really need to get both of these tunnels running simultaneously as soon as possible.

Yes, but I don't see anything looking for strange (well, configs generated by CCP always sound strange...).

Maybe you run into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I have to. You can try 15.0 (1) M8 and see if it works.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Decision on DMVPN and L2L simple IPsec tunnels

I have a project where I need to make a decision on which solution to implement... environment is as follows...
- 4 branches.
- Each branch has 2 subnets; one for DATA and another for VOICE
- 2 ISPS in each (an Internet access provider and a provider of MPLS)
- Branch #1 isn't necessarily the HUB office that all database servers and files are there are
- Branch #2 is actually where the phone equipment
- Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
- MPLS is currently used for telephone traffic.
- ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
- I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.
My #1 Option

Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

My #2 Option

My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

Thanks in advance

Hi ciscobigcat

Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

QoS, it is important to use "prior qos rank".

See for example

http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

HTH

Herbert

Captivate and Flash lite 2.1 for Mobile
Hi, I need to view a SWF file in my Intermec CN3 HH, but when I try to do that, visualization is not good, I installed Adobe flash lite 2.1 and 7 MFlashPlayer to view my SWF, but does not work, do I still have another program?, or what can I do?, I exported this compatible with Flash 7 SWF file from Captivate 3 I need to make it compatible with flash lite 2.1, do I have to export to Flash CS3 and export and then from there to flash lite 2.1?, thank you.

> Hi, I need to view a SWF file in my Intermec CN3 HH, but when I try
> do
> that visualization is not good, I installed Adobe flash lite 2.1 and
> 7 MFlashPlayer to view my SWF, but is not working, do I still need
> another
> program?, or what can I do?, I exported the SWF file from Captivate 3
> compatible with Flash 7, I need to make it compatible with flash lite
> 2.1,
> do I need to export to Flash CS3 and export and then from there to flash lite
> 2.1?, thank you.

See if this helps:-

http://www.Adobe.com/devnet/Captivate/articles/mobile_captivate.html

There are several things to Captivate 2 which are not viewable in Flash Lite.
The article above should help you to create a project file that can be accessed
on your mobile devices.

Steve

--
Adobe Community Expert: Devices, Mobile Flash and Authorware
http://www.magnoliamultimedia.com

You must go to MAX - http://adobemax2007.com/na/

Tecra M5 - fan is noisy and constantly lit

I have a new Tecra M5, to replace a M400... The M400 at first had a very noisy fan but Toshiba provided an update of the BIOS to reduce, which was good!

The M5 does not have this luxury, the fan is constantly on and I know that the goal is to keep cool.
But I know from experience we Shouldna´t have to be this strong. Someone at - it experience the same problems or know of a fix?

Powersaver tool does not appear to reduce this and I noticed that the two options is grayed out and disabled now.

Hello

> The tool powersaver doesn t seem to reduce ve all and I noticed that the two options is grayed out and disabled now
What options are just grayed out?

I just read your first thread on the wrong BIOS update. It seems that you have updated the wrong BIOS on your laptop. Am I wrong?
Have you noticed this fan behavior before update BIOS?

DMVPN and VRF Lite

Similar Questions

Maybe you are looking for