several dynamic static IP as a single, GRE tunnels

Hello

I worked 10 years ago as a network engineer, where I used a lot of Cisco products; I eventually changed jobs completely.

But ten years later, I have launched a new project where I really need my old network skills... The problem is that I don't remember anything of what I learned 10 years ago, so right now I'm looking at my old CCIE books to see how to define Ethernet interfaces in IOS! I'm really not proud.

I found an old 1841 router that I want to use as a simple GRE VPN concentrator for three third-party Ethernet/3G bridges with GRE capability.

My 1841 is installed in the DMZ of a DSL modem/router with a static IP address. The third-party terminals connect to the GSM/EDGE/3G network and get a dynamic IP on each new connection.

I just want these 3G bridges to be reachable with local IP addresses on my LAN; security is not critical for this first step.

I have a very good book of 1000 pages learn more about Cisco's VPN IPsec settings to achieve a purpose...

Your help would be very comforting...

I don't know that it's like riding a bike... I need someone to get me started and everything will come back as clear as water

Kind regards

Amaury

Attachment: screenshot of the Ethernet/3G GRE bridge configuration

Amaury,

The problem with GRE is that both the local and the remote endpoint need a static IP; otherwise pure GRE is not able to send traffic.

What we have in the Cisco world is mGRE (multipoint GRE), which resolves the dynamic endpoint IP problem through the NHRP registration process.

That being said, I think you're more likely to succeed in these conditions by using IPSec LAN-to-LAN with a dynamic crypto map.

In other words, if I understand what you try to do exactly ;-)

Marcin

Tags: Cisco Security

Similar Questions

  • Help with dynamic static L2L

    I'm having some trouble with an L2L tunnel where the remote end has a DHCP address on the external interface. This is a WRVS4400N Wireless-N Gigabit Security Router with VPN, and I am locked into a particular configuration on that end.  My end is an ASA5540, which must accept a dynamic connection, and I can do everything I need to on it to get this up and running...

    Remote endpoint in Rome

    192.168.252.0/24 is the inside network and must be able to talk to 192.168.240.0/24, 192.168.241.0/24 and 192.168.242.0/24 on my end

    IPSec setup in Rome, which cannot be changed:

    IKE with preshared key

    Phase 1: 3DES, MD5, DH 2, lifetime 86400

    Phase 2: 3DES, MD5, PFS enabled, DH 2, lifetime 28800, pre-shared key XXXXX

    On my end, I have the exemption ACL and NAT correct... I can actually treat the current remote outside IP as static and bring the tunnel up without problem.  My problem is getting the dynamic crypto correct.

    Here is what I currently have (or should I say have configured previously) on the ASA as far as the dynamic crypto goes:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
    crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    Therefore my isakmp policy 5 is my phase 1 set.  My ESP-3DES-MD5 transform set corresponds to my phase 2 encryption/authentication requirement...

    I think that all I'm missing is a way to match the PFS and DH 2 for phase 2?

    And since my ACL is named Rome, must my tunnel-group be named Rome as well?

    Thank you.

    I don't think that we can have several dynamic IP counterparts use diff pre-shared in these settings.

    -

    Sourav

  • Unique event for several dynamic buttons

    I want to use a single event listener function to manage several dynamically created movie clips, each movie clip triggering a different response. I am pulling information from an XML file, which will in turn create x movie clips for the information found. Each movie clip would be clickable, and each would have a unique result. For the sake of argument: each dynamically created movie clip would trace its name when you click on it.

    demoX.addEventListener(MouseEvent.CLICK, traceName);
    demoY.addEventListener(MouseEvent.CLICK, traceName);
    demoZ.addEventListener(MouseEvent.CLICK, traceName);
    function traceName(event:MouseEvent):void {
        trace(/*?*/); // should trace "demoX" or "demoY" or "demoZ" respectively
    }

    I guess I need to create my clip dynamically and then dynamically create an event listener for it. But then I don't know how I would have access to information that the user has clicked. I could be away from the base. I did this sort of thing with AS2 (and maybe my method was not quite at the level of standards,) but I can of course find a way to do this in AS3. Any help would be appreciated.

    Thank you!

    the event.currentTarget will return the released movieclip. You can add any property/value you want (for example, a name property) your movieclip buttons. This property is accessible via event.currentTarget.yourProperty (for example, event.currentTarget.name) in traceName().

  • Is it possible to combine dynamic & static queries in the ref cursor?

    Hi all

    I was wondering if it is possible to combine dynamic & static queries in the ref-cursor?
    CREATE OR REPLACE FUNCTION dynamic_static_kk
       RETURN sys_refcursor
    AS
       o_cursor   sys_refcursor;
    BEGIN
      open 'select 1 fom dual'
           union
           select 2 from dual;
    
       RETURN o_cursor;
    END;
    In the existing code, the two parts of the query are static, but I need to improve & replacement of part would do the trick.

    So, I was wondering if it is possible to keep the static part 2. Of course, do both dynamic parts seems the only possible treatment for me.

    So, I was wondering if it is possible to keep the static part 2.

    No, you can't.

    Of course, do both dynamic parts seems the only possible treatment for me.

    Yes, it's the only way.

  • An interface of multipoint GRE tunnel on two physical interfaces?

    Hi all

    I use a dual-hub, single-cloud DMVPN network.

    Our spokes (C831 ISR) are connected to a dynamic DHCP ISP and a dynamic PPPoE ISP.  I want to build a temporary kit that fits anywhere.  Here is the configuration of my tunnel for the PPPoE ISP:

    interface Tunnel0
     bandwidth 1000
     ip address 172.23.2.254 255.255.252.0
     no ip redirects
     ip mtu 1436
     ip nhrp authentication xxxxxx
     ip nhrp map 172.16.0.1 230.2.2.1
     ip nhrp map multicast 230.2.2.1
     ip nhrp map 172.16.0.2 230.2.2.2
     ip nhrp map multicast 230.2.2.1
     ip nhrp network-id 900001
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.0.1
     ip nhrp nhs 172.16.0.2
     delay 1000
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key xxxxxx
     tunnel protection ipsec profile MyIPSecProf

    For my DHCP ISP, I only change the tunnel source to Ethernet1.

    Is it possible to configure 2 different tunnel interfaces bound to 2 physical interfaces (like: 1 on Ethernet1 and 1 on Dialer1)?  The challenge is that I cannot change the configuration of the hubs at all.  So I can't put the IP addresses of the tunnels in 2 different subnets.  There is only 1 tunnel interface on the hub.

    Someone has an idea?

    Thank you very much

    Yes, I see it now. Unnumbered IP will provide the interface to the MTR and tunnel interface you have is point-to-multipoint. I'm afraid that there is no good solution to your needs.

    Kind regards

    Lei Tian

  • Significant decline in performance on the GRE tunnel after using cryptographic protection

    Hi all

    I have two ISR G1 routers (1811 and 1812) that have a GRE tunnel between them.

    Without any crypto protection I get about 3.6 MB/s in regular Windows SMB transfers. After enabling crypto protection on the tunnel I now get only 2.7 MB/s on the same transfers.

    Any idea as to why this is?

    My findings:
    According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto throughput of the 1800 (fixed) series is 40 MB/s.
    The added overhead of crypto protection shouldn't be the problem: I tested transfers over the tunnel without protection and with 'ip tcp adjust-mss 800' on the tunnel. There was only a small performance drop there, not as much as with the crypto.
    I tried several crypto transform sets; they all give the same performance as long as they are done in hardware.
    Is ISAKMP always done in software? I can't get it to show that it is done in hardware, regardless of the isakmp policy.

    IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.

    My config:

    crypto isakmp policy 10
     encr aes 256
     hash sha512
     authentication pre-share
     group 20
    crypto isakmp key * address *
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile VPN
     set transform-set ESP-AES256-SHA
    !
    interface Tunnel10
     ip address 10.251.251.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     load-interval 30
     tunnel source FastEthernet0
     tunnel destination *
     tunnel path-mtu-discovery
     tunnel protection ipsec profile VPN
    !

    Output:

    ISR1811#sh crypto ipsec sa

    interface: Tunnel10
        Crypto map tag: Tunnel10-head-0, local addr *

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
       current_peer * port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 683060, #pkts encrypt: 683060, #pkts digest: 683060
        #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts verify: 1227247
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: *, remote crypto endpt.: ***
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x8D9A911E(2375717150)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0xD6F42959(3606325593)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel10-head-0
            sa timing: remaining key lifetime (k/sec): (4563208/1061)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x8D9A911E(2375717150)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel10-head-0
            sa timing: remaining key lifetime (k/sec): (4563239/1061)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    ISR1811#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           T - cTCP encapsulation, X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption
    IPv4 Crypto ISAKMP SA

    C-id  Local  Remote  I-VRF  Status Encr Hash Auth DH Lifetime Cap.

    2015  *  *  ACTIVE aes  sha5 psk  20 12:42:50
           Engine-id:Conn-id =  SW:15
    2016  *  *  ACTIVE aes  sha5 psk  20 12:42:58
           Engine-id:Conn-id =  SW:16

    IPv6 Crypto ISAKMP SA

    CPU usage during the transfer with crypto:

    ISR1811#sh proc cpu history

    ISR1811 09:19:54 Tuesday Sep 2 2014 THIS

    544444555555555544444444445555544444555556666644444555555555
    355555000001111133333888884444444444333333333377777666662222
    100
    90
    80
    70
    60                                          *****     *****
    50 ****************     **********     ************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    ISR1812 #sh proc cpu history

    ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS

    666666666666666666666666666666666666666666655555444445555544
    777888883333344444555555555566666777770000055555777776666666
    100
    90
    80
    70 ********          ********************
    60 ************************************************     *****
    50 ************************************************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    I think that this performance is what you should expect from the legacy 18xx ISR G1. But the performance degradation is perhaps really a little too high.

    For ISAKMP, there is no problem with that. The amount of protected data is too small to have any influence.

    As a first test, I would remove the GRE encapsulation by setting "tunnel mode ipsec ipv4" on the tunnel interface and compare whether the results improve.
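The IP MTU of 1434 reported in this thread can be reproduced from the ESP framing. The following is an added example, not part of the original posts: it computes the largest inner packet that fits GRE over ESP for the transform quoted above (AES-CBC with HMAC-SHA1-96, path MTU 1500). The function and constant names are hypothetical, and a 4-byte GRE header (no tunnel key) is assumed.

```python
"""Added example: MTU budget for GRE protected by ESP (IPv4)."""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspTransform:
    name: str
    block_size: int  # ciphertext is padded to a multiple of this
    iv_size: int     # per-packet IV carried in clear
    icv_size: int    # truncated HMAC appended to the packet


# Sizes for the two transform sets that appear on this page.
AES_CBC_SHA1 = EspTransform("esp-aes 256 esp-sha-hmac", 16, 16, 12)
TDES_CBC_MD5 = EspTransform("esp-3des esp-md5-hmac", 8, 8, 12)


def esp_packet_size(inner_len, t, gre_header=4, tunnel_mode=False):
    """On-wire IPv4 length of an inner packet after GRE and ESP are added."""
    plaintext = gre_header + inner_len
    if tunnel_mode:
        # In tunnel mode the GRE delivery IP header is encrypted as well.
        plaintext += IPV4_HEADER
    padded = -(-(plaintext + ESP_TRAILER) // t.block_size) * t.block_size
    return IPV4_HEADER + ESP_HEADER + t.iv_size + padded + t.icv_size


def max_inner_mtu(path_mtu, t, gre_header=4, tunnel_mode=False):
    """Largest inner IP packet that is not fragmented after encapsulation."""
    room = path_mtu - IPV4_HEADER - ESP_HEADER - t.iv_size - t.icv_size
    room -= room % t.block_size  # only whole cipher blocks fit
    inner = room - ESP_TRAILER - gre_header
    if tunnel_mode:
        inner -= IPV4_HEADER
    return inner


def max_tcp_mss(path_mtu, t, gre_header=4, tunnel_mode=False):
    """Largest TCP MSS whose full-size segments still fit the inner MTU."""
    inner = max_inner_mtu(path_mtu, t, gre_header, tunnel_mode)
    return inner - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for mode in (False, True):
        label = "tunnel" if mode else "transport"
        mtu = max_inner_mtu(1500, AES_CBC_SHA1, tunnel_mode=mode)
        mss = max_tcp_mss(1500, AES_CBC_SHA1, tunnel_mode=mode)
        wire = esp_packet_size(mtu, AES_CBC_SHA1, tunnel_mode=mode)
        print(f"{label:9s} inner MTU {mtu}  MSS {mss}  on-wire {wire}")
    # One byte more than the limit costs a whole extra cipher block.
    print("1435-byte inner packet on the wire:",
          esp_packet_size(1435, AES_CBC_SHA1))
```

In transport mode the result is 1434, matching the IP MTU the router reports. An inner packet one byte larger pads out to a further AES block and exceeds 1500 bytes on the wire.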

  • IP route command in GRE tunnel

    Hello world

    I have set up a GRE lab between routers R1 and R3.

    R1 is connected to R2 using OSPF and R2 is connected to R3 using OSPF.

    I have configured a GRE tunnel interface on R1 and R3.

    R1 has an internal subnet, say 100.x.x.x.x, to share with R3.

    R3 has an internal LAN subnet, say 101.x.x.x.x, to share with R1.

    Interesting traffic through the GRE tunnel is the subnets 100.x.x.x and 101.x.x.x.x.

    R1 tunnel config

    R1#sh run int tunnel 0
    Building configuration...

    Current configuration : 168 bytes
    !
    interface Tunnel0
     ip address 13.13.13.1 255.255.255.0
     keepalive 3
     cdp enable
     tunnel source Loopback0
     tunnel destination 20.0.0.1
     tunnel path-mtu-discovery

    R3 tunnel config

    R3#sh run int tunnel 0
    Building configuration...

    Current configuration : 158 bytes
    !
    interface Tunnel0
     ip address 13.13.13.3 255.255.255.0
     keepalive 3 1
     tunnel source Loopback0
     tunnel destination 10.0.0.1
     tunnel path-mtu-discovery

    So my question is: instead of using routing protocols to advertise the LAN subnets of R1 and R3, can static routes be used?

    For example, if I use static routes, say on R1

    ip route 101.101.101.101 255.255.255 ?

    What should the next hop IP be here?

    The tunnel interface of router R3, or the physical interface of R3 which connects to R2?

    Then I can use static routes on R3 the same way, right?

    Thank you

    Mahesh

    Hello Manu,

    You can use the IP address, as long as the tunnel IP addresses on both sides are in the same subnet. So in your case, you can use

    !
    ip route 101.101.101.101 255.255.255 13.13.13.3
    !

    Or you can use the tunnel interface

    !
    ip route 101.101.101.101 255.255.255 Tunnel0
    !

    Although I have seen problems in some cases when the tunnel interface name is used instead of the IP.

    Please rate this post if helpful.

    Thank you

    André

  • Using Gre Tunnel between devices on the same LAN

    Hello world

    When do we need to use a GRE tunnel on the same side, meaning between 2 devices on the same LAN?

    What is the advantage of using a GRE tunnel on a LAN?

    Thank you

    MAhesh

    In general, a GRE tunnel is not used on the same side/network.

    It serves to connect 2 networks and to pass traffic between them.

    The advantage of GRE is that it can participate in routing protocols, so the path becomes one hop through the tunnel instead of several hops across different devices. GRE is also used to tunnel traffic that is not natively supported by the devices in between, where that unsupported traffic type could not otherwise pass through.

  • The GRE Tunnel descends?

    So here's my setup:

    Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

    Internal Cluster ASA a configured PAT production internal then all the VLANS.

    The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

    The external control point is configured with NAT for the incoming and outgoing traffic.

    The branch is a DSL router with a static IP address.

    The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

    The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

    The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

    I configured a GRE over IPSec tunnel between the router in the DMZ and routers of Management Office successfully.

    I can also set up a GRE tunnel (without IPSec) between the internal router and the router in the DMZ.

    However, whenever the GRE tunnel between the internal and DMZ routers is established and an EIGRP neighbor forms, the EIGRP neighborship between the router in the DMZ and the branch drops! See the following log from the DMZ router:

    Tunnel1 = tunnel to branch

    Tunnel100 = tunnel to internal

    002885: .Mar  3 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
    002886: .Mar  3 22:33:06.029: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
    002889: .Mar  3 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
    002890: .Mar  3 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
    002891: .Mar  3 22:34:15.370: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
    002892: .Mar  3 22:34:30.551: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
    002893: .Mar  3 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

    The IPSec tunnel, for the branch remains in place throughout.

    Can anyone help!?

    The problem was that whenever the GRE tunnel between the internal and DMZ routers was established and an EIGRP neighbor formed, the branch was learning the next hop to the tunnel destination from a different device.

    This is how the branch was learning the route to the tunnel destination:

    interface Tunnel1
     description Tandragee Sub Station router VPN Tunnel
     bandwidth 64
     ip address 172.17.205.62 255.255.255.252
     no ip route-cache cef
     delay 20000
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 172.17.255.23

    be-idz-vpn-01#sh ip route 172.17.255.23
    Routing entry for 172.17.255.23/32
      Known via "static", distance 1, metric 0
      Routing Descriptor Blocks:
      * 172.17.252.129
          Route metric is 0, traffic share count is 1

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/25
      Known via "connected", distance 0, metric 0 (connected, via interface)
      Routing Descriptor Blocks:
      * directly connected, via GigabitEthernet0/1
          Route metric is 0, traffic share count is 1

    be-idz-vpn-01#

    This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers was up:

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/27
      Known via "eigrp 1", distance 170, metric 40258816, type external
      Redistributing via eigrp 1
      Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
      Routing Descriptor Blocks:
      * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
          Route metric is 40258816, traffic share count is 1
          Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
          Reliability 255/255, minimum MTU 1476 bytes
          Loading 1/255, Hops 2

    We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via "connected" via GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.

    This is what causes Tunnel 1 to drop.

    The reason for this behavior was that the route to reach the next hop was learned with a longer match through the tunnel interface, so it won the race into the routing table.

    The solution we applied:

    Created a distribute list on the branch office router in order to remove this specific route from the Tunnel 100 updates.

    router eigrp 1
     distribute-list 1
     network 10.10.10.0 0.0.0.3
     network 172.17.203.56 0.0.0.3
     network 172.17.203.60 0.0.0.3
     network 172.17.205.60 0.0.0.3
     network 172.19.98.18 0.0.0.0
     network 192.168.5.64 0.0.0.3
     passive-interface Loopback1

    be-idz-vpn-01#sh access-list 1
    Standard IP access list 1
        10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
        20 permit any (1230 matches)

    be-idz-vpn-01#

    Once this had been applied, we could have the GRE tunnel established between the internal and DMZ routers together with the GRE tunnel between the branch and the router in the DMZ.
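The route change described in this answer can be replayed offline. The following is an added example, not part of the original post: it loads the three routes shown in the `sh ip route` output, resolves the Tunnel1 destination recursively with longest-prefix matching, and then applies the access list 1 entry as a route filter. Function and variable names are hypothetical.

```python
"""Added example: why the tunnel destination started resolving via Tunnel100."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str                                  # "connected", "static", "eigrp 1"
    distance: int                                # administrative distance
    next_hop: Optional[ipaddress.IPv4Address] = None
    interface: Optional[str] = None


def mk(prefix, source, distance, next_hop=None, interface=None):
    hop = ipaddress.IPv4Address(next_hop) if next_hop else None
    return Route(ipaddress.IPv4Network(prefix), source, distance, hop, interface)


# Routes copied from the "sh ip route" output in the post.
BASE_TABLE = [
    mk("172.17.255.23/32", "static", 1, next_hop="172.17.252.129"),
    mk("172.17.252.128/25", "connected", 0, interface="GigabitEthernet0/1"),
]
LEARNED_OVER_TUNNEL100 = [
    mk("172.17.252.128/27", "eigrp 1", 170,
       next_hop="192.168.5.66", interface="Tunnel100"),
]
TUNNEL1_DESTINATION = "172.17.255.23"


def lookup(table, dest):
    """Longest prefix wins; distance only breaks ties between equal prefixes."""
    candidates = [r for r in table if dest in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def egress_interface(table, dest, max_depth=8):
    """Follow next hops until a route names an outgoing interface."""
    addr = ipaddress.IPv4Address(dest)
    for _ in range(max_depth):
        r = lookup(table, addr)
        if r is None:
            return None
        if r.interface:
            return r.interface
        if r.next_hop is None:
            return None
        addr = r.next_hop
    return None


def acl_matches(network, acl_address, wildcard):
    """Standard ACL match: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(network) & care) == (int(ipaddress.IPv4Address(acl_address)) & care)


def install(table, learned, deny=None):
    """Add learned routes, dropping those denied by an (address, wildcard) pair."""
    kept = [r for r in learned
            if not (deny and acl_matches(r.prefix.network_address, *deny))]
    return table + kept


if __name__ == "__main__":
    before = BASE_TABLE
    during = install(BASE_TABLE, LEARNED_OVER_TUNNEL100)
    fixed = install(BASE_TABLE, LEARNED_OVER_TUNNEL100,
                    deny=("172.17.252.128", "0.0.0.127"))
    for label, table in (("before", before), ("during", during), ("fixed", fixed)):
        print(label, egress_interface(table, TUNNEL1_DESTINATION))
```

The /27 learned with distance 170 still beats the connected /25 with distance 0, because prefix length is compared before administrative distance.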

  • DMVPN GRE tunnel does not connect a failed encapsulate

    Hello

    I'm trying to set up a GRE tunnel on a Verizon HWIC-3G-CDMA card per Verizon's document. Does anyone have a backup over EVDO working?

    PDF schema - attached

    Verizons - plug

    The relevant commands are below

    HUB END

    interface Tunnel0
     ip address 192.168.255.89 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     tunnel source 152.176.219.158
     tunnel mode gre multipoint

    interface Serial1/0
     description Verizon MPLS VPN T3
     ip address 152.176.219.158 255.255.255.252
     ip flow ingress
     encapsulation ppp
     dsu bandwidth 44210

    SPOKE END

    interface Tunnel0
     description GRE tunnel to the Hub
     ip address 192.168.255.29 255.255.255.0
     no ip redirects
     ip nhrp map 192.168.255.89 152.176.219.158
     ip nhrp map multicast 152.176.219.158
     ip nhrp network-id 100
     ip nhrp nhs 152.176.219.158
     ip nhrp registration no-unique
     tunnel source Cellular0/1/0
     tunnel mode gre multipoint

    interface Cellular0/1/0
     description * VzW EVDO Interface *
     ip address negotiated
     encapsulation ppp
     dialer in-band
     dialer idle-timeout 0
     dialer string EVDO
     dialer-group 1
     async mode interactive
     ppp chap password 7 120F1F00

    ip route 152.176.219.158 255.255.255.255 Cellular0/1/0

    On the spoke, the command "ip nhrp nhs 152.176.219.158" is wrong; you need to use the tunnel IP: "ip nhrp nhs 192.168.255.89".

    Just in case, here is an example configuration.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008014bcd7.shtml

  • IGP and GRE Tunnel

    Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:

    • Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
    • This will make the redundant paths between two routers
    • This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can tunnel just for the exchange of traffic between two routers.

    My Question:

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?

    Case 2:

    If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

    My Question:

    • I just want to know there is a valid case and also do we get this case in a review?

    What comments can you do on both cases freely, I just create these two cases to clear my mind.

    Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

    Over the tunnel you can run any routing protocol (OSPF, EIGRP, BGP) or static routes, just as on a point-to-point interface between two routers.

    Answer to your question on my opinion are as below

    case 1

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).

    Case 2

    • I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.

    Please always evaluate the useful post!

    Kind regards

    Pawan (CCIE # 52104)

  • Multicast over GRE tunnel traffic

    Hi guys,.

    I have a connection via ISP connection point to point BGP on a connection of 100 Mbps between the branch and the central office.

    I set up a GRE tunnel running OSPF between two Cisco 2801 routers with the Advanced Security IOS so I can share multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparse-mode to carry the video traffic over the tunnel.

    Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues anyone can help me solve this question guys?

    Hello

    There is a lot of discussion about the limitations of bandwidth on the tunnel interface. But most of the discussions flow seems to be linked to the limitation of the software on the device.

    Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it recommended on the tunnel interface.

    HTH.

    Evaluate the useful ticket.

    Kind regards

    Terence

  • VPN3000 as an end of GRE tunnel

    Dear all,

    Is it possible for a VPN3000 to close a GRE tunnel by its own interface (private or public)? As long as I see in the GUI, looks like there no option for config one end of GRE tunnel. You can configure a GRE filter, but it comes through a GRE traffic, I'm right?

    Best regards

    Engel

    Engel,

    You cannot terminate a GRE tunnel for LAN-to-LAN on a concentrator (as you can in IOS). PPTP uses GRE as its transport protocol, which the VPN3K concentrator supports (hence the filters and debugs for GRE).

    Hope that answers your question

    Jean Marc

  • Questions about the Internet browsing GRE tunnel ISPec

    I am faced with Internet navigation problems when distened to the customer's internet traffic. mail.Yahoo.com does not open on the client, while yahoo.com works very well. Same streaming and apps from apple works does not on iphone, but distened for data center traffic works very well. If I remove the protection of IPSec of GRE tunnel then everything works fine.

    Please guide what to do, I have attached a diagram of scenario

    Hello

    It is difficult to suggest, but MTU issue could be the reason for the problem.

    Do you have the ip tcp adjust-mss command on both tunnel interfaces?

    If not, please try to add:

    interface Tunnel X
     ip tcp adjust-mss 1300

    If it helps, you can try to increase the MSS value from 1300 to 1360 (which is recommended by Cisco)

  • GRE tunnels

    I have a router Cisco 2811 configured with a GRE tunnel, and I want to add another tunnel to another remote site. It's the first tunnel configuration:

    interface Tunnel1
     ip address 10.1.1.1 255.255.255.252
     ip access-group 10 out
     ip nat inside
     ip virtual-reassembly
     keepalive 10 3
     tunnel source Vlan1
     tunnel destination xxx.xxx.xxx.xxx
     crypto map IPSEC_VPN

    I have some doubts on that subnet to configure for the second tunnel.

    In the existing tunnel, the IP address is: 10.1.1.1 and mask: 255.255.255.252 subnet so is 10.1.1.0. I guess, I have to configure another different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and the mask, 10.1.2.1 255.255.255.0?

    When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address it use?

    Thanks and greetings

    You're wrong, your PC's need is a route of default gateway for the router, a default route is a route that defines, all unknown IP traffic must be forwarded to the next hop that is defined in the default route.
