Cisco WAN :: 7609S - Configure Per-tunnel QoS With DMVPN For MPLS Connected Sites?
May 3, 2013
One of the customers has deployed Cisco 7609S in their infrastructure for Branch/RO connectivity. When we tried to configure per-tunnel QoS with DMVPN for MPLS connected sites, we came to know that Cat 6500 and Cisco 7600 series routers don't support this feature.
Now, we are looking for a suitable replacement for the Cisco 7609S. I found a document for configuring the above feature on Cisco ASR 1000 series routers, but it always has many restrictions.
We are now looking for:
(a) a suitable platform in the league of the Cisco 7609S that supports the above feature.
(b) a suitable technology replacement for DMVPN with minimum restrictions.
Our client has all sites connected via MPLS. Each site has a router connected to MPLS via a serial interface, and connected to the switch (6500) via an Ethernet interface. There is QoS applied outbound on the serial interface.
It appears there is a lot of inbound traffic coming to the site, and the client applied QoS on outbound. What I learned is that after the packets are marked by the CPE, the ingress Provider Edge Router (PER) uses these markings to map flows to various Label Switched Paths (LSPs), providing differentiated treatment across the network. Then at egress, the PER applies queuing policies based on the CPE's original DSCP markings to properly allocate bandwidth on the egress link during congestion. My guess is that we really don't need an inbound policy applied on the serial interface of the router; am I correct?
The serial interface has 1.5 MB, and the goal is that we want to have 1 MB for critical apps and 0.5 MB for download/upload internet access. If we apply this policy on the switch, A) should I apply it on the VLAN interface or on the port connected to the router?
Imagine you have 5 sites, one router at each site (2851 as CE) connected to the MPLS network. All sites have a maximum of 3xT1.
Requirement: In case the CE router or the circuit to MPLS fails at any of those sites, I need to provide a backup circuit to reach the MPLS network.
Proposal: Bring one Internet circuit to each of those sites and create a DMVPN to every site.
Question: Let's say the Site1-MPLS circuit goes down.
Then all traffic from Site1-MPLS should flow through the IPsec tunnel to all other MPLS sites. Am I right that the traffic coming from Site1-MPLS will ingress via the 2851 CE routers, correct? Is this the typical design? How do I accomplish this? I'd like to set up a lab to simulate it.
We have about 200 spokes (2811 routers), each one connected to two hubs (7206VXR with NPE-G2) via a separate DMVPN. DMVPN is over an MPLS cloud provided by the local operator. On the hubs we very frequently get these types of messages:
.Feb 9 16:00:10.402: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is down: Interface Goodbye received.
.Feb 9 16:00:11.658: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is up: new adjacency
On the spoke:
Feb 9 13:36:48: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is down: holding time expired
Feb 9 13:36:51: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is up: new adjacency
I think the default EIGRP hello and hold timers (5, 15) are not suitable, since these are WAN links.
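The NBRCHANGE messages above are the raw material for deciding whether an adjacency is really flapping and why. The following script is an added example for this page, not code from the post or from Cisco: it parses %DUAL-5-NBRCHANGE lines in the exact format shown, counts how many times each neighbor went down inside a sliding window, and tallies the down reasons, since "holding time expired" (lost hellos, timers or path loss) and "Interface Goodbye received" (the peer itself tore the adjacency down) point at different causes. The log lines, the neighbor addresses and the year are constructed, because IOS timestamps carry no year.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the %DUAL-5-NBRCHANGE lines shown on this page. The optional
# leading "." is the IOS clock-status marker in front of the timestamp.
NBRCHANGE_RE = re.compile(
    r'^\.?(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?:\s+'
    r'%DUAL-5-NBRCHANGE:\s+IP-EIGRP\(\d+\)\s+(?P<asn>\d+):\s+'
    r'Neighbor\s+(?P<nbr>\S+)\s+\((?P<intf>[^)]+)\)\s+is\s+(?P<state>up|down):\s*(?P<reason>.*)$'
)

YEAR = 2013  # assumption: IOS timestamps omit the year, so one is supplied


def parse_nbrchange(line):
    """Return a dict for one NBRCHANGE line, or None for any other syslog line."""
    m = NBRCHANGE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "asn": int(m["asn"]),
        "neighbor": m["nbr"],
        "interface": m["intf"],
        "state": m["state"],
        "reason": m["reason"].rstrip("."),
    }


def detect_flaps(lines, window=timedelta(minutes=10), threshold=2):
    """Map (neighbor, interface) -> largest number of 'down' events that fall
    inside any window-long span, for adjacencies that reach the threshold."""
    downs = defaultdict(list)
    for line in lines:
        ev = parse_nbrchange(line)
        if ev and ev["state"] == "down":
            downs[(ev["neighbor"], ev["interface"])].append(ev["ts"])
    flapping = {}
    for key, times in downs.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):          # sliding window over down events
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flapping[key] = worst
    return flapping


def down_reasons(lines):
    """Count the reason text of every 'down' event."""
    return Counter(ev["reason"] for ev in map(parse_nbrchange, lines)
                   if ev and ev["state"] == "down")


# Constructed sample: hub-style lines (with milliseconds and the "." marker),
# one spoke-style line without milliseconds, and one unrelated syslog line.
SAMPLE_LOG = [
    ".Feb 9 16:00:10.402: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.5 (Tunnel3) is down: Interface Goodbye received.",
    ".Feb 9 16:00:11.658: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.5 (Tunnel3) is up: new adjacency",
    ".Feb 9 16:04:02.117: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.5 (Tunnel3) is down: holding time expired",
    ".Feb 9 16:04:05.900: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.5 (Tunnel3) is up: new adjacency",
    ".Feb 9 16:30:00.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.6 (Tunnel3) is down: holding time expired",
    ".Feb 9 16:30:03.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.6 (Tunnel3) is up: new adjacency",
    "Feb 9 13:36:48: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.1 (Tunnel0) is down: holding time expired",
    "Feb 9 13:36:51: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency",
    "Feb 9 16:31:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for (nbr, intf), n in detect_flaps(SAMPLE_LOG).items():
        print(f"flapping: {nbr} on {intf}, {n} drops within 10 minutes")
    for reason, n in down_reasons(SAMPLE_LOG).items():
        print(f"{n:3d} x {reason}")
```

Running it against the constructed sample reports 10.0.0.5 on Tunnel3 as flapping (two drops within the window) and leaves the single drops alone; feed it `show logging` output from the hub to get the same per-neighbor picture.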
Our company is starting to open a lot of small MPLS sites across the nation. By small I mean fewer than 10 users, VoIP, 1 DC, that's it. Instead of getting the usual 2901+2960 combo, I'm interested in finding less expensive solutions. Maybe an L3 switch like a 3750? These are temporary sites, so management is fine with looking into used, non-SmartNet-covered gear.
I have a general question regarding building SAs between two peers. Can I establish more than one SA between two peers with the same IP address? Actually I have 3 DMVPNs running in parallel in different VRFs using the same SA. They all have the same IPsec encryption, AES256. Now I need to reduce the encryption to 3DES in one of the three DMVPNs. Is that possible, or do I need a different IP address so that the SA pair is unique? That's how I started, with a Phase 2 failure, which is not acceptable.
We have a 6-spoke DMVPN setup. Five of the six spokes work fine. On the 6th spoke, a 2911, we have created a Tunnel0. Other spokes and the hubs can ping its IP, but it can't ping itself. When we do a show interface it shows that Tunnel0 is up, but the protocol is down. What does that mean?
Central Router (WAN: 1.1.1.1) <--> Internet <--> (WAN: Dynamic IP) Branch Router
Tunnel 172.31.254.1/26                           Tunnel 172.31.254.9/26
The central router is a Cisco 1811 running IOS c181x-advipservicesk9-mz.151-4.M.bin. The branch router is a Cisco 1941 running IOS c1900-universalk9-mz.SPA.151-4.M.bin.
When I do a Ping test directly from the branch to central router over the Internet I have no packet loss:
branch#ping 1.1.1.1 source GigabitEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(...)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 40/41/60 ms
branch#
When doing a ping test over the DMVPN tunnel (which is using the WAN IP as source) I see packet loss.
branch#ping 172.31.254.1 source Tunnel 3 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.31.254.1, timeout is 2 seconds:
Packet sent with a source address of 172.31.254.9
!!!!!!!!!!.!!!!!!!!!!.!.!!!!!!.!!!!!..!!!!!!..!!!!!!!!.!!.!!!!!.!!!!!!!!!!!!.!!!!!.!!!.!!!!!!!!!!!..!!!!.!.!.!!!!!.!!!!!!!!!.!..!!!.!.!!!!!.(...)!!!!!!.!!!.!!!!.!!!!.!.!!.!!!!!!!!!!!!!!!.!!.!!!!!!!!!.!!!.!!.!.!!!!!...!!!!!!!!!!..!!!!!!
Success rate is 79 percent (795/1000), round-trip min/avg/max = 40/43/568 ms
branch#
Central:
interface Tunnel0
 description Testing (DMVPN)
 bandwidth 10000
 ip address 172.31.254.1 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel bandwidth transmit 10000
 tunnel bandwidth receive 10000
 tunnel protection ipsec profile secure_profile shared
Branch:
interface Tunnel3
 description Testing (DMVPN)
 bandwidth 2000
 ip address 172.31.254.9 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.31.254.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.31.254.1
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel bandwidth transmit 2000
 tunnel bandwidth receive 2000
 tunnel protection ipsec profile secure_profile shared
Crypto parameters on both central and branch routers:
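A consistency check for the hub and branch tunnel interfaces posted above, written as an added example for this page (it is not code from the original post or from Cisco): it parses each interface block line by line, extracts the parameters that must agree on both ends of a DMVPN (NHRP network-id and authentication string, tunnel key, tunnel mode, IPsec profile, MTU and adjusted MSS), confirms that the spoke's NHS is the hub's tunnel address and has a static NHRP map, and reports every mismatch. Ruling these out is the first step before chasing loss inside the tunnel. The two real blocks are the ones on the page; SPOKE_BAD_CFG is a constructed copy with a wrong network-id and tunnel key to show what a report looks like.

```python
# Config lines whose value must be captured, mapped to a key name.
WATCHED = {
    "ip address": "ip_address",
    "ip mtu": "ip_mtu",
    "ip tcp adjust-mss": "tcp_mss",
    "ip nhrp authentication": "nhrp_auth",
    "ip nhrp network-id": "nhrp_network_id",
    "ip nhrp nhs": "nhrp_nhs",
    "tunnel key": "tunnel_key",
    "tunnel mode": "tunnel_mode",
    "tunnel protection ipsec profile": "ipsec_profile",
}
FIRST_TOKEN_ONLY = {"ip_address", "ipsec_profile"}   # drop the mask / "shared"
MUST_MATCH = ("nhrp_network_id", "nhrp_auth", "tunnel_key",
              "ip_mtu", "tcp_mss", "tunnel_mode", "ipsec_profile")


def parse_tunnel_config(text):
    """Parse one 'interface TunnelN' block (one command per line) into a dict."""
    cfg = {"nhrp_maps": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("ip nhrp map multicast"):
            continue                      # multicast mapping is not compared here
        if line.startswith("ip nhrp map "):
            tunnel_ip, nbma = line.split()[3:5]
            cfg["nhrp_maps"][tunnel_ip] = nbma
            continue
        for prefix, key in WATCHED.items():
            if line.startswith(prefix + " "):
                rest = line[len(prefix):].strip()
                cfg[key] = rest.split()[0] if key in FIRST_TOKEN_ONLY else rest
                break
    return cfg


def check_pair(hub, spoke):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    for key in MUST_MATCH:
        if hub.get(key) != spoke.get(key):
            problems.append(f"{key} differs: hub={hub.get(key)} spoke={spoke.get(key)}")
    nhs = spoke.get("nhrp_nhs")
    if nhs != hub.get("ip_address"):
        problems.append(f"spoke NHS {nhs} is not the hub tunnel address {hub.get('ip_address')}")
    elif nhs not in spoke["nhrp_maps"]:
        problems.append(f"spoke has no static NHRP map for NHS {nhs}")
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        # adjust-mss should be ip mtu minus 20-byte IP and 20-byte TCP headers
        if int(cfg.get("ip_mtu", 0)) - int(cfg.get("tcp_mss", 0)) != 40:
            problems.append(f"{name}: ip mtu minus adjust-mss is not 40")
    return problems


# The two interface blocks from the post, one command per line.
HUB_CFG = """
interface Tunnel0
 description Testing (DMVPN)
 bandwidth 10000
 ip address 172.31.254.1 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel protection ipsec profile secure_profile shared
"""
SPOKE_CFG = """
interface Tunnel3
 description Testing (DMVPN)
 bandwidth 2000
 ip address 172.31.254.9 255.255.255.192
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.31.254.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.31.254.1
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel protection ipsec profile secure_profile shared
"""
# Constructed variant: wrong network-id and tunnel key, everything else equal.
SPOKE_BAD_CFG = (SPOKE_CFG.replace("ip nhrp network-id 1", "ip nhrp network-id 2")
                          .replace("tunnel key 100003", "tunnel key 100004"))

if __name__ == "__main__":
    hub = parse_tunnel_config(HUB_CFG)
    for label, text in (("posted spoke", SPOKE_CFG), ("bad spoke", SPOKE_BAD_CFG)):
        report = check_pair(hub, parse_tunnel_config(text))
        print(f"{label}: {'consistent' if not report else ''}")
        for p in report:
            print("  -", p)
```

For the posted pair the report is empty, so the packet loss seen over the tunnel is not a parameter mismatch; with those checks passed, the next things to compare are the crypto parameters the post leaves out and the path MTU between the two WAN addresses.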
So in our DMVPN network, we have this Cisco 3845 hub router that is connected via a DS3 to the Internet, and our spoke sites usually have a broadband connection that typically has a maximum of 1Mbps upload capacity. We are getting ready to add a few more sites to our network that are connected to the Internet with 10Mbps upload speeds (and 50Mbps download). Spoke site routers are usually 800 series ISRs. We have seen spikes of 8-10Mbps on the hub router so far. So the question is whether a site with 10Mbps upload speed can transmit at full capacity over a DMVPN tunnel, or is it limited by other factors? What are those factors?
I am having a hard time trying to configure DMVPN with the tunnel being sourced from a loopback interface. All routers are Cisco 886 routers, which don't have L3 ports. That is why I used SVI interfaces and have configured the L2 ports (Fa0, Fa1, etc.) with the command switchport access vlan. The problem is that I am receiving Invalid SPI errors only on the hub router, and I have no clue what the problem could be, because they use exactly the same parameters for IPsec. [code]
We are facing heavy network load and slow performance at one of our remote sites. We are using Cisco 2800 series routers with the same IOS at both sites. Our WAN network is running on BGP with EIGRP configured, and tunnels were configured at both sites. As part of the testing I removed the tunnel and saw that performance was OK from the head office to the remote branch; the WAN network gets heavy and slows down when we put the tunnel back in hub-and-spoke.
Quick info:
Cisco 2800 Series router IOS: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE
I have a setup where a spoke (Cisco 1841) is sending a multicast feed to a hub (Cisco 2951) via a DMVPN tunnel over the Internet. The feed arrives on interface fa0/0 of the Cisco 1841 and is forwarded to the tunnel interface. It is about 160,000 kbit/s and 18 pps. This always looks the same:
cisco2951-1-hub#sh run int tu10
!
interface Tunnel10
 description DMVPN TUNNEL
I am facing a voice quality issue on Cisco IP phones. However, I don't have any issue when calling between extensions in the same site. I am facing the voice quality issue when traffic flows through the MPLS over GRE tunnel. It works fine if I remove mls qos on the Cisco 3550 interface.
I am new to MPLS on Cisco routers. For our interoperability testing I need MPLS tunnel counter output (data sent out and data received). I am not able to find this information in the Cisco user guide. As per the standard it is defined in the MIB table mplsTunnelPerfTable of stdte.mib.
I have a lab in which I am trying to configure a VPN tunnel between an ASA5520 (running ASA ver 8.0(2)) and a router (3725 running C3725-ADVENTERPRISEK9-M) - see pic below for topology.
5 - Remote sites (no static IP there)
3 - Remote users (commercial)
1 - Central building (using static IP address)
Is it possible to establish a permanent VPN tunnel from each one of my remote sites to the main building, even if I have no static IP address at the remote sites?
Do you think that the RV180 is the best choice to manage VPN connections between the remote sites and the central building securely and faster?
I'm currently setting up two VPN 3000 Concentrators at two different sites to create an IPsec LAN-to-LAN tunnel. I have gone through all the basic configuration guides on the Cisco site, but a LAN-to-LAN session is never created. I have enabled the logs on the Concentrator and it displays no errors at all - it appears the Concentrator is not even trying to establish an IPsec LAN-to-LAN tunnel. After running through the standard setup provided by Cisco, is there anything I need to do to make the Concentrator try to create a tunnel, or should this be automatic once all settings are in place?
I am attempting to install an ASA 5510 at my HQ. Our MPLS network is provided by our ISP and the routers are managed by them. They will be working with me to add the needed routes to the routers. Using version 8.4.1. That said, here is my challenge:
I am connecting the MPLS routers and the WAAS device to my core switch (also performing inter-VLAN routing) in VLAN 2. There are 3 connections needed for the MPLS equipment and they are all in VLAN 2 on my core switch. The firewall (ASA 5510 with Security Plus licensing) also has an interface (outside) in VLAN 2.
e0/0
 shutdown
 no nameif
[Code]....
configuration guides or suggest TAC, as they have been a bit inconsistent with this issue thus far. What am I missing? I cannot get to the point where the inside interface of the firewall is pingable by the LAN and the outside interface of the firewall is pingable by the LAN.
We have an Aironet 1130ag in a remote office connected to the data centre over MPLS. The RADIUS server is based on Server 2003. We have hundreds of these access points set up exactly the same, but this is the only one giving me issues. I even stripped the config and rebuilt it, and then swapped in a new access point.
The issue is that clients can't authenticate when connecting to the access point, but it provides nothing in Event Viewer. Checking the RADIUS server provides nothing either. The access point error logs just state "station: authentication failed".
On looking deeper into the problem I enabled RADIUS debugging on the access point and got some interesting results; in particular there is the line: no sg in radius-timers: ctx 0x12EF0A4 sg 0x0000. I can't find out what "no SG in radius-timers" actually means, but after that line appears I just see more retransmits and "no sg" failures.
I inspected the packets on the RADIUS server and found lots of Access-Requests coming from my access point and lots of Access-Challenges returning from my RADIUS server - I'm not sure how often that's supposed to happen or if it's a one-time occurrence. I did however see, directly after the first Access-Request, that the RADIUS server returns with UDP and it is fragmented, length is 1514...... could this be the problem? If so, why can't it handle fragmented packets?
I thought I saw a post/question regarding "how to" configure a broadband backup for an MPLS circuit. What I am trying to do is use a cable/DSL broadband (secondary) connection as a backup to an MPLS circuit (primary). I have EIGRP and BGP configured on both the branch endpoint and the tunnel headend. The tunnel is used by the interface that connects to the secondary circuit. The branch location router is an 1841 and the "headend" tunnel router is a 3825. I am wondering about the configuration/syntax of a "weight" or static route that can be used to have data flow over the tunnel when the MPLS circuit goes down, and then switch back to the MPLS circuit when it comes back online.
I am trying to test multicast between two sites connected over the WAN. Site A is connected to Site B with a DS3 link with Ethernet output. The DS3 link is connected between Cisco 2851 routers at each end. On the LAN side, the Cisco 2851 router is connected to a Nortel 8600 switch over Ethernet at both ends. PIM is enabled on the Nortel 8600 core switch in sparse mode, and multicast is working fine within the LAN. The result is the same for both sites.
Now we are trying to make multicast work over the WAN: PIM is enabled on both the LAN and WAN interfaces of the Cisco routers in sparse mode, and multicast is enabled globally. Now both routers are forming neighborships with their respective LAN switches and with each other, but multicast traffic is not flowing. On the Cisco router the mroute is not appearing for the multicast group defined on the core switch.
I have 3 sites. Each site has a Cisco 1841 as its WAN router with a 10Mb direct internet access circuit connected to Fa0/0. The sites are then connected to each other via site-to-site IPsec VPN. (The LAN switches in use at each site are Cisco 3750 series.) [code]
Now, Site A has already been set up with VoIP telephony. The plan is to extend this to the other 2 offices. Auto QoS has been set up on the switches, and data and voice VLANs have been created in the same way for each office.
How should we extend the QoS for the voice over the WAN to ensure voice quality remains good for site-to-site calls? And what special considerations do we have to make for it being IPsec VPN connectivity between the sites? The actual IP telephony system itself is being set up by a 3rd party and not a lot of information on their requirements has been forthcoming so far - essentially all we have really been told is that they would like us to "reserve" a certain amount of bandwidth for the voice traffic between each site.
I am having trouble with my wireless connection. I am only able to visit websites but if I try to use the internet for anything else (AIM, Yahoo instant messenger, etc), it will not work. This is not a modem issue because my other computers' connections still work fine.
About a week ago my mom (unbeknownst to me) installed a registry "booster" (Uniblue Registry Booster) and, as expected, it messed some stuff up. As soon as she finished scanning and it "fixed" all her registry issues, she could no longer load webpages in her browser. The PC was running XP at the time of the corruption, none of her system restore points work, and unfortunately her automatic backups had stopped running about 2 months ago without me knowing. She's been planning to switch to Windows 7 soon anyway, so after a few days of trying to find a solution and not having any luck I thought "well maybe if we upgrade it will unintentionally fix some files / settings during the install." Going from XP to Windows 7 was no fun task itself, but after many hours of installs I had it upgraded to Vista and then to 7.
I have an ADSL modem, a TP-Link TD-8840, and I had this up and running well for about 3 days. Then we decided to get a router because my little sis got an iPad 2. The router is a D-Link DIR-61. So basically I followed all the instructions and the internet was working fine. Then for some reason the IGN site stopped working; I thought that it was down for some reason and didn't think much of it, and today when I tried to go into Hotmail or Facebook it doesn't work either. So I can get to the login pages of both, but when I put in the ID and password, the screen goes blank and just says "waiting for ...." at the bottom (using Google Chrome), and it never loads. I tried with other internet browsers and it didn't work, so I took out the router and re-wired the ADSL modem only and voila, all the sites started working again. I want to use my router but I don't know why I can't access some sites when I have it connected.
I wanted to ask a question about the diagram I have included. We are bringing up 2 MPLS WAN connections and would like some specifics on the best design. We are using BGP to the providers. From there we have big questions. We can run BGP internal and are licensed to do so on the N5K's. The N5Ks are currently using HSRP for inside LAN clients as default gateway. We want to load balance and provide redundant routes using a dynamic approach. Should we use BGP internal utilizing the connections between the routers? Should we use HSRP on the routers? How best to get the routes to the N5K and should we be considering this?
I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL. The remote end is a SonicWall.
The problem seems to be that the PIX never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be leftover commands in the running-config causing problems.
I followed: [URL] and my VPN connection is established on the 2921. However, when I successfully connect to the router via VPN, ipconfig shows the default gateway as 255.0.0.0. My CISCO2921 Gi0/0 has the default 10.10.10.1 IP assigned, and I want to access this interface with Cisco CP.