Thursday, 8 March 2012

Dynamic Multipoint VPN (DMVPN)

Configuring an IPsec Profile.
The IPsec profile shares most of the same commands with the crypto map configuration, but only a
subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can
be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list
(ACL) to match the packets that are to be encrypted.
Prerequisites
Before configuring an IPsec profile, you must define a transform set by using the crypto ipsec
transform-set command.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile name
4. set transform-set transform-set-name
5. set identity
6. set security-association lifetime {seconds seconds | kilobytes kilobytes}
7. set pfs [group1 | group2]


Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode. Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.

Step 3 crypto ipsec profile name
Example:
Router(config)# crypto ipsec profile vpnprof
Defines the IPsec parameters that are to be used for IPsec
encryption between “spoke and hub” and “spoke and spoke”
routers.
This command enters crypto map configuration mode.
• The name argument specifies the name of the IPsec
profile.

Step 4 set transform-set transform-set-name
Example:
Router(config-crypto-map)# set transform-set trans2

Specifies which transform sets can be used with the IPsec
profile.
• The transform-set-name argument specifies the name
of the transform set.

Step 5 set identity
Example:
Router(config-crypto-map)# set identity
(Optional) Specifies identity restrictions to be used with the
IPsec profile.

Step 6 set security-association lifetime {seconds seconds | kilobytes kilobytes}

Example:
Router(config-crypto-map)# set security-association lifetime seconds 1800

(Optional) Overrides the global lifetime value for the IPsec
profile.
• The seconds seconds option specifies the number of
seconds a security association will live before expiring;
the kilobytes kilobytes option specifies the volume of
traffic (in kilobytes) that can pass between IPsec peers
using a given security association before that security
association expires.
• The default for the seconds argument is 3600 seconds.

Step 7 set pfs [group1 | group2]
Example:
Router(config-crypto-map)# set pfs group2
(Optional) Specifies that IPsec should ask for perfect
forward secrecy (PFS) when requesting new security
associations for this IPsec profile. If this command is not
specified, the default (group1) will be enabled.
• The group1 keyword specifies that IPsec should use the
768-bit Diffie-Hellman (DH) prime modulus group
when performing the new DH exchange; the group2
keyword specifies the 1024-bit DH prime modulus
group.
Both groups are small by current standards: a 768-bit or
1024-bit DH exchange offers far less strength than the
AES keys it protects. Never leave the profile on group1;
use group2 as the minimum, and on IOS releases that
support larger groups (group14, 2048-bit, and up) prefer
those.
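The profile procedure above, assembled into one working configuration fragment. This is an added example, not a configuration from the Cisco guide or from the blog's author. The guide names only the transform set as a prerequisite; the ISAKMP (IKE) policy and the pre-shared key are assumptions added here because the tunnel cannot negotiate without them, and the key value, policy number and group choices are illustrative.

```cisco
! Added example: IKE phase 1 policy. The guide does not cover this; it is
! assumed here so the DMVPN tunnel can actually bring up IPsec SAs.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Assumption: a wildcard pre-shared key so any spoke can authenticate to the
! hub. One shared secret lets any spoke that knows it impersonate any other
! spoke, so production DMVPN should use certificates (PKI) instead.
crypto isakmp key ExamplePSK123 address 0.0.0.0 0.0.0.0
!
! Prerequisite named on the page: the transform set referenced by the profile.
! Transport mode is the usual choice with tunnel protection; the GRE header
! already carries the tunnel endpoints, so tunnel mode would only add 20 bytes.
crypto ipsec transform-set trans2 esp-aes 256 esp-sha-hmac
 mode transport
!
! The IPsec profile from Steps 3 to 7. Note what is absent: no peer address
! and no crypto ACL. The tunnel interface that later references this profile
! supplies the peer (from NHRP) and the traffic selector (the GRE tunnel).
crypto ipsec profile vpnprof
 set transform-set trans2
 set security-association lifetime seconds 1800
 ! group2 is the strongest option the page lists; use a larger group where
 ! the IOS release offers one.
 set pfs group2
```

Because the profile has no peer or ACL, the same profile can be attached to the hub's tunnel and to every spoke's tunnel; `show crypto ipsec sa` on either side shows one SA pair per active peer once traffic flows.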

Configuring the Hub for DMVPN
To configure the hub router for mGRE and IPsec integration (that is, associate the tunnel with the IPsec
profile configured in the previous procedure), use the following commands:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map multicast dynamic
8. ip nhrp network-id number
9. tunnel source {ip-address | type number}
10. tunnel key key-number
11. tunnel mode gre multipoint
12. tunnel protection ipsec profile name
13. bandwidth kbps
14. ip tcp adjust-mss max-segment-size
15. ip nhrp holdtime seconds
16. delay number

Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode.
Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
(Source: Cisco IOS Security Configuration Guide, “How to Configure Dynamic Multipoint VPN (DMVPN)”.)

Step 3 interface tunnel number

Example:
Router(config)# interface tunnel 5
Configures a tunnel interface and enters interface
configuration mode.
• The number argument specifies the number of the
tunnel interface that you want to create or configure.
There is no limit on the number of tunnel interfaces you
can create.

Step 4 ip address ip-address mask [secondary]

Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0

Sets a primary or secondary IP address for the tunnel
interface.
Note All hubs and spokes that are in the same DMVPN
network must be addressed in the same IP subnet.

Step 5 ip mtu bytes
Example:
Router(config-if)# ip mtu 1400
Sets the maximum transmission unit (MTU) size, in bytes,
of IP packets sent on an interface.

Step 6 ip nhrp authentication string
Example:
Router(config-if)# ip nhrp authentication donttell

Configures the authentication string for an interface using
NHRP.
Note The NHRP authentication string must be set to the
same value on all hubs and spokes that are in the
same DMVPN network.
The string only lets NHRP tell DMVPN networks apart; it
is not a cryptographic control. Peer authentication and
confidentiality come from the IKE policy and IPsec profile
attached in Step 12, so do not rely on this string to keep
unauthorized routers out.

Step 7 ip nhrp map multicast dynamic
Example:
Router(config-if)# ip nhrp map multicast dynamic
Allows NHRP to automatically add spoke routers to the
multicast NHRP mappings.

Step 8 ip nhrp network-id number
Example:
Router(config-if)# ip nhrp network-id 99
Enables NHRP on an interface.
• The number argument specifies a globally unique
32-bit network identifier from a nonbroadcast
multiaccess (NBMA) network. The range is from 1 to
4294967295.

Step 9 tunnel source {ip-address | type number}

Example:
Router(config-if)# tunnel source Ethernet0
Sets source address for a tunnel interface.

Step 10 tunnel key key-number
Example:
Router(config-if)# tunnel key 100000
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to
4,294,967,295 that identifies the tunnel key.
Note The key number must be set to the same value on all
hubs and spokes that are in the same DMVPN
network.
Note This command should not be configured if you are
using a Cisco 6500 or Cisco 7600 platform.
Like the NHRP authentication string, the tunnel key is an
identifier that lets the router match incoming GRE packets
to the right tunnel interface; it provides no authentication
of the peer.

Step 11 tunnel mode gre multipoint
Example:
Router(config-if)# tunnel mode gre multipoint
Sets the encapsulation mode to mGRE for the tunnel
interface.

Step 12 tunnel protection ipsec profile name
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec
profile; this value must match the name specified in the
crypto ipsec profile name command.

Step 13 bandwidth kbps
Example:
Router(config-if)# bandwidth 1000
Sets the current bandwidth value for an interface to
higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits
per second. The default value is 9. The recommended
bandwidth value is 1000 or greater.
Setting the bandwidth value to at least 1000 is critical if
EIGRP is used over the tunnel interface. Higher bandwidth
values may be necessary depending on the number of
spokes supported by a hub.

Step 14 ip tcp adjust-mss max-segment-size
Example:
Router(config-if)# ip tcp adjust-mss 1360
Adjusts the maximum segment size (MSS) value of TCP
packets going through a router.
• The max-segment-size argument specifies the
maximum segment size, in bytes. The range is from 500
to 1460.
The recommended value is 1360 when the number of IP
MTU bytes is set to 1400. With these recommended
settings, TCP sessions quickly scale back to 1400-byte IP
packets so the packets will “fit” in the tunnel.

Step 15 ip nhrp holdtime seconds
Example:
Router(config-if)# ip nhrp holdtime 450
Changes the number of seconds that NHRP NBMA
addresses are advertised as valid in authoritative NHRP
responses.
• The seconds argument specifies the time in seconds that
NBMA addresses are advertised as valid in positive
authoritative NHRP responses. The recommended
value ranges from 300 seconds to 600 seconds.

Step 16 delay number
Example:
Router(config-if)# delay 1000
(Optional) Used to change the EIGRP routing metric for
routes learned over the tunnel interface.
• The number argument specifies the delay time in


Configuring the Spoke for DMVPN
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
8. ip nhrp map multicast hub-physical-ip-address
9. ip nhrp nhs hub-tunnel-ip-address
10. ip nhrp network-id number
11. tunnel source {ip-address | type number}
12. tunnel key key-number
13. tunnel mode gre multipoint
or
tunnel destination hub-physical-ip-address
14. tunnel protection ipsec profile name
15. bandwidth kbps
16. ip tcp adjust-mss max-segment-size
17. ip nhrp holdtime seconds
18. delay number

Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode.
Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.

Step 3 interface tunnel number
Example:
Router(config)# interface tunnel 5
Configures a tunnel interface and enters interface
configuration mode.
• The number argument specifies the number of the
tunnel interface that you want to create or configure.
There is no limit on the number of tunnel interfaces you
can create.

Step 4 ip address ip-address mask [secondary]
Example:
Router(config-if)# ip address 10.0.0.2
255.255.255.0

Sets a primary or secondary IP address for the tunnel
interface.
Note All hubs and spokes that are in the same DMVPN
network must be addressed in the same IP subnet.

Step 5 ip mtu bytes
Example:
Router(config-if)# ip mtu 1400
Sets the MTU size, in bytes, of IP packets sent on an
interface.

Step 6 ip nhrp authentication string
Example:
Router(config-if)# ip nhrp authentication donttell

Configures the authentication string for an interface using
NHRP.
Note The NHRP authentication string must be set to the
same value on all hubs and spokes that are in the
same DMVPN network.

Step 7 ip nhrp map hub-tunnel-ip-address
hub-physical-ip-address

Example:
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1

Statically configures the IP-to-NBMA address mapping of
IP destinations connected to an NBMA network.
• hub-tunnel-ip-address—Defines the NHRP server at
the hub, which is permanently mapped to the static
public IP address of the hub.
• hub-physical-ip-address—Defines the static public IP
address of the hub.

Step 8 ip nhrp map multicast hub-physical-ip-address
Example:
Router(config-if)# ip nhrp map multicast 172.17.0.1

Enables the use of a dynamic routing protocol between the
spoke and hub, and sends multicast packets to the hub
router.

Step 9 ip nhrp nhs hub-tunnel-ip-address
Example:
Router(config-if)# ip nhrp nhs 10.0.0.1
Configures the hub router as the NHRP next-hop server.

Step 10 ip nhrp network-id number
Example:
Router(config-if)# ip nhrp network-id 99
Enables NHRP on an interface.
• The number argument specifies a globally unique
32-bit network identifier from a NBMA network. The
range is from 1 to 4294967295.

Step 11 tunnel source {ip-address | type number}
Example:
Router(config-if)# tunnel source Ethernet0
Sets the source address for a tunnel interface.

Step 12 tunnel key key-number
Example:
Router(config-if)# tunnel key 100000
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to
4,294,967,295 that identifies the tunnel key.
• The key number must be set to the same value on all
hubs and spokes that are in the same DMVPN network.
Note This command should not be configured if you are
using a Cisco 6500 or Cisco 7600 platform.

Step 13 tunnel mode gre multipoint
or
tunnel destination hub-physical-ip-address

Example:
Router(config-if)# tunnel mode gre multipoint
or
Router(config-if)# tunnel destination 172.17.0.1

tunnel mode gre multipoint sets the encapsulation mode to
mGRE for the tunnel interface. Use this command if data
traffic may use dynamic spoke-to-spoke tunnels.
tunnel destination specifies the destination for a
point-to-point GRE tunnel interface. Use this command if
data traffic will only ever use hub-and-spoke tunnels; such a
spoke cannot build direct tunnels to other spokes.

Step 14 tunnel protection ipsec profile name
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec
profile; this value must match the name specified in the
crypto ipsec profile name command.

Step 15 bandwidth kbps
Example:
Router(config-if)# bandwidth 1000
Sets the current bandwidth value for an interface to
higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits
per second. The default value is 9. The recommended
bandwidth value is 1000 or greater.
The bandwidth setting for the spoke does not need to equal
the bandwidth setting for the DMVPN hub. It is usually
easier if all of the spokes use the same or similar value.

Step 16 ip tcp adjust-mss max-segment-size
Example:
Router(config-if)# ip tcp adjust-mss 1360
Adjusts the maximum segment size (MSS) value of TCP
packets going through a router.
• The max-segment-size argument specifies the
maximum segment size, in bytes. The range is from 500
to 1460.
The recommended value is 1360 when the IP MTU is set to
1400. With these recommended settings, TCP sessions
quickly scale back to 1400-byte IP packets so the packets
will “fit” in the tunnel.
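The hub procedure and the spoke procedure above, each assembled into a complete tunnel interface, using the page's own values (Tunnel 5, subnet 10.0.0.0/24, network-id 99, tunnel key 100000, profile vpnprof, hub public address 172.17.0.1). This is an added example, not configuration from the Cisco guide or the blog's author. It assumes the hub's Ethernet0 carries 172.17.0.1, that the IPsec profile vpnprof already exists, and that the platform accepts tunnel key (Cisco 6500/7600 do not); a routing protocol over the tunnel is left out because the page does not configure one.

```cisco
! ---------- Hub (tunnel address 10.0.0.1, public address 172.17.0.1) ----------
interface Tunnel5
 ! Step 13: at least 1000 so EIGRP metrics over the tunnel are sane.
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 ! Steps 5 and 14: 1400-byte MTU plus 1360-byte MSS leaves room for
 ! GRE + ESP overhead inside a 1500-byte physical MTU.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Steps 6 to 8 and 15: NHRP. The hub learns spoke mappings dynamically
 ! and replicates multicast (routing protocol hellos) to registered spokes.
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 450
 ! Step 16 (optional): EIGRP delay metric for tunnel routes.
 delay 1000
 ! Steps 9 to 12: mGRE sourced from the public interface, protected by
 ! the IPsec profile. No tunnel destination on the hub: NHRP supplies it.
 tunnel source Ethernet0
 tunnel key 100000
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
! ---------- Spoke (tunnel address 10.0.0.2) ----------
interface Tunnel5
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication donttell
 ! Step 7: static mapping of the hub's tunnel address to its public address.
 ip nhrp map 10.0.0.1 172.17.0.1
 ! Step 8: send multicast (routing protocol packets) to the hub only.
 ip nhrp map multicast 172.17.0.1
 ! Step 9: the hub is the next-hop server the spoke registers with.
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 99
 ip nhrp holdtime 450
 delay 1000
 tunnel source Ethernet0
 tunnel key 100000
 ! Step 13: mGRE so this spoke can build spoke-to-spoke tunnels on demand.
 ! For a hub-and-spoke-only spoke, replace the next line with:
 !   tunnel destination 172.17.0.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
```

Three values must match on every router in the DMVPN network or the tunnel silently fails to form: the NHRP authentication string, the NHRP network-id and the tunnel key; the tunnel addresses must also share one subnet. After both sides are configured, `show dmvpn` on the hub should list the spoke as registered, `show ip nhrp` should show the spoke's 10.0.0.2 to public-address mapping, and `show crypto ipsec sa` should show a pair of SAs per peer. Remember that the hub's own public address and the spokes' identities are only authenticated by IKE, never by the NHRP string or tunnel key.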
