Need help selecting router

Mark Mattix
Level 2

I was wondering if someone could help me select a router that would be powerful enough for my organization. At the main site we currently use a 2851 that has a VPN connection to a remote site, the Internet line may also be upgraded from 30Mbps to 100Mbps in the future. The VPN is configured twice for the interface, TAC suggested we only configure one for either the tunnel int or on the physical int. I believe that may be the reason for the high CPU load but wanted other's opinions on what you thought would be best. We also want at least 1Gbit speeds for our LAN of about 100 people and also need to support 100 people in remote sites and 30 servers. I was thinking the 2951 but do you think this is sufficient? Thanks a lot!  -Mark

6 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

The 30 Mbps, itself, could account for a high loading on a 2851.

Unsure how you've configured VPN twice on the same interface. Could you clarify or post the relevant part of the config?

For LAN routing at gig rates, you probably should look into using a L3 switch.

Attached is a Cisco white paper on later ISR performance.

Here is the double VPN config I was talking about:

interface Tunnel99
 bandwidth 100000
 ip address 172.10.1.1 255.255.255.252
 ip mtu 1524
 delay 1
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.1.1
 crypto map Cisco
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.128
 delay 1
 duplex full
 speed 100
 crypto map Cisco

I believe the crypto map "Cisco" should only be configured on the Tunnel or physical interface. The TAC said our map was either configured or encrypted twice. The way this looks to me I thought it was configured twice.

Ah, got it. If I remember correctly, the technique you're using was required several IOS versions ago. I think newer IOS versions only require the crypto map on the physical interface. (Note: the reason I write "I think" is that there's an even newer approach for encrypted IP tunnels, VTI interfaces.)

PS:

Why IP MTU 1524 on the GRE/IPSec tunnel?  I would expect something like IP MTU 1424.  (I'm guessing you're adding 24 bytes for GRE, but you also have to allow for IPSec overhead, and is jumbo Ethernet enabled/supported across the physical?)

You also might consider using adjust-mss command and tunnel PMTUD.

Lastly, if you do keep using the GRE/IPSec tunnel, you might consider using keep alives across it.

I'm not sure how long the tunnel has been configured this way, long before I started working with this company. I believe the first recommendation by the TAC was what you mentioned about the MTU size. I haven't been able to change anything since this is an important link that needs to be available. What is the process of determining what your MTU size should be? I'd have to consider the GRE, IPSEC and the specific encryptions used, right?

Yes, correct, you need to figure out overhead of all the encapsulations.  For example, GRE uses 24, IPSec varies on configuration.  (BTW, to avoid all this, one of Cisco's documents just recommends setting IP MTU to 1400 as that should be larger than actual overhead.)

Another technique, if the tunnel is active and "honors" PMTUD, is to use a router's extended ping, using a range of packet sizes, with DF set.
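The overhead arithmetic discussed in the MTU exchange above (GRE adds 24 bytes, IPsec varies with the transform) worked through as an added example; this is not code from the thread, from Cisco, or from either poster. It assumes ESP with CBC encryption and a truncated HMAC, and a crypto-map style SA in tunnel mode (the extra outer IPv4 header); the cipher/hash combinations it tabulates are illustrative assumptions, not the poster's actual transform set.

```python
from dataclasses import dataclass

# Fixed encapsulation sizes in bytes.
IPV4_HEADER = 20
TCP_HEADER = 20
GRE_OVERHEAD = IPV4_HEADER + 4      # outer IPv4 header + 4-byte GRE header = 24
ESP_SPI_AND_SEQ = 8                 # 4-byte SPI + 4-byte sequence number
ESP_TRAILER_FIXED = 2               # pad-length byte + next-header byte

# Algorithm-dependent sizes. CBC ciphers carry an IV of one block and pad the
# encrypted region to a block multiple; HMAC ICVs are truncated on the wire.
CIPHER_BLOCK = {"3des": 8, "aes": 16}
ICV_LENGTH = {"md5": 12, "sha1": 12, "sha256": 16}


@dataclass(frozen=True)
class EspProfile:
    """IPsec transform assumed for the calculation (illustrative, not the thread's)."""
    cipher: str = "aes"
    hash: str = "sha1"
    tunnel_mode: bool = True  # crypto-map SAs default to tunnel mode: one more IPv4 header


def esp_overhead(plaintext_len: int, profile: EspProfile) -> int:
    """Bytes ESP adds around a plaintext of plaintext_len bytes (here, the GRE packet)."""
    block = CIPHER_BLOCK[profile.cipher]
    # Padding brings (plaintext + pad-length + next-header) up to a block multiple.
    pad = (-(plaintext_len + ESP_TRAILER_FIXED)) % block
    overhead = ESP_SPI_AND_SEQ + block + pad + ESP_TRAILER_FIXED + ICV_LENGTH[profile.hash]
    if profile.tunnel_mode:
        overhead += IPV4_HEADER
    return overhead


def encrypted_size(inner_len: int, profile: EspProfile) -> int:
    """On-wire IPv4 size of an inner packet of inner_len bytes sent through GRE then ESP."""
    gre_len = inner_len + GRE_OVERHEAD
    return gre_len + esp_overhead(gre_len, profile)


def fits(inner_len: int, profile: EspProfile, path_mtu: int = 1500) -> bool:
    """True if the encrypted packet crosses a path_mtu link without fragmentation."""
    return encrypted_size(inner_len, profile) <= path_mtu


def worst_case_overhead(profile: EspProfile) -> int:
    """Largest GRE + ESP overhead across every possible padding alignment."""
    block = CIPHER_BLOCK[profile.cipher]
    return max(encrypted_size(n, profile) - n for n in range(block))


def tunnel_settings(profile: EspProfile, path_mtu: int = 1500) -> dict:
    """Largest 'ip mtu' that never fragments, plus the matching 'ip tcp adjust-mss' value."""
    ip_mtu = path_mtu - worst_case_overhead(profile)
    return {"ip mtu": ip_mtu, "ip tcp adjust-mss": ip_mtu - IPV4_HEADER - TCP_HEADER}


if __name__ == "__main__":
    for prof in (EspProfile("3des", "md5"), EspProfile("aes", "sha1"), EspProfile("aes", "sha256")):
        s = tunnel_settings(prof)
        print(f"{prof.cipher}/{prof.hash} tunnel mode: ip mtu {s['ip mtu']}, "
              f"ip tcp adjust-mss {s['ip tcp adjust-mss']}")
    # The thread's 1524, the 1424 guess and the 1400 guideline, against AES/SHA-1.
    for mtu in (1524, 1424, 1400):
        verdict = "fits" if fits(mtu, EspProfile()) else "exceeds 1500"
        print(f"ip mtu {mtu}: on-wire {encrypted_size(mtu, EspProfile())} bytes, {verdict}")
```

The worst-case figure is what matters for the `ip mtu` setting, because ESP padding depends on the inner packet length and a value that happens to fit for one size can fragment for the next. With AES-CBC, HMAC-SHA-1 and tunnel mode the bound comes out at 97 bytes, which is why the 1400 rule of thumb from the post above leaves headroom; the extended ping with DF set that the post describes remains the way to confirm the real path rather than the arithmetic.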

Thanks for the information Joseph! We're in the process of doing some upgrades to equipment so when I go to reconfigure everything I'll be sure to use the MTU size of 1400. Thanks again!
