[c-nsp] GRE tunnel optimization
Jason Shearer
jshearer at amedisys.com
Tue Jan 12 18:35:52 EST 2010
Why the IPSec over GRE? Typically you see GRE over IPSec to get the benefits of multicast.
Jason
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Greene
Sent: Tuesday, January 12, 2010 3:12 PM
To: Cisco NSP
Subject: [c-nsp] GRE tunnel optimization
Hi,
I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with
mixed results (some packet loss, high latency).
Configs on both ends:
==========
2811, 12.4(21), traffic is sent over bonded DSL lines
==========
interface Tunnel0
 ip address 172.16.16.9 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface Virtual-Template1
 no ip address
 ppp multilink
 ppp multilink group 1
!
interface Multilink1
 ip address x.x.x.x z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1
==========
1841, 12.4(24)T2, traffic is sent over Cablevision link
===========
interface Tunnel0
 ip address 172.16.16.10 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
!
interface FastEthernet0/0/0
 description *** Cablevision ***
 ip address y.y.y.y z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
The VPN is being generated by Sonicwalls on both ends. I've set MTU to
1460 on them as well.
I had originally set MTU to 1400, but it was worse.
Are there any obvious configurations I am missing to optimize this
traffic? For example, is something like the following recommended on
the Tunnel interfaces?
hold-queue 1024 in
hold-queue 1024 out
Thanks for your help.
Adam