Per-Tunnel QoS for DMVPN

Objective: Build a lab with a DMVPN configuration example that includes quality of service.

Background:

The Per-Tunnel QoS for DMVPN feature introduces per-tunnel quality of service (QoS) support for
Dynamic Multipoint VPN (DMVPN). This feature allows you to apply a QoS policy on a DMVPN hub on a
tunnel instance (per-endpoint or per-spoke basis) in the egress direction for DMVPN hub-to-spoke tunnels.
The QoS policy on a DMVPN hub on a tunnel instance allows you to shape the tunnel traffic to individual
spokes (parent policy) and to differentiate individual data flows going through the tunnel for policing (child
policy).

Restrictions for Per-Tunnel QoS for DMVPN:
• Per-tunnel QoS is not supported on point-to-point GRE tunnels, and a shaper on a physical interface or on a VLAN/subinterface is not supported together with the per-tunnel policy, with the single exception of the class-default shaper described in the next two points.
• When two separate QoS policies are applied (one to the physical interface and one to the tunnel interface), QoS on the physical interface is limited to a class-default shaper; no other QoS configuration on the physical interface is supported.
• Adding a QoS policy with a class-default shaper on the physical interface is not supported when multiple QoS policies are already in use.
• A per-tunnel QoS policy can be attached to the tunnel only in the egress direction.

When the Per-Tunnel QoS for DMVPN feature is enabled, queueing and shaping are performed at the
outbound physical interface for the generic routing encapsulation (GRE)/IPsec tunnel packets. The feature
ensures that the GRE header, the IPsec header and the Layer 2 header of the physical interface are all
included in the packet-size calculations used for shaping and bandwidth queueing, so the shaped rate is
measured on the encapsulated packet, not on the original payload.

NHRP performs the provisioning for the Per-Tunnel QoS for DMVPN feature by using NHRP groups.
An NHRP group, a new functionality introduced by this feature, is the group identity information signaled
by a DMVPN node (a spoke) to the DMVPN hub. The hub uses this information to select a locally defined
QoS policy instance for the remote node.

NHRP group-to-QoS policy mappings are configured on the hub DMVPN GRE tunnel interface. The
NHRP group string received from a spoke is mapped to a QoS policy, which is applied to that hub-to-spoke
tunnel in the egress direction.

Once an NHRP group is configured on a spoke, the group is not sent to the hub immediately; it is carried in
the next periodic registration request. (What I did to speed up the process was to shut down the spoke tunnel interfaces so that they would register again with the spoke.)

Topology Example:

R1 (Hub Config):

hostname Hub
!
ip cef
!
no ip domain lookup
ip domain name cisco.com
!
username root password 0 system /Type 0 stores the password in clear text in the configuration; outside a lab use "username ... secret".
!
crypto isakmp policy 1
encr 3des /3DES and DH group 2 are weak by today's standards and are lab settings only; prefer AES and DH group 14 or higher.
authentication pre-share
group 2
crypto isakmp key testing1 address 172.22.8.2
crypto isakmp key testing2 address 172.22.8.3
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile test
description tunnel-test
set transform-set dmvpn
!
ip ssh version 2
!
/Class definitions. Priority for Telnet to tunnel client Spoke2; priority for SSH to tunnel client Spoke1.
/For "match protocol" to work, NBAR must be enabled with "ip nbar protocol-discovery" on the interface where the policy is applied (Tunnel0 in this lab).
/The ACLs referenced below are "permit ip any any", so the NBAR protocol match is what actually selects the traffic.
class-map match-all telnet
match protocol telnet
match access-group name telnet
class-map match-all ssh
match protocol ssh
match access-group name ssh
!
/Child policy for Spoke1: 70% of the shaping bandwidth defined in the parent policy is reserved (priority) for SSH.
policy-map group1
class ssh
priority percent 70
class class-default
!
/Parent policy for Spoke1: shape to 64 kbps, then hand the traffic to the child policy.
policy-map group1_parent
class class-default
shape average 64000
service-policy group1
!
/Child policy for Spoke2: 20% of the shaping bandwidth defined in the parent policy is reserved (priority) for Telnet.
policy-map group2
class telnet
priority percent 20
class class-default
!
/Parent policy for Spoke2: shape to 128 kbps, then hand the traffic to the child policy.
policy-map group2_parent
class class-default
shape average 128000
service-policy group2
!
!
interface Tunnel0
ip address 10.1.5.1 255.255.255.0
no ip redirects
ip nbar protocol-discovery
ip nhrp authentication teto
ip nhrp map multicast dynamic
/Adds the NHRP group to the QoS policy mapping on the hub.
ip nhrp map group spoke_group1 service-policy output group1_parent
ip nhrp map group spoke_group2 service-policy output group2_parent
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source FastEthernet1/1
tunnel mode gre multipoint
tunnel key 345678
tunnel protection ipsec profile test
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 172.22.8.1 255.255.255.248
duplex auto
speed auto
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
ip access-list extended ssh
permit ip any any
ip access-list extended telnet
permit ip any any
!
line vty 0 4
login local
transport input telnet ssh
!
end
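To see what the hub's parent shapers and child priority percentages come to in numbers, and how much of a shaped rate the tunnel headers eat once GRE, IPsec and Layer 2 overhead are counted (as the feature does), here is a small added calculation. It is example code written for this post, not part of the lab configuration or of any Cisco tool. The Tc of 4 ms is taken from the bc/cir ratio visible in the show output further down; the header sizes are assumptions for this lab's transform set (esp-3des esp-sha-hmac, default tunnel mode because no "mode transport" is set, GRE with a key, Ethernet on FastEthernet1/1).

```python
# Added example (not from the original post): shaper parameters and tunnel
# overhead for the per-tunnel policies defined on the hub.

TC_MS = 4  # assumption: IOS default Tc of 4 ms for "shape average" when no Bc/Be is given

# Hub policies exactly as configured on Tunnel0 in this lab.
POLICIES = {
    "group1_parent": {"cir_bps": 64000, "child": {"ssh": 70}},
    "group2_parent": {"cir_bps": 128000, "child": {"telnet": 20}},
}


def shaper_params(cir_bps, tc_ms=TC_MS):
    """Return (bc, be) in bits for 'shape average <cir>' with no explicit Bc/Be.
    IOS derives Bc = CIR * Tc and, for shape average, sets Be equal to Bc."""
    bc = cir_bps * tc_ms // 1000
    return bc, bc


def priority_kbps(cir_bps, percent):
    """Bandwidth a 'priority percent N' class is guaranteed under a parent shaper.
    The child percentage is taken from the parent's shaped rate, not from the
    physical link, and IOS displays it in whole kbps (64000 * 70% -> 44 kbps)."""
    return (cir_bps * percent // 100) // 1000


# Assumed encapsulation overhead in bytes (see lead-in):
GRE_HEADER = 4 + 4       # base GRE header plus the 4-byte key field (tunnel key 345678)
GRE_DELIVERY_IP = 20     # IP header GRE is carried in
ESP_HEADER = 8           # SPI + sequence number
ESP_IV = 8               # 3DES-CBC initialisation vector (block size 8)
ESP_TRAILER = 2          # pad length + next header
ESP_ICV = 12             # SHA1-96 truncated HMAC
ESP_OUTER_IP = 20        # tunnel mode adds a new outer IP header
L2_HEADER = 14           # Ethernet header on the physical interface (FCS not counted)


def on_wire_size(inner_ip_len):
    """Bytes the shaper charges for one inner IP packet of inner_ip_len bytes."""
    gre_pkt = inner_ip_len + GRE_HEADER + GRE_DELIVERY_IP
    # 3DES-CBC pads (payload + trailer) up to a multiple of the 8-byte block size
    padded = -(-(gre_pkt + ESP_TRAILER) // 8) * 8
    esp_pkt = ESP_HEADER + ESP_IV + padded + ESP_ICV + ESP_OUTER_IP
    return esp_pkt + L2_HEADER


def goodput_bps(cir_bps, inner_ip_len):
    """Inner-packet payload rate a spoke actually receives when the shaper runs at cir_bps."""
    return cir_bps * inner_ip_len // on_wire_size(inner_ip_len)


if __name__ == "__main__":
    for name, p in POLICIES.items():
        bc, be = shaper_params(p["cir_bps"])
        print(f"{name}: cir {p['cir_bps']} bc {bc} be {be}")
        for cls, pct in p["child"].items():
            print(f"  {cls}: priority {pct}% = {priority_kbps(p['cir_bps'], pct)} kbps")
    for size in (64, 100, 1400):
        print(f"{size}-byte packet -> {on_wire_size(size)} bytes on the wire; "
              f"the 64 kbps shaper leaves {goodput_bps(64000, size)} bps of payload")
```

The point to take from the overhead figures: with small packets the shaper at 64 kbps passes roughly half that as useful payload, so size the parent shaper for the encapsulated traffic, not for the application rate you want the spoke to see.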

R2 (Spoke1 Config) (only the lines that differ from the DMVPN Config Example):
….
!
interface Tunnel0
ip address 10.1.5.2 255.255.255.0
ip nhrp authentication teto
/Configures an NHRP group on the spoke.
ip nhrp group spoke_group1
ip nhrp map multicast 172.22.8.1
ip nhrp map 10.1.5.1 172.22.8.1
ip nhrp network-id 1
ip nhrp nhs 10.1.5.1
tunnel source FastEthernet1/1
tunnel destination 172.22.8.1
tunnel key 345678
tunnel protection ipsec profile test
!
….

R3 (Spoke2 Config) (only the lines that differ from the DMVPN Config Example):
….
!
interface Tunnel0
ip address 10.1.5.3 255.255.255.0
ip nhrp authentication teto
/Configures an NHRP group on the spoke. Spoke2 must signal spoke_group2 so that the hub applies group2_parent, as the show output below confirms.
ip nhrp group spoke_group2
ip nhrp map multicast 172.22.8.1
ip nhrp map 10.1.5.1 172.22.8.1
ip nhrp network-id 1
ip nhrp nhs 10.1.5.1
tunnel source FastEthernet1/1
tunnel destination 172.22.8.1
tunnel key 345678
tunnel protection ipsec profile test
!

Verifying Per-Tunnel QoS for DMVPN

• show dmvpn detail: Displays detailed DMVPN information for each session, including the Next Hop Server (NHS) and NHS status, crypto session information, and socket details. Also displays the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel.
• show ip nhrp: Displays the NHRP cache and the NHRP group received from the spoke.
• show ip nhrp group-map [group-name]: Displays the group-to-policy maps configured on the hub and the tunnels on which each QoS policy is applied.
• show policy-map multipoint [tunnel tunnel-interface-number]: Displays QoS policy details applied to multipoint tunnels.
• show tunnel endpoints: Displays information about the source and destination endpoints for multipoint tunnels and the QoS policy applied on the spoke tunnel.

On the hub:

Hub#sh dmvpn detail
Legend: Attrb -> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent -> Number of NHRP entries with same NBMA peer
NHS Status: E -> Expecting Replies, R -> Responding
UpDn Time -> Up or Down Time for a Tunnel

==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.1.5.1, VRF ""
Tunnel Src./Dest. addr: 172.22.8.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "test"
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network

----- --------------- --------------- ----- -------- ----- -----------------

1     172.22.8.2        10.1.5.2    UP 00:59:14    D        10.1.5.2/32
NHRP group: spoke_group1
Output QoS service-policy applied: group1_parent

1     172.22.8.3        10.1.5.3    UP 00:58:48    D        10.1.5.3/32
NHRP group: spoke_group2
Output QoS service-policy applied: group2_parent

Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x67BB5CC0]
IKE SA: local 172.22.8.1/500 remote 172.22.8.2/500 Active
Capabilities:(none) connid:1007 lifetime:23:00:44
Crypto Session Status: UP-ACTIVE
fvrf: (none),        Phase1_id: 172.22.8.2
IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.2
Active SAs: 4, origin: crypto map
Inbound:  #pkts dec'ed 860 drop 0 life (KB/Sec) 4485148/3486
Outbound: #pkts enc'ed 876 drop 0 life (KB/Sec) 4485148/3486
Outbound SPI : 0x95974CAE, transform : esp-3des esp-sha-hmac
Socket State: Open

Interface: Tunnel0
Session: [0x67BB5BD0]
IKE SA: local 172.22.8.1/500 remote 172.22.8.3/500 Active
Capabilities:(none) connid:1008 lifetime:23:01:11
Crypto Session Status: UP-ACTIVE
fvrf: (none),        Phase1_id: 172.22.8.3
IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.3
Active SAs: 4, origin: crypto map
Inbound:  #pkts dec'ed 771 drop 0 life (KB/Sec) 4531243/3485
Outbound: #pkts enc'ed 770 drop 0 life (KB/Sec) 4531243/3485
Outbound SPI : 0x67782C16, transform : esp-3des esp-sha-hmac
Socket State: Open

Pending DMVPN Sessions:
!
Hub#sh ip nhrp
10.1.5.2/32 via 10.1.5.2
Tunnel0 created 01:00:18, expire 01:39:42
Type: dynamic, Flags: unique registered
NBMA address: 172.22.8.2
Group: spoke_group1
10.1.5.3/32 via 10.1.5.3
Tunnel0 created 00:59:51, expire 01:40:08
Type: dynamic, Flags: unique registered
NBMA address: 172.22.8.3
Group: spoke_group2
!
Hub#sh ip nhrp group-map
Interface: Tunnel0
NHRP group: spoke_group1
QoS policy: group1_parent
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
10.1.5.2/172.22.8.2

NHRP group: spoke_group2
QoS policy: group2_parent
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
10.1.5.3/172.22.8.3
!
Hub#show policy-map multipoint

Interface Tunnel0 <--> 172.22.8.2

Service-policy output: group1_parent
Class-map: class-default (match-any)
906 packets, 79049 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 16 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 64000, bc 256, be 256
target shape rate 64000

Service-policy : group1

queue stats for all priority classes:

queue limit 11 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: ssh (match-all)
47 packets, 3709 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ssh
Match: access-group name ssh
Priority: 70% (44 kbps), burst bytes 1500, b/w exceed drops: 0

Class-map: class-default (match-any)
859 packets, 75340 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

queue limit 5 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Interface Tunnel0 <--> 172.22.8.3

Service-policy output: group2_parent

Class-map: class-default (match-any)
801 packets, 70710 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 32 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 128000, bc 512, be 512
target shape rate 128000

Service-policy : group2

queue stats for all priority classes:

queue limit 6 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: telnet (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
Match: access-group name telnet
Priority: 20% (25 kbps), burst bytes 1500, b/w exceed drops: 0

Class-map: class-default (match-any)
801 packets, 70710 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

queue limit 25 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
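Reading these three outputs by eye works for two spokes; with dozens it is easy to miss a spoke that registered with a group string the hub has no mapping for (a typo on the spoke, or a group defined on only some hubs), which registers fine but gets no shaper at all. The following script is an added example written for this post, not a Cisco tool: it cross-reads the hub's "show ip nhrp", "show ip nhrp group-map" and "show policy-map multipoint" text and reports every spoke that is not carrying the policy its group maps to. The sample output is trimmed from the show commands above, with the "<-->" arrow normalised to plain ASCII.

```python
# Added example (not part of the original post): cross-check NHRP groups
# registered by spokes against the hub's group-to-policy map and the policy
# actually attached to each per-spoke tunnel instance.
import re

# Trimmed copies of the hub show output from this post (constructed samples).
SHOW_IP_NHRP = """\
10.1.5.2/32 via 10.1.5.2
   Tunnel0 created 01:00:18, expire 01:39:42
   Type: dynamic, Flags: unique registered
   NBMA address: 172.22.8.2
   Group: spoke_group1
10.1.5.3/32 via 10.1.5.3
   Tunnel0 created 00:59:51, expire 01:40:08
   Type: dynamic, Flags: unique registered
   NBMA address: 172.22.8.3
   Group: spoke_group2
"""
SHOW_GROUP_MAP = """\
Interface: Tunnel0
  NHRP group: spoke_group1
    QoS policy: group1_parent
  NHRP group: spoke_group2
    QoS policy: group2_parent
"""
SHOW_POLICY_MAP = """\
Interface Tunnel0 <--> 172.22.8.2
  Service-policy output: group1_parent
Interface Tunnel0 <--> 172.22.8.3
  Service-policy output: group2_parent
"""


def parse_nhrp(text):
    """Map each spoke's NBMA (transport) address to the NHRP group it registered, or None."""
    spokes, nbma = {}, None
    for line in text.splitlines():
        if re.match(r"\S+/\d+ via", line):      # start of a new cache entry
            nbma = None
            continue
        m = re.match(r"\s*NBMA address:\s+(\S+)", line)
        if m:
            nbma = m.group(1)
            spokes[nbma] = None                 # no Group line seen yet
            continue
        m = re.match(r"\s*Group:\s+(\S+)", line)
        if m and nbma:
            spokes[nbma] = m.group(1)
    return spokes


def parse_group_map(text):
    """Map NHRP group name -> QoS policy name configured with 'ip nhrp map group'."""
    mapping, group = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*NHRP group:\s+(\S+)", line)
        if m:
            group = m.group(1)
            continue
        m = re.match(r"\s*QoS policy:\s+(\S+)", line)
        if m and group:
            mapping[group] = m.group(1)
    return mapping


def parse_policy_map(text):
    """Map spoke NBMA address -> service-policy actually attached to that tunnel instance."""
    applied, peer = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Interface \S+ <-+> (\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.match(r"\s*Service-policy output:\s+(\S+)", line)
        if m and peer:
            applied[peer] = m.group(1)
    return applied


def audit(nhrp, group_map, policy_map):
    """Return a list of (nbma, problem); an empty list means every spoke is shaped as intended."""
    problems = []
    for nbma, group in nhrp.items():
        if group is None:
            problems.append((nbma, "spoke registered without an NHRP group; no per-tunnel policy"))
            continue
        policy = group_map.get(group)
        if policy is None:
            problems.append((nbma, f"group {group} has no ip nhrp map group on the hub"))
            continue
        if policy_map.get(nbma) != policy:
            problems.append((nbma, f"expected {policy} on the tunnel, found {policy_map.get(nbma)}"))
    return problems


def audit_text(nhrp_text, group_map_text, policy_map_text):
    return audit(parse_nhrp(nhrp_text), parse_group_map(group_map_text),
                 parse_policy_map(policy_map_text))


if __name__ == "__main__":
    findings = audit_text(SHOW_IP_NHRP, SHOW_GROUP_MAP, SHOW_POLICY_MAP)
    for nbma, problem in findings or [("-", "all registered spokes carry their mapped policy")]:
        print(nbma, problem)
```

Paste the real output of the three commands into the three strings (or read them from files) and run it; any spoke listed in the findings is either unshaped or shaped with the wrong parent policy.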
