Objective: Build a lab with a DMVPN configuration example that includes quality of service.
Background:
The Per-Tunnel QoS for DMVPN feature introduces per-tunnel quality of service (QoS) support for Dynamic Multipoint VPN (DMVPN). This feature allows you to apply a QoS policy on a DMVPN hub on a tunnel instance (per-endpoint or per-spoke basis) in the egress direction for DMVPN hub-to-spoke tunnels. The QoS policy on a DMVPN hub on a tunnel instance allows you to shape the tunnel traffic to individual spokes (parent policy) and to differentiate individual data flows going through the tunnel for policing (child policy).
-Restrictions for Per-Tunnel QoS for DMVPN
• The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
• QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
• Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
• You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.
When the Per-Tunnel QoS for DMVPN feature is enabled, queueing and shaping are performed at the outbound physical interface for generic routing encapsulation (GRE)/IPsec tunnel packets. The Per-Tunnel QoS for DMVPN feature ensures that the GRE header, the IPsec header, and the Layer 2 (for the physical interface) header are included in the packet-size calculations for shaping and bandwidth queueing of packets under QoS.
NHRP performs the provisioning for the Per-Tunnel QoS for DMVPN feature by using NHRP groups. An NHRP group, a new functionality introduced by this feature, is the group identity information signaled by a DMVPN node (a spoke) to the DMVPN hub. The hub uses this information to select a locally defined QoS policy instance for the remote node.
NHRP group-to-QoS policy mappings are configured on the hub DMVPN GRE tunnel interface. The NHRP group string received from a spoke is mapped to a QoS policy, which is applied to that hub-to-spoke tunnel in the egress direction.
Once an NHRP group is configured on a spoke, the group is not immediately sent to the hub, but is sent in the next periodic registration request. (To speed up the process, the tunnel interfaces of the spokes were shut down and brought back up so that they re-registered with the hub.)
Topology Example:
R1 (Hub Config):

!
hostname Hub
!
ip cef
!
no ip domain lookup
ip domain name cisco.com
!
username root password 0 system
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing1 address 172.22.8.2
crypto isakmp key testing2 address 172.22.8.3
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile test
 description tunnel-test
 set transform-set dmvpn
!
ip ssh version 2
!
! Class definitions. Priority for telnet to tunnel client Spoke2; priority for ssh to tunnel client Spoke1.
! For "match protocol" to work, the "ip nbar proto…" command has to be applied on the physical interface.
class-map match-all telnet
 match protocol telnet
 match access-group name telnet
class-map match-all ssh
 match protocol ssh
 match access-group name ssh
!
! Child policy for Spoke1: 70% of the shaping bandwidth defined in the parent policy for ssh.
policy-map group1
 class ssh
  priority percent 70
 class class-default
! Parent policy for Spoke1: shaping to 64 kbps.
policy-map group1_parent
 class class-default
  shape average 64000
  service-policy group1
! Child policy for Spoke2: 20% of the shaping bandwidth defined in the parent policy for telnet.
policy-map group2
 class telnet
  priority percent 20
 class class-default
! Parent policy for Spoke2: shaping to 128 kbps.
policy-map group2_parent
 class class-default
  shape average 128000
  service-policy group2
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 no ip redirects
 ip nbar protocol-discovery
 ip nhrp authentication teto
 ip nhrp map multicast dynamic
 ! Adds the NHRP group to the QoS policy mapping on the hub.
 ip nhrp map group spoke_group1 service-policy output group1_parent
 ip nhrp map group spoke_group2 service-policy output group2_parent
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1/1
 tunnel mode gre multipoint
 tunnel key 345678
 tunnel protection ipsec profile test
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.22.8.1 255.255.255.248
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip access-list extended ssh
 permit ip any any
ip access-list extended telnet
 permit ip any any
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
R2 (Spoke1 Config) (only the parts that differ from the base DMVPN config example are shown):

…
!
interface Tunnel0
 ip address 10.1.5.2 255.255.255.0
 ip nhrp authentication teto
 ! Configures an NHRP group on the spoke.
 ip nhrp group spoke_group1
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source FastEthernet1/1
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile test
!
…
R3 (Spoke2 Config) (only the parts that differ from the base DMVPN config example are shown):

…
!
interface Tunnel0
 ip address 10.1.5.3 255.255.255.0
 ip nhrp authentication teto
 ! Configures an NHRP group on the spoke. Spoke2 signals spoke_group2, which the hub
 ! maps to group2_parent (see the hub's show dmvpn detail and show ip nhrp output below).
 ip nhrp group spoke_group2
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source FastEthernet1/1
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile test
!
…
Verifying Per-Tunnel QoS for DMVPN

show dmvpn detail
    Displays detailed DMVPN information for each session, including the Next Hop Server (NHS) and NHS status, crypto session information, and socket details. Also displays the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel.

show ip nhrp
    Displays the NHRP cache and the NHRP group received from the spoke.

show ip nhrp group-map [group-name]
    Displays the group-to-policy maps configured on the hub and the tunnels on which each QoS policy is applied.

show policy-map multipoint [tunnel tunnel-interface-number]
    Displays QoS policy details applied to multipoint tunnels.

show tunnel endpoints
    Displays information about the source and destination endpoints for multipoint tunnels and the QoS policy applied on the spoke tunnel.
On the hub:
Hub#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Intferface Tunnel0 is up/up, Addr. is 10.1.5.1, VRF ""
   Tunnel Src./Dest. addr: 172.22.8.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "test"
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      172.22.8.2        10.1.5.2    UP 00:59:14     D       10.1.5.2/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent
    1      172.22.8.3        10.1.5.3    UP 00:58:48     D       10.1.5.3/32
NHRP group: spoke_group2
 Output QoS service-policy applied: group2_parent

Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x67BB5CC0]
  IKE SA: local 172.22.8.1/500 remote 172.22.8.2/500 Active
          Capabilities:(none) connid:1007 lifetime:23:00:44
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 172.22.8.2
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.2
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 860 drop 0 life (KB/Sec) 4485148/3486
        Outbound: #pkts enc'ed 876 drop 0 life (KB/Sec) 4485148/3486
   Outbound SPI : 0x95974CAE, transform : esp-3des esp-sha-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x67BB5BD0]
  IKE SA: local 172.22.8.1/500 remote 172.22.8.3/500 Active
          Capabilities:(none) connid:1008 lifetime:23:01:11
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 172.22.8.3
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.3
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 771 drop 0 life (KB/Sec) 4531243/3485
        Outbound: #pkts enc'ed 770 drop 0 life (KB/Sec) 4531243/3485
   Outbound SPI : 0x67782C16, transform : esp-3des esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

!
Hub#sh ip nhrp
10.1.5.2/32 via 10.1.5.2
   Tunnel0 created 01:00:18, expire 01:39:42
   Type: dynamic, Flags: unique registered
   NBMA address: 172.22.8.2
   Group: spoke_group1
10.1.5.3/32 via 10.1.5.3
   Tunnel0 created 00:59:51, expire 01:40:08
   Type: dynamic, Flags: unique registered
   NBMA address: 172.22.8.3
   Group: spoke_group2
!
Hub#sh ip nhrp group-map
Interface: Tunnel0
  NHRP group: spoke_group1
    QoS policy: group1_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.5.2/172.22.8.2

  NHRP group: spoke_group2
    QoS policy: group2_parent
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.5.3/172.22.8.3
!
Hub#show policy-map multipoint
Interface Tunnel0 <--> 172.22.8.2

  Service-policy output: group1_parent

    Class-map: class-default (match-any)
      906 packets, 79049 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 16 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 64000, bc 256, be 256
      target shape rate 64000

      Service-policy : group1

        queue stats for all priority classes:
          queue limit 11 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: ssh (match-all)
          47 packets, 3709 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol ssh
          Match: access-group name ssh
          Priority: 70% (44 kbps), burst bytes 1500, b/w exceed drops: 0

        Class-map: class-default (match-any)
          859 packets, 75340 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          queue limit 5 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Interface Tunnel0 <--> 172.22.8.3

  Service-policy output: group2_parent

    Class-map: class-default (match-any)
      801 packets, 70710 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 32 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 128000, bc 512, be 512
      target shape rate 128000

      Service-policy : group2

        queue stats for all priority classes:
          queue limit 6 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: telnet (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol telnet
          Match: access-group name telnet
          Priority: 20% (25 kbps), burst bytes 1500, b/w exceed drops: 0

        Class-map: class-default (match-any)
          801 packets, 70710 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          queue limit 25 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
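As the NHRP group mechanism above shows, the hub applies whatever policy is mapped to the group string the spoke itself signals: a spoke whose `ip nhrp group` is wrong lands in another spoke's shaper, and one whose group has no mapping is left unshaped. The Python audit below (added for this page, not part of the lab) parses the `show ip nhrp` and `show ip nhrp group-map` output formats shown above and compares them against an assumed per-spoke inventory; the samples are constructed, the third spoke (172.22.8.4) is invented, and Spoke2 is shown signaling spoke_group1 by mistake.

```python
import re
# Constructed "show ip nhrp" sample: .2/.3 use the page's values (Spoke2 wrongly signals
# spoke_group1); 172.22.8.4 is a made-up spoke whose group has no mapping on the hub.
SHOW_IP_NHRP = """\
10.1.5.2/32 via 10.1.5.2
   NBMA address: 172.22.8.2
   Group: spoke_group1
10.1.5.3/32 via 10.1.5.3
   NBMA address: 172.22.8.3
   Group: spoke_group1
10.1.5.4/32 via 10.1.5.4
   NBMA address: 172.22.8.4
   Group: spoke_group9
"""
# Constructed "show ip nhrp group-map" sample with the hub's two mappings.
SHOW_GROUP_MAP = """\
Interface: Tunnel0
  NHRP group: spoke_group1
    QoS policy: group1_parent
  NHRP group: spoke_group2
    QoS policy: group2_parent
"""
# Group each spoke is supposed to signal (assumed inventory, not from the page).
EXPECTED_GROUP = {"172.22.8.2": "spoke_group1", "172.22.8.3": "spoke_group2"}
def parse_nhrp_cache(text):
    """Return {nbma_addr: signaled_group_or_None} for each registered cache entry."""
    entries, nbma, group = {}, None, None
    for line in text.splitlines() + ["0.0.0.0/0 via end"]:  # sentinel flushes the last entry
        if re.match(r"\S+/\d+ via ", line):
            if nbma:
                entries[nbma] = group
            nbma, group = None, None
        elif m := re.search(r"NBMA address: (\S+)", line):
            nbma = m.group(1)
        elif m := re.search(r"Group: (\S+)", line):
            group = m.group(1)
    return entries
def parse_group_map(text):
    """Return {nhrp_group: qos_policy} from the hub's group-to-policy table."""
    return dict(re.findall(r"NHRP group: (\S+)\s+QoS policy: (\S+)", text))
def audit(cache, group_map, expected):
    """Per spoke: the policy actually applied, or why the tunnel is unshaped / misclassed."""
    report = {}
    for nbma, group in cache.items():
        if group is None or group not in group_map:
            report[nbma] = f"UNSHAPED: group {group} has no policy on the hub"
        elif expected.get(nbma, group) != group:
            report[nbma] = f"MISMATCH: {group} -> {group_map[group]}, expected {expected[nbma]}"
        else:
            report[nbma] = f"ok: {group_map[group]}"
    return report
```

Run `audit(parse_nhrp_cache(SHOW_IP_NHRP), parse_group_map(SHOW_GROUP_MAP), EXPECTED_GROUP)` against real hub output after each spoke change; a spoke with no `Group:` line at all is also reported as unshaped.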