Per-Tunnel QoS for DMVPN

Objective: Build a lab with a DMVPN configuration example that includes quality of service.

Background:

The Per-Tunnel QoS for DMVPN feature introduces per-tunnel quality of service (QoS) support for Dynamic Multipoint VPN (DMVPN). This feature allows you to apply a QoS policy on a DMVPN hub on a tunnel instance (per-endpoint or per-spoke basis) in the egress direction for DMVPN hub-to-spoke tunnels. The QoS policy on a DMVPN hub on a tunnel instance allows you to shape the tunnel traffic to individual spokes (parent policy) and to differentiate individual data flows going through the tunnel for policing (child policy).

Restrictions for Per-Tunnel QoS for DMVPN:
• The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
• QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
• Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
• You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.

When the Per-Tunnel QoS for DMVPN feature is enabled, queueing and shaping are performed at the outbound physical interface for generic routing encapsulation (GRE)/IPsec tunnel packets. The Per-Tunnel QoS for DMVPN feature ensures that the GRE header, the IPsec header, and the Layer 2 (for the physical interface) header are included in the packet-size calculations for shaping and bandwidth queueing of packets under QoS.

NHRP performs the provisioning for the Per-Tunnel QoS for DMVPN feature by using NHRP groups. An NHRP group, a new functionality introduced by this feature, is the group identity information signaled by a DMVPN node (a spoke) to the DMVPN hub. The hub uses this information to select a locally defined QoS policy instance for the remote node.

NHRP group-to-QoS policy mappings are configured on the hub DMVPN GRE tunnel interface. The NHRP group string received from a spoke is mapped to a QoS policy, which is applied to that hub-to-spoke tunnel in the egress direction.

Once an NHRP group is configured on a spoke, the group is not immediately sent to the hub, but is sent in the next periodic registration request. (To speed this up in the lab, the spokes' tunnel interfaces were shut down so that they would re-register with the hub.)

Topology Example:

R1 (Hub Config):
!
hostname Hub
!
ip cef
!
no ip domain lookup
ip domain name cisco.com
!
username root password 0 system
!
ip ssh version 2
!
! Class definitions. Priority for telnet to tunnel client Spoke2; priority for ssh to tunnel client Spoke1.
! For "match protocol" to work, the ip nbar proto… command has to be applied on the physical interface.
class-map match-all telnet
 match protocol telnet
 match access-group name telnet
class-map match-all ssh
 match protocol ssh
 match access-group name ssh
!
! Child policy for Spoke1. 70% of the shaping bandwidth defined in the parent policy for ssh.
policy-map group1
 class ssh
  priority percent 70
 class class-default
!
! Parent policy for Spoke1. Shaping to 64 kbps; the child policy is nested under class-default.
policy-map group1_parent
 class class-default
  shape average 64000
  service-policy group1
!
! Child policy for Spoke2. 20% of the shaping bandwidth defined in the parent policy for telnet.
policy-map group2
 class telnet
  priority percent 20
 class class-default
!
! Parent policy for Spoke2. Shaping to 128 kbps.
policy-map group2_parent
 class class-default
  shape average 128000
  service-policy group2
!
! ISAKMP policy and pre-shared keys for the two spokes.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing1 address 172.22.8.2
crypto isakmp key testing2 address 172.22.8.3
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile test
 description tunnel-test
 set transform-set dmvpn
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.0
 no ip redirects
 ip nbar protocol-discovery
 ip nhrp authentication teto
 ip nhrp map multicast dynamic
 ! Adds the NHRP group to the QoS policy mapping on the hub.
 ip nhrp map group spoke_group1 service-policy output group1_parent
 ip nhrp map group spoke_group2 service-policy output group2_parent
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1/1
 tunnel mode gre multipoint
 tunnel key 345678
 tunnel protection ipsec profile test
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.22.8.1 255.255.255.248
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
! The ACLs match everything; classification is effectively done by NBAR "match protocol".
ip access-list extended ssh
 permit ip any any
ip access-list extended telnet
 permit ip any any
!
line vty 0 4
 login local
 transport input telnet ssh
!
end

R2 (Spoke1 Config) (differs from the DMVPN Config Example):
…
!
interface Tunnel0
 ip address 10.1.5.2 255.255.255.0
 ip nhrp authentication teto
 ! Configures the NHRP group on the spoke; the hub maps it to group1_parent.
 ip nhrp group spoke_group1
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source FastEthernet1/1
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile test
!
…

R3 (Spoke2 Config) (differs from the DMVPN Config Example):
…
!
interface Tunnel0
 ip address 10.1.5.3 255.255.255.0
 ip nhrp authentication teto
 ! Configures the NHRP group on the spoke; the hub maps spoke_group2 to group2_parent
 ! (the hub output below confirms this spoke signals spoke_group2).
 ip nhrp group spoke_group2
 ip nhrp map multicast 172.22.8.1
 ip nhrp map 10.1.5.1 172.22.8.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.5.1
 tunnel source FastEthernet1/1
 tunnel destination 172.22.8.1
 tunnel key 345678
 tunnel protection ipsec profile test
!
…

Verifying Per-Tunnel QoS for DMVPN:

• show dmvpn detail: Displays detailed DMVPN information for each session, including the Next Hop Server (NHS) and NHS status, crypto session information, and socket details. Also displays the NHRP group received from the spoke and the QoS policy applied to the spoke tunnel.
• show ip nhrp: Displays the NHRP cache and the NHRP group received from the spoke.
• show ip nhrp group-map [group-name]: Displays the group-to-policy maps configured on the hub and the tunnels on which each QoS policy is applied.
• show policy-map multipoint [tunnel tunnel-interface-number]: Displays the QoS policy details applied to multipoint tunnels.
• show tunnel endpoints: Displays information about the source and destination endpoints for multipoint tunnels and the QoS policy applied on the spoke tunnel.

On the hub:

Hub#sh dmvpn detail 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
	N - NATed, L - Local, X - No Socket
	# Ent --> Number of NHRP entries with same NBMA peer
	NHS Status: E --> Expecting Replies, R --> Responding
	UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Intferface Tunnel0 is up/up, Addr. is 10.1.5.1, VRF "" 
   Tunnel Src./Dest. addr: 172.22.8.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "test" 
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     172.22.8.2        10.1.5.2    UP 00:59:14    D        10.1.5.2/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent

    1     172.22.8.3        10.1.5.3    UP 00:58:48    D        10.1.5.3/32
NHRP group: spoke_group2
 Output QoS service-policy applied: group2_parent

Crypto Session Details: 
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x67BB5CC0]
  IKE SA: local 172.22.8.1/500 remote 172.22.8.2/500 Active 
          Capabilities:(none) connid:1007 lifetime:23:00:44
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none),	Phase1_id: 172.22.8.2
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.2 
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 860 drop 0 life (KB/Sec) 4485148/3486
        Outbound: #pkts enc'ed 876 drop 0 life (KB/Sec) 4485148/3486
   Outbound SPI : 0x95974CAE, transform : esp-3des esp-sha-hmac 
    Socket State: Open

Interface: Tunnel0
Session: [0x67BB5BD0]
  IKE SA: local 172.22.8.1/500 remote 172.22.8.3/500 Active 
          Capabilities:(none) connid:1008 lifetime:23:01:11
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none),	Phase1_id: 172.22.8.3
  IPSEC FLOW: permit 47 host 172.22.8.1 host 172.22.8.3 
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 771 drop 0 life (KB/Sec) 4531243/3485
        Outbound: #pkts enc'ed 770 drop 0 life (KB/Sec) 4531243/3485
   Outbound SPI : 0x67782C16, transform : esp-3des esp-sha-hmac 
    Socket State: Open
Pending DMVPN Sessions:
!
Hub#sh ip nhrp
10.1.5.2/32 via 10.1.5.2
   Tunnel0 created 01:00:18, expire 01:39:42
   Type: dynamic, Flags: unique registered 
   NBMA address: 172.22.8.2 
   Group: spoke_group1
10.1.5.3/32 via 10.1.5.3
   Tunnel0 created 00:59:51, expire 01:40:08
   Type: dynamic, Flags: unique registered 
   NBMA address: 172.22.8.3 
   Group: spoke_group2
!

Hub#sh ip nhrp group-map
Interface: Tunnel0
 NHRP group: spoke_group1
  QoS policy: group1_parent
  Tunnels using the QoS policy:
  Tunnel destination overlay/transport address
  10.1.5.2/172.22.8.2

 NHRP group: spoke_group2
  QoS policy: group2_parent
  Tunnels using the QoS policy:
  Tunnel destination overlay/transport address
  10.1.5.3/172.22.8.3
!

Hub#show policy-map multipoint

Interface Tunnel0 <--> 172.22.8.2

  Service-policy output: group1_parent

    Class-map: class-default (match-any)
      906 packets, 79049 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Queueing
      queue limit 16 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 64000, bc 256, be 256
      target shape rate 64000

      Service-policy : group1

        queue stats for all priority classes:
          
          queue limit 11 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          
        Class-map: ssh (match-all)
          47 packets, 3709 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol ssh
          Match: access-group name ssh
          Priority: 70% (44 kbps), burst bytes 1500, b/w exceed drops: 0
          

        Class-map: class-default (match-any)
          859 packets, 75340 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any 
          
          queue limit 5 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Interface Tunnel0 <--> 172.22.8.3

  Service-policy output: group2_parent

    Class-map: class-default (match-any)
      801 packets, 70710 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Queueing
      queue limit 32 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 128000, bc 512, be 512
      target shape rate 128000

      Service-policy : group2

        queue stats for all priority classes:
          
          queue limit 6 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: telnet (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol telnet
          Match: access-group name telnet
          Priority: 20% (25 kbps), burst bytes 1500, b/w exceed drops: 0
          
        Class-map: class-default (match-any)
          801 packets, 70710 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any 
          
          queue limit 25 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

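As an added check that is not part of the original lab: a Python script that parses the peer table of the hub's "show dmvpn detail" output and compares each spoke's signalled NHRP group and applied policy against the intended mapping, so a spoke that signals the wrong group (and therefore gets the wrong shaper, or none at all) is flagged. The expected-group table and the sample output are constructed for this example; the group-to-policy map is taken from the hub configuration above.

```python
import re

# Group-to-policy map, taken from the hub's "ip nhrp map group ... service-policy output ..." lines.
GROUP_TO_POLICY = {"spoke_group1": "group1_parent", "spoke_group2": "group2_parent"}
# Which NHRP group each spoke (by NBMA/transport address) is meant to signal: the lab's intent, assumed here.
EXPECTED_GROUP = {"172.22.8.2": "spoke_group1", "172.22.8.3": "spoke_group2"}

PEER_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
GROUP_RE = re.compile(r"^\s*NHRP group:\s*(\S+)")
POLICY_RE = re.compile(r"^\s*Output QoS service-policy applied:\s*(\S+)")

def parse_dmvpn_detail(text):
    """Map each peer NBMA address to its tunnel address, state, signalled NHRP group and applied policy."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers[current] = {"tunnel": m.group(2), "state": m.group(3), "group": None, "policy": None}
        elif current and (m := GROUP_RE.match(line)):
            peers[current]["group"] = m.group(1)
        elif current and (m := POLICY_RE.match(line)):
            peers[current]["policy"] = m.group(1)
    return peers

def audit(peers):
    """Return findings as strings; an empty list means every spoke received the intended shaper."""
    findings = []
    for nbma, info in sorted(peers.items()):
        want_group = EXPECTED_GROUP.get(nbma)
        if want_group is None:
            findings.append(f"{nbma}: spoke not in the expected-group table")
        elif info["group"] is None:
            findings.append(f"{nbma}: no NHRP group signalled, so no per-tunnel policy is applied")
        elif info["group"] != want_group:
            findings.append(f"{nbma}: signalled {info['group']}, expected {want_group}")
        if info["group"] and info["policy"] != GROUP_TO_POLICY.get(info["group"]):
            findings.append(f"{nbma}: policy {info['policy']} applied, expected {GROUP_TO_POLICY.get(info['group'])}")
    return findings

# Constructed sample: the hub's peer table with Spoke2 (172.22.8.3) mistakenly signalling spoke_group1.
SAMPLE = """\
    1     172.22.8.2        10.1.5.2    UP 00:59:14    D        10.1.5.2/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent

    1     172.22.8.3        10.1.5.3    UP 00:58:48    D        10.1.5.3/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent
"""
```

Run audit(parse_dmvpn_detail(text)) on the full "show dmvpn detail" output; on the constructed sample it reports one finding, that 172.22.8.3 signalled spoke_group1 instead of spoke_group2.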