Welcome to the Network Engineering Domain
Pape O. Fall's Blog

DMVPN Per-Tunnel QoS

One of the benefits of a DMVPN network is that the encrypted tunnels are built on top of DIA circuits more often than not. In that sense, the remote sites typically defer in terms of circuit bandwidth. Per-Tunnel QoS is an effective way to apply QoS policies on the hub router(s) on a per-tunnel instance to all remote sites via NHRP registration. I’ll show you how.

We will be working with the following setup:

 

 

Here, we have a DMVPN network with a single hub and 2 spokes. Spoke 1 has a bandwidth of 100Mbps while Spoke 2 has a bandwidth of 50Mbps. We will be prioritizing voice and SSH traffic for the sake of this lab.

The way it works is that we will need to create different QoS policies and tie them to distinct NHRP group. Under those NHRP groups, we will reference the bandwidth of our remote sites and that’s how we’ll know what NHRP group to point which remote site to.

The DMVPN configuration is already in place and we have DMVPN sessions between the hub and the spokes.

HUB1-RTR#sh ip nhrp brief 
   Target             Via            NBMA           Mode   Intfc   Claimed 
     172.16.100.2/32 172.16.100.2    3.3.3.254       dynamic  Tu100   10.100.30.1
     172.16.100.3/32 172.16.100.3    4.4.4.100       dynamic  Tu100   10.100.40.1
HUB1-RTR#
HUB1-RTR#sh dmvpn detail  
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel100 is up/up, Addr. is 172.16.100.1, VRF "" 
   Tunnel Src./Dest. addr: 10.100.10.1/MGRE, Tunnel VRF "DMVPN"
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PROFILE" 
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 NHS:
172.16.100.1   E priority = 0 cluster = 0
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 3.3.3.254          172.16.100.2    UP 01:22:32   DN    172.16.100.2/32
               Claimed Addr. 10.100.30.1
    1 4.4.4.100          172.16.100.3    UP 01:22:32   DN    172.16.100.3/32
               Claimed Addr. 10.100.40.1
          

Crypto Session Details: 
--------------------------------------------------------------------------------

Interface: Tunnel300 Tunnel100 
Session: [0xC39AEC18]
  Session ID: 0  
  IKEv1 SA: local 10.100.10.1/4500 remote 3.3.3.254/4500 Active 
          Capabilities:DN connid:1002 lifetime:22:37:17
  Crypto Session Status: UP-ACTIVE     
  fvrf: DMVPN,  Phase1_id: 10.100.30.1
  IPSEC FLOW: permit 47 host 10.100.10.1 host 3.3.3.254 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1100 drop 0 life (KB/Sec) 4268315/2068
        Outbound: #pkts enc'ed 1100 drop 0 life (KB/Sec) 4268315/2068
   Outbound SPI : 0xE54F159B, transform : esp-aes 
    Socket State: Open

Interface: Tunnel300 Tunnel100 
Session: [0xC39AED10]
  Session ID: 0  
  IKEv1 SA: local 10.100.10.1/4500 remote 4.4.4.100/4500 Active 
          Capabilities:DN connid:1001 lifetime:22:37:27
  Crypto Session Status: UP-ACTIVE     
  fvrf: DMVPN,  Phase1_id: 10.100.40.1
  IPSEC FLOW: permit 47 host 10.100.10.1 host 4.4.4.100 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1102 drop 0 life (KB/Sec) 4221570/2095
        Outbound: #pkts enc'ed 1102 drop 0 life (KB/Sec) 4221570/2095
   Outbound SPI : 0xDBABF0BD, transform : esp-aes 
    Socket State: Open

Pending DMVPN Sessions:

Interface: Tunnel300 Tunnel100 
  Crypto Session Status: DOWN
  fvrf: DMVPN,    IPSEC FLOW: permit 47 host 10.100.10.1 host 2.2.2.100 
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 1068 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform : 
    Socket State: Closed



HUB1-RTR#

Here, you can see that both spokes are pointing to the hub. Let’s see what the QoS configuration looks like.

HUB1-RTR(config)#access-list 100 permit tcp any any eq 22
HUB1-RTR(config)#access-list 100 permit tcp any eq 22 any

Here, we’re creating extended ACLs and matching on any source or destination on port TCP/22.

Next, we will need to create our class-maps.

class-map match-all SSH
 match access-group 100
class-map match-all VOICE
 match protocol rtp

Notice how the SSH class-map makes a remote call to the ACLs we’ve created. Also, note here that we used NBAR to match on voice traffic. The RTP protocol stands for “Real Time Protocol”. Next we will need to configure our policy-maps.

policy-map RTLEAK-DMVPN
 class VOICE
  set dscp ef
 class SSH
  set dscp cs3
!
!
!
policy-map SHAPE-50Mbps
 class class-default
  shape average 50000000
   service-policy RTLEAK-DMVPN
!
!
!
policy-map SHAPE-100Mbps
 class class-default
  shape average 100000000
   service-policy RTLEAK-DMVPN

We created a parent policy-map called “RTLEAK-DMVPN” which set voice traffic with a DSCP value of 46 which is for EF (Expedited Forwarding) and SSH with DSCP value of 24 which is CS3.

The policy-map called “SHAPE-50Mbps” shapes all traffic in the class-default class-map to 50Mbps and the one called “SHAPE-100Mbps” also shapes all traffic in the class-default class-map to 100Mbps. Notice how within within the shaper, we chained them both to the parent policy-map “RTLEAK-DMVPN” where we defined what traffic to match on and what action to perform.

Our next step is to map the QoS policies to NHRP groups. Let me show you how it’s done.

HUB1-RTR#sh run int tu100
Building configuration...

Current configuration : 646 bytes
!
interface Tunnel100
 description ***** HUB1 *****
 ip address 172.16.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1001
 no ip split-horizon eigrp 1001
 ip nhrp authentication RT-L3AK
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.100.1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 4000
 nhrp map group SHAPE-100M service-policy output SHAPE-100Mbps
 nhrp map group SHAPE-50M service-policy output SHAPE-50Mbps
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf DMVPN
 tunnel protection ipsec profile DMVPN_PROFILE shared
end

HUB1-RTR#

Here, we have 2 NHRP groups called “SHAPE-100M” and “SHAPE-50M”. These are respectively stitched to the following policy-maps “SHAPE-100Mbps” and “SHAPE-50Mbps”. Note that in some IOS, you’ll need the keyword “IP” before the above commands. This is pretty much all we need at the hub side. Let’s now head to the spokes.

SPOKE1-RTR#sh run int tu100
Building configuration...

Current configuration : 520 bytes
!
interface Tunnel100
 description **** DMVPN SPOKE1 - HUB1 ****
 ip address 172.16.100.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication RT-L3AK
 ip nhrp map multicast 1.1.1.100
 ip nhrp map 172.16.100.1 1.1.1.100
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.100.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 nhrp group SHAPE-100M
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf DMVPN
 tunnel protection ipsec profile DMVPN_PROFILE shared
SPOKE2-RTR#sh run int tu100
Building configuration...

Current configuration : 519 bytes
!
interface Tunnel100
 description **** DMVPN SPOKE1 - HUB1 ****
 ip address 172.16.100.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication RT-L3AK
 ip nhrp map multicast 1.1.1.100
 ip nhrp map 172.16.100.1 1.1.1.100
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.100.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 nhrp group SHAPE-50M
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf DMVPN
 tunnel protection ipsec profile DMVPN_PROFILE shared

Here, we have successfully configured the appropriate NHRP group on the spoke routers. Remember that Spoke 1 has a bandwidth of 100Mbps and Spoke 2 is running on 50Mbps. When the spokes register with the hub, the NHRP group is including in the registration request which subsequently apply the QoS policies accordingly.

Next, let’s clear the DMVPN sessions and initiate the tunnel again. Let’s do that on the hub router.

HUB1-RTR#clear dmvpn session 
HUB1-RTR#
HUB1-RTR#
HUB1-RTR#sh dmvpn            
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel100, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 3.3.3.254          172.16.100.2    UP 00:00:00    DN
     1 4.4.4.100          172.16.100.3    UP 00:00:00    DN

Very well ! That’d be all we need. Let’s make sure what we’ve configured is actually matching on the traffic we want. In this case, I’ll simply test SSH access. First, let’s look at the policies at the hub side.

HUB1-RTR#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel100 is up/up, Addr. is 172.16.100.1, VRF "" 
   Tunnel Src./Dest. addr: 10.100.10.1/MGRE, Tunnel VRF "DMVPN"
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PROFILE" 
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 NHS:
172.16.100.1   E priority = 0 cluster = 0
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 3.3.3.254          172.16.100.2    UP 00:02:33   DN    172.16.100.2/32
               Claimed Addr. 10.100.30.1
NHRP group: SHAPE-100M
 Output QoS service-policy applied: SHAPE-100Mbps
    1 4.4.4.100          172.16.100.3    UP 00:02:33   DN    172.16.100.3/32
               Claimed Addr. 10.100.40.1
NHRP group: SHAPE-50M
 Output QoS service-policy applied: SHAPE-50Mbps


Crypto Session Details: 
--------------------------------------------------------------------------------

Interface: Tunnel300 Tunnel100 
Session: [0xC39AEF00]
  Session ID: 0  
  IKEv1 SA: local 10.100.10.1/4500 remote 3.3.3.254/4500 Active 
          Capabilities:DN connid:1002 lifetime:21:42:44
  Crypto Session Status: UP-ACTIVE     
  fvrf: DMVPN,  Phase1_id: 10.100.30.1
  IPSEC FLOW: permit 47 host 10.100.10.1 host 3.3.3.254 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 37 drop 0 life (KB/Sec) 4218130/3446
        Outbound: #pkts enc'ed 35 drop 0 life (KB/Sec) 4218130/3446
   Outbound SPI : 0x5912BF73, transform : esp-aes 
    Socket State: Open

Interface: Tunnel300 Tunnel100 
Session: [0xC39AEE08]
  Session ID: 0  
  IKEv1 SA: local 10.100.10.1/4500 remote 4.4.4.100/4500 Active 
          Capabilities:DN connid:1001 lifetime:21:42:54
  Crypto Session Status: UP-ACTIVE     
  fvrf: DMVPN,  Phase1_id: 10.100.40.1
  IPSEC FLOW: permit 47 host 10.100.10.1 host 4.4.4.100 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 34 drop 0 life (KB/Sec) 4209094/3446
        Outbound: #pkts enc'ed 35 drop 0 life (KB/Sec) 4209094/3446
   Outbound SPI : 0xAD3209AE, transform : esp-aes 
    Socket State: Open

Pending DMVPN Sessions:

Interface: Tunnel300 Tunnel100 
  Crypto Session Status: DOWN
  fvrf: DMVPN,    IPSEC FLOW: permit 47 host 10.100.10.1 host 2.2.2.100 
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 1774 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform : 
    Socket State: Closed

This is good so far as we can see both the NHRP groups and the policy-maps via the “sh dmvpn det” at the hub side. Let’s check our traffic count.

HUB1-RTR#sh policy-map multipoint tunnel 100
 
Interface Tunnel100 <--> 3.3.3.254 

  Service-policy output: SHAPE-100Mbps

    Class-map: class-default (match-any)  
      72 packets, 6760 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 71/10654
      shape (average) cir 100000000, bc 400000, be 400000
      target shape rate 100000000

      Service-policy : RTLEAK-DMVPN

        Class-map: VOICE (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol rtp
          QoS Set
            dscp ef
              Packets marked 0

        Class-map: SSH (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 100
          QoS Set
            dscp cs3
              Packets marked 0

        Class-map: class-default (match-any)  
          72 packets, 6760 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any 
 
Interface Tunnel100 <--> 4.4.4.100 

  Service-policy output: SHAPE-50Mbps

    Class-map: class-default (match-any)  
      71 packets, 6563 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 71/10654
      shape (average) cir 50000000, bc 200000, be 200000
      target shape rate 50000000

      Service-policy : RTLEAK-DMVPN

        Class-map: VOICE (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol rtp
          QoS Set
            dscp ef
              Packets marked 0

        Class-map: SSH (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 100
          QoS Set
            dscp cs3
              Packets marked 0

        Class-map: class-default (match-any)  
          71 packets, 6563 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any 
HUB1-RTR#

Here notice that we have not matched against any SSH or voice traffic. Let’s initiate a SSH session from the hub to the Spoke1 and check our counters again.

HUB1-RTR#ssh -l rtleak 172.16.100.2
Password: 

SPOKE1-RTR#

Here, we’ve successfully SSH to Spoke 1 from the Hub. Let’s check our counters again.

HUB1-RTR#sh policy-map multipoint tunnel 100 3.3.3.254
 
Interface Tunnel100 <--> 3.3.3.254 

  Service-policy output: SHAPE-100Mbps

    Class-map: class-default (match-any)  
      252 packets, 23616 bytes
      5 minute offered rate 1000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 251/38054
      shape (average) cir 100000000, bc 400000, be 400000
      target shape rate 100000000

      Service-policy : RTLEAK-DMVPN

        Class-map: VOICE (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol rtp
          QoS Set
            dscp ef
              Packets marked 0

        Class-map: SSH (match-all)  
          54 packets, 5184 bytes
          5 minute offered rate 1000 bps, drop rate 0000 bps
          Match: access-group 100
          QoS Set
            dscp cs3
              Packets marked 54

        Class-map: class-default (match-any)  
          198 packets, 18432 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any

Very good ! This is what we expected to see. In this instance, SSH traffic will be shaped up to 100Mbps per the actions defined in the parent policy-map.

This is the most scalable approach to deploy QoS in DMVPN networks as you can tie many spokes to the same NHRP group.

That’s all I have for you today.

Classification: USE CASES
Posted On: 2019/02/23

Leave a Reply

Your email address will not be published. Required fields are marked *

A Little About Myself

Hello I'm Pape. My friends call me Pop. I'm CCIE #48357. I enjoy my field and love to share it with others. I love to write so I'm sharing my blog with you.

Sign up to receive notifications and updates whenever new topics or videos are uploaded!

RouteLeak Calendar

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  
© Copyright 2024 @ RouteLeak