10-13-2016 01:48 AM - edited 03-05-2019 07:15 AM
Hello community,
I have an interesting case. The task is to police some bad traffic in a DMVPN network. The DMVPN Hub is ASR1001-X, currently running IOS 3.16.3S.
I configured the ASR with the following steps:
1. Configure QoS for port-channels and Policy-map statistics:
platform qos port-channel-aggregate 1
platform qos match-statistics per-filter
2. Define the bad traffic with an access-list:
ip access-list extended BRANCH_QOS_ACL
 remark bad_server_1
 permit ip host 192.168.1.1 any
 remark bad_server_2
 permit ip host 192.168.1.2 any
3. Define a class-map for bad traffic:
class-map match-any BRANCH_QOS_CLASS
 match access-group name BRANCH_QOS_ACL
4. Define a child policy-map with police statement:
policy-map CHILD_QOS_POLICY
 class BRANCH_QOS_CLASS
  police 20000000
5. Define a parent policy-map with class-default and shaper:
policy-map PARENT_QOS_TUNNEL_POLICY
 class class-default
  shape average 100000000
  service-policy CHILD_QOS_POLICY
6. Define a shaper for the physical interface:
policy-map WAN_INTERFACE_Po1_SHAPE
 class class-default
  shape average 2000000000
7. Apply the shaper for the physical interface:
interface Port-channel1.100
 service-policy output WAN_INTERFACE_Po1_SHAPE
8. Apply the policy-map on the DMVPN Tunnel interface (tunnel source is loopback, tunnel destination is multipoint):
interface Tunnel1
 nhrp map group QOS-GROUP-100MBPS service-policy output PARENT_QOS_TUNNEL_POLICY
This is the QoS related configuration on the DMVPN Hub router. When one spoke registers to the DMVPN with the group QOS-GROUP-100MBPS, everything works fine. The counters in the show policy-map multipoint output show the packets for each class of traffic.
The problem happens when I try to add the same policies on the second DMVPN interface on the router, which is routed from the second sub-interface of the Port-channel 1. Then the counters freeze and the QoS stops working. The physical interface policy-map counters are OK.
This is not a counters-related problem. I tested the QoS and it doesn't work. After it hangs once, it can't be turned on again until I restart the router.
Does anyone have some experience with such configurations?
ASR1001-X#show policy-map target
Port-channel1.100
Service-policy output: WAN_INTERFACE_Po1_SHAPE
Class-map: class-default (match-any)
825975 packets, 845474427 bytes
5 minute offered rate 13444000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 8333 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 700543/825312271
shape (average) cir 2000000000, bc 8000000, be 8000000
target shape rate 2000000000
Interface Tunnel1 <--> xx.xx.xx.xx
Service-policy output: PARENT_QOS_TUNNEL_POLICY
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 8333 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 2000000000, bc 8000000, be 8000000
target shape rate 2000000000
Service-policy : CHILD_QOS_POLICY
Class-map: BRANCH_QOS_CLASS (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name BRANCH_QOS_CLASS
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 20000000 bps, bc 9972 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
10-13-2016 03:07 AM
The following is also interesting. When a completely new policy is created and applied, it is not shown in the show platform hardware qfp active feature qos config output all output.
Only the policies that were configured before the problem are shown:
ASR1001-X#show platform hardware qfp active feature qos config output all
Interface: Port-channel1.100, QFP if_h: 18, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: WAN_INTERFACE_Po1_SHAPE, Policy id: 15903824
Parent Class Idx: 0, Parent Class ID: 0
IF Tgt#: 0, ifh: 18, member_ifh: 0, link_idx: 0
Interface: Port-channel1.459, QFP if_h: 19, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: WAN_INTERFACE_Po1_SHAPE, Policy id: 15903824
Parent Class Idx: 0, Parent Class ID: 0
IF Tgt#: 0, ifh: 19, member_ifh: 0, link_idx: 0
Interface: DmvpnSpoke6422545, QFP if_h: 26, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: BRANCH_QOS_TUNNEL_POLICY, Policy id: 8793264
Parent Class Idx: 0, Parent Class ID: 0
IF Tgt#: 0, ifh: 26, member_ifh: 0, link_idx: 0
Hierarchy level: 1, Num matching iftgts: 1
Policy name: BRANCH_QOS_POLICY, Policy id: 2340848
Parent Class Idx: 0, Parent Class ID: 1593
Parent class name: class-default
IF Tgt#: 0, ifh: 26, member_ifh: 0, link_idx: 0
Interface: DmvpnSpoke6422546, QFP if_h: 27, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: Branch2_QOS_TUNNEL_POLICY, Policy id: 7325664
Parent Class Idx: 0, Parent Class ID: 0
IF Tgt#: 0, ifh: 27, member_ifh: 0, link_idx: 0
Hierarchy level: 1, Num matching iftgts: 1
Policy name: Branch2_QOS_POLICY, Policy id: 7142560
Parent Class Idx: 0, Parent Class ID: 1593
Parent class name: class-default
IF Tgt#: 0, ifh: 27, member_ifh: 0, link_idx: 0
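The check described in the reply above, as an added example that is not part of the original thread: it parses the QFP QoS output into interface, hierarchy level and policy name, then lists the configured policy-map names that the data plane does not report. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the "show platform hardware qfp active
# feature qos config output all" output quoted in the post above.
SAMPLE_QFP = """\
Interface: Port-channel1.100, QFP if_h: 18, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: WAN_INTERFACE_Po1_SHAPE, Policy id: 15903824
Interface: DmvpnSpoke6422545, QFP if_h: 26, Num Targets: 1
Target: Out, Num UIDBs: 1
UIDB #: 0
Hierarchy level: 0, Num matching iftgts: 1
Policy name: BRANCH_QOS_TUNNEL_POLICY, Policy id: 8793264
Hierarchy level: 1, Num matching iftgts: 1
Policy name: BRANCH_QOS_POLICY, Policy id: 2340848
Parent class name: class-default
"""

IFACE_RE = re.compile(r"^\s*Interface:\s*([^,\s]+)")
LEVEL_RE = re.compile(r"^\s*Hierarchy level:\s*(\d+)")
POLICY_RE = re.compile(r"^\s*Policy name:\s*([^,\s]+)")

def parse_qfp_policies(text):
    """Return {interface: {hierarchy_level: policy_name}} from QFP QoS output."""
    result, iface, level = {}, None, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface, level = m.group(1), None      # new interface block starts
            result[iface] = {}
        elif m := LEVEL_RE.match(line):
            level = int(m.group(1))              # 0 = parent, 1 = child policy
        elif (m := POLICY_RE.match(line)) and iface is not None and level is not None:
            result[iface][level] = m.group(1)
    return result

def missing_policies(expected, text):
    """Policy-map names from the running config that the QFP output does not list."""
    programmed = {name for levels in parse_qfp_policies(text).values()
                  for name in levels.values()}
    return sorted(set(expected) - programmed)

if __name__ == "__main__":
    # Policy-map names taken from the configuration in the first post.
    expected = ["WAN_INTERFACE_Po1_SHAPE", "PARENT_QOS_TUNNEL_POLICY", "CHILD_QOS_POLICY"]
    for name in missing_policies(expected, SAMPLE_QFP):
        print("not programmed in QFP:", name)
```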