cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1258
Views
0
Helpful
13
Replies

DMVPN / Tunnel configuration

willicac54
Level 1
Level 1

I am New to configuring DMVPN, currently assisting on configuring prioritization of networks over a vpn tunnel. How do I configure the router to prioritize a network over the tunnel?

Basically I want to prioritize the following over the vpn tunnel 0.

Prioritization for Destination Network:
10.255.0.0/24 - any
10.255.4.0/24 - any
174.128.1.0/24 – HTTPS and HTTP 

interface Tunnel0
description DMVPN
ip address 10.255.14.231 255.255.254.0 tunnel ip for each location
no ip redirects
ip mtu 1400
ip nhrp authentication senior
ip nhrp map 10.255.14.1 38.69.52.4
ip nhrp map multicast 38.69.52.4
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.255.14.1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
keepalive 5 3
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint

13 Replies 13

Philip D'Ath
VIP Alumni
VIP Alumni

Are you referring to QoS here - where you want those networks to get a larger share of the bandwidth; or are you referring to routing and you want those networks to go over the tunnel in preference to some other path?

Hi Phil,

larger share of the bandwidth

We will need to create a hierarchical policy.  How much bandwidth is there on the circuit?

Not sure how much bandwidth yet, can you give an example on how the configuration would look like

Is GigabitEthernet0/0/1 dedicated to DMVPN, or is it shared for other purposes as well (aka normal Internet traffic goes through it as well)?

It is for DMVPN and internet as well

What about using Policy Based Routing with Route-Maps?

Any suggestions to make it work are welcome

That changes where the traffic will go, but not the "priority" of the traffic.

OK.  I guess I'm not sure of the objective.

I was thinking we just want to prioritize that traffic to go over the DMVPN connection, but use a different route if the DMVPV connection isn't available.

So you would do two standard access lists with permit statements for

10.255.0.0/24 - any
10.255.4.0/24 - any

Then an extended access list :

ip access-list extended HTTP-TRAFFIC permit ip 174.128.1.0 0.0.0.255 any eq 80 443

Then

route-map [NAME] permit 10

match ip address [ACL 1]

set ip next-hop [I think you would use the local ip from the nhrp map, but I'm not sure]

Then repeat that for each of the other two ACLs, e.g "route-map [NAME] permit 20"

In that case, I recommend using DSCP markings.

First create a top level policy limiting the bandwidth to the actual circuit capacity.  This example is for a 50Mb/s circuit.  This goes on Gig0/0/1.

policy-map pm-Gi001
  class class-default
    shape average 50000000
    service-policy pm-QoS

Then a sub-policy.  This is a generic QoS policy I use.

policy-map pm-QoS
  class cm-qos-voice
    priority percent 33
  class cm-qos-call-signalling
    bandwidth percent 5
  class cm-qos-critical-data
    bandwidth percent 36
  class cm-qos-scavenger
    bandwidth percent 1
  class class-default
    bandwidth percent 25
    fair-queue 512
    queue-limit 1024 packets

Now the class definitions for our network wide QoS policy.

class-map match-any cm-qos-voice
  match ip dscp ef
class-map match-any cm-qos-scavenger
  match ip dscp cs1
class-map match-any cm-qos-critical-data
  match ip dscp cs6
  match ip dscp af21 af22
  match ip dscp cs2
class-map match-any cm-qos-call-signalling
  match ip dscp cs3
  match ip dscp af31

Now on your DMVPN tunnel tell it preserve/copy the QoS marking so we can process it after encapsulation.

interface Tunnel 0
 qos pre-classify

Now we can QoS process traffic weather it is Internet traffic, DMVPN traffic, or anything else that flows through this interface.

Anything that you put into cm-qos-scavenger can use all free bandwidth, but is the first to get discarded.  So great for large file transfers, replication, etc.

Business critical traffic, aka your traffic, should go into cm-qos-critical-data.  You can mark this on the switch interfaces that kit is plugged into, or mark it as it enters the lan side interface on the router.  For example, for vlan1:

access-list 101 permit ip any 10.255.0.0 0.255.255.255
access-list 101 permit ip any 10.255.4.0 0.255.255.255
access-list 101 permit tcp any 174.128.1.0 0.255.255.255 eq 80
access-list 101 permit tcp any 174.128.1.0 0.255.255.255 eq 443

class-map match-all cm-mark-vlan1
  match access-group 101

policy-map pm-mark-vlan1
  class cm-mark-vlan1
    set ip dscp af21

Dan Lukes
VIP Alumni
VIP Alumni

Note this thread is off topic in this community (no topic is appropriate in this community).

Thus it may be deleted in the future. If deleted, it will not help to future readers. Moreover Philip D'Ath  will lost all reward gained for their valuable help.

You may consider to move it to community according the topic (use blue edit button on right top to move).

Review Cisco Networking for a $25 gift card