Policy Map for ICMP Priority over VRF GRE Tunnel

amercer
Level 1

Overview:
We currently have a GRE VRF tunnel to a remote location.
Like this: MainOfficeRouter <----->GRETunnel<----->RemoteOfficeRouter.
The remote location has a 3Mb max DSL with 8Mb max shared in the cloud with other customers.
We use a WhatsUpGold server at our main office to monitor servers at the remote location using ping.
We back up servers at the remote location to our main office nightly.
It seems that when we back up the servers every night, the backup creates so much traffic that pings from WhatsUpGold to the remote location don't get through.
This causes WhatsUpGold to trigger an alarm and page people at home.
I'm trying to implement traffic shaping on the GRE VRF tunnel to give some priority to ICMP.
This is what I have so far:

Main Office Router Config:
interface Loopback100
 ip address 10.172.192.55 255.255.255.255
!
interface Tunnel100
 description Isolated Tunnel To Remote Office
 ip vrf forwarding ISOLATEDNETWORK
 ip address 10.192.200.1 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback100
 tunnel destination 10.172.192.56
 service-policy output TUNNEL
 
Remote Office Router Config:
interface Loopback100
 ip address 10.172.192.56 255.255.255.255
!
interface Tunnel100
 description Isolated Tunnel To Main Office
 ip vrf forwarding ISOLATEDNETWORK
 ip address 10.192.200.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback100
 tunnel destination 10.172.192.55
 service-policy output TUNNEL
 
Traffic Shaping Policy:
policy-map TUNNEL
  class class-default
   shape average 3000000 <---Should I do this or "shape peak 1500000 3000000 3000000"
   service-policy ICMPPRIORITY
policy-map ICMPPRIORITY
  class ICMPTRAFFIC
   bandwidth percent 10   <---Should I do this or "priority percent 10"
class-map match-any ICMPTRAFFIC
  match protocol icmp
I'm just curious about how my Traffic Shaping Policy looks.  Any suggestions or recommendations would be helpful.
 
Thanks,
Allen
Accepted Solutions

Akash Agrawal
Cisco Employee

Hi Allen,

 

policy-map TUNNEL
  class class-default
   shape average 3000000 <--- Shape average is ok
   service-policy ICMPPRIORITY
 
policy-map ICMPPRIORITY
  class ICMPTRAFFIC
   bandwidth percent 10   <---Should I do this or "priority percent 10"
class-map match-any ICMPTRAFFIC
  match protocol icmp
 
If you expect a DoS attack of ICMP packets, then you may want to limit the traffic; otherwise, assigning bandwidth percent 10 would be sufficient. Also assign the remaining bandwidth to class-default.

Second, to match ICMP traffic, I would suggest using an ACL instead of match protocol icmp (NBAR), which will be more CPU intensive. The class-map below can be used:

class-map match-any ICMPTRAFFIC
  match access-group 101
!
access-list 101 permit icmp any any

------------ Please don't forget to rate helpful post. ----------------

 

 

-Akash
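
The reply's recommendations combined into one configuration, as an added example that is not part of the original thread: ACL-based classification instead of NBAR, the 10 percent guarantee, and a policer for the case where an ICMP flood is a concern. The 300000 bps police rate (10 percent of the 3000000 bps shape rate) and the fair-queue setting on class-default are assumptions, not values from the posts.

```cisco
! Classify ICMP with an ACL rather than NBAR ("match protocol icmp").
access-list 101 permit icmp any any
!
class-map match-any ICMPTRAFFIC
 match access-group 101
!
! Child policy: queueing inside the shaped rate.
policy-map ICMPPRIORITY
 class ICMPTRAFFIC
  ! Minimum guarantee under congestion, so pings survive the nightly backup.
  bandwidth percent 10
  ! Assumed cap (10% of the 3000000 bps shape rate): an ICMP flood cannot
  ! take more than this share away from the backup traffic.
  police 300000 conform-action transmit exceed-action drop
 class class-default
  ! Assumption: no explicit reservation here; class-default uses whatever
  ! the ICMP class leaves idle.
  fair-queue
!
! Parent policy: shape to the 3 Mb DSL rate, then apply the child policy.
policy-map TUNNEL
 class class-default
  shape average 3000000
  service-policy ICMPPRIORITY
!
interface Tunnel100
 service-policy output TUNNEL
!
! Check per-class counters (matched packets, policer drops) with:
!   show policy-map interface Tunnel100
```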

 
