QoS and DMVPN

jmperlewitz
Level 1

I have a hub-spoke model using DMVPN. I have created a spoke QoS policy for each remote site to make sure that certain traffic gets prioritized over the tunnel back to the head-end router. However, I am a little confused about what kind of policy I should put on the head-end router to make sure my prioritized traffic leaving the spoke remains prioritized coming back during times of spoke congestion.

Each spoke has a 100Mb link, but the head-end router uses a 10G link. Since the head-end link is so large, it will never experience congestion, so I am not sure CBWFQ will kick in. I also do not want to use the same bandwidth reservation requirements on the head-end that I use on the spoke for fear of throttling the 10G link too much.

I have already implemented per-tunnel traffic shaping on the head-end to ensure that traffic does not go over the spoke 100Mb limit. I am just trying to figure out if I need to implement an output policy on the head-end router to ensure certain traffic stays prioritized going back to the spoke, or whether, because the spoke already prioritizes the traffic leaving the spoke, it will still come back in without being affected by other less prioritized traffic. Thanks!

5 Replies

Hello,

can you post what you have configured (hub/spoke configs)?

If your IOS supports it, you might consider Per-Tunnel QoS for DMVPN, which makes the configurations somewhat less complicated...

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-per-tunnel-qos.html

Head-end router:

policy-map 100_MB
 class class-default
  shape average 104857600
!
interface Tunnel100
 nhrp map group Spoke_100_MB service-policy output 100_MB

I am wondering if I need to build a child policy to nest with the policy-map 100_MB policy.

 

Spoke router:

interface Tunnel100
 nhrp group Spoke_100_MB
!
class-map match-any D4_PREC4
 match ip dscp af41 
 match ip dscp af42 
 match ip dscp af43 
 match ip precedence 4 
class-map match-any D3_PREC3
 match ip dscp af31 
 match ip dscp af32 
 match ip dscp af33 
 match ip dscp cs6 
 match ip dscp cs3 
 match ip precedence 6
class-map match-any D2_PREC2
 match ip dscp af21 
 match ip dscp af22 
 match ip dscp af23 
 match ip dscp cs2 
class-map match-any D1_PREC1
 match ip dscp af11 
 match ip dscp af12 
 match ip dscp af13 
 match ip dscp cs1
class-map POS
 match access-group name POS 
class-map match-any NETWORK_MGMT
 match protocol ssh
 match protocol snmp
 match protocol ftp
 match protocol syslog
 match protocol tacacs 
 match protocol icmp
class-map SKYPE
 match access-group name SKYPE
class-map RTSP
 match application rtsp
class-map match-any FILE-SERVICES
 match protocol nfs
 match protocol rdp
!
policy-map QUEUE-OUTPUT
 class D3_PREC3
  priority 20480
 class D4_PREC4
  bandwidth remaining percent 40
 class D2_PREC2
  bandwidth remaining percent 30
 class D1_PREC1
  bandwidth remaining percent 20
 class class-default
  queue-limit 1600 packets
!
policy-map SHAPE-OUTPUT
 class class-default
  shape average 100m
   service-policy QUEUE-OUTPUT
!
policy-map MARK-INPUT
 class POS
  set ip dscp af31
 class NETWORK_MGMT
  set ip dscp cs2
 class SKYPE
  set ip dscp af41
 class RTSP
  set ip dscp af43
 class FILE-SERVICES
  set ip dscp af21
 class class-default
!
ip access-list extended POS
 permit ip object-group POS_A any
 permit ip object-group POS_B any
 permit ip object-group POS_C any
!
ip access-list extended SKYPE
 permit udp any any range 3478 3481
 permit udp any any range 49512 65535
 permit tcp any any range 49512 65535
!
int gi0/0/2
 load-interval 30
 service-policy output SHAPE-OUTPUT
!
int po1.100
 service-policy input MARK-INPUT
!
int po1.102
 service-policy input MARK-INPUT
!
int po1.104
 service-policy input MARK-INPUT
!
int po1.106
 service-policy input MARK-INPUT
!
int po1.108
 service-policy input MARK-INPUT
!
int po1.110
 service-policy input MARK-INPUT

 


Accepted Solution

Hello,

sorry for my late reply.

What you have configured on the head end is sufficient. You would only need an outbound policy (on the physical interface) if the aggregated bandwidth of all spokes would exceed the 10G (which would equal 100+ spokes, which I assume you don't have). So your config looks good as is.

Joseph W. Doherty
Hall of Fame

Are spokes logically limited to 100 Mbps or physically limited? (An example of the former, interface running at gig, but WAN provider only providing 100 Mbps.) If the latter, you don't need to also shape them for 100 Mbps.

BTW, for your remote QoS, most routers would allow you to match and mark in egress classes too. I.e. you have the option of not needing your input policy.

To your question of should you have a child policy for your HQ tunnels - if you want to prioritize transmission and/or drops, when and if there's HQ tunnel egress congestion - the answer is yes. (NB: this is contrary to Georg's recommendation, but otherwise a shaper, alone, at least the later implementations, might only FIFO all your traffic.)

Also BTW, on some routers I'm unsure that Cisco's shapers always account for L2 overhead. If a shaper doesn't appear to be doing so, set it about 15% slower than the nominal bandwidth (to allow for typical L2 overhead).

Another BTW, when matching DSCP tags like:

class-map match-any D3_PREC3
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
 match ip dscp cs6
 match ip dscp cs3
 match ip precedence 6

Matching IPPrec 6 will also match DSCP CS6. Also, if you match IPPrec 3, it will match CS3, AF31, AF32 and AF33. (Remember IPPrec is the first 3 bits of the DSCP.)

Lastly, when matching NBAR's SSH, that includes SCP.

I also suggest, when setting up a QoS policy, start with everything in class-default using FQ. Only place traffic in other classes that really, really need it. Also don't forget, besides guaranteeing better service to some classes, much can often be accomplished by decreasing priority to some traffic. Also know how you manage drops can be almost as crucial as how you manage bandwidth. (The last is because of your using something like your:

class class-default
 queue-limit 1600 packets

as too large queue limits can be counterproductive.)
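One way to implement the child policy Joseph recommends for the hub's per-tunnel shaper, as an added example that is not from any post in this thread: the flat 100_MB shaper from the hub config is shown first, then the same parent shaper with the spoke's queueing policy nested under it. It assumes the spoke's D1_PREC1..D4_PREC4 class-maps are also configured on the hub.

```cisco
! The hub policy posted in the thread: a shaper alone, no child policy,
! so once a spoke's 100 Mbps tunnel shaper backs up, everything queued
! behind it may be handled FIFO regardless of DSCP.
policy-map 100_MB
 class class-default
  shape average 104857600
!
! Added alternative (not from the thread): the spoke's QUEUE-OUTPUT
! policy copied to the hub and nested under the same parent shaper, so
! hub-to-spoke traffic is queued per class only while that spoke's
! shaper is congested; the 10G physical interface itself is untouched.
! Assumes the D1_PREC1..D4_PREC4 class-maps from the spoke config are
! also defined on the hub.
policy-map QUEUE-OUTPUT
 class D3_PREC3
  priority 20480
 class D4_PREC4
  bandwidth remaining percent 40
 class D2_PREC2
  bandwidth remaining percent 30
 class D1_PREC1
  bandwidth remaining percent 20
 class class-default
  queue-limit 1600 packets
!
! Joseph's caveat applies here too: if the shaper turns out not to
! account for L2 overhead, shape about 15% below the nominal 100 Mbps.
policy-map 100_MB
 class class-default
  shape average 104857600
  service-policy QUEUE-OUTPUT
!
! Unchanged: per-tunnel QoS binds the parent policy to the spokes'
! NHRP group; each spoke in the group gets its own shaper and queues.
interface Tunnel100
 nhrp map group Spoke_100_MB service-policy output 100_MB
```

Verify with `show policy-map multipoint` on the hub that each spoke tunnel instance shows the child classes and that drops land in the intended class rather than class-default.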