cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1916
Views
10
Helpful
12
Replies

QoS with DMVPN

Sam22
Level 1
Level 1

Hi all, Now I have issue with configure QoS on DMVPN. I have tried to classify my target with ALC . even I configure ALC with permit any any , ALC not show with matching result. But if I show policy-map multi , it seem traffic increase and match with packet I testing.

Question: Does QoS DMVPN support with access-list ? and it show with match result ?

Here is config :

+HUB

class-map match-all CRITICAL_QoS
match access-group 100
!
policy-map CRITICAL_POLICY_QoS
class CRITICAL_QoS
bandwidth percent 40
policy-map SHAPE_20M
class class-default
shape average 20000000
service-policy CRITICAL_POLICY_QoS
!
Extended IP access list 100
10 permit ip any any

int tun3
nhrp map group GROUP-20M service-policy output SHAPE_20M

+SPOKE

int tun3

nhrp group GROUP-20M

========================================

show policy-map mult

Interface Tunnel3 <--> 10.xxx.xxx.24

Service-policy output: SHAPE_20M

Class-map: class-default (match-any)
292002 packets, 141513153 bytes
5 minute offered rate 286000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 279144/157421504
shape (average) cir 20000000, bc 80000, be 80000
target shape rate 20000000

Service-policy : CRITICAL_POLICY_QoS

Class-map: CRITICAL_QoS (match-all)
92962 packets, 45559921 bytes
5 minute offered rate 276000 bps, drop rate 0000 bps
Match: access-group 100
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 95450/52751580
bandwidth 40% (8000 kbps)

Class-map: class-default (match-any)
193923 packets, 93588159 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 183694/104669924

2 Accepted Solutions

Accepted Solutions

My device is Cisco ISR 4000 series. 

View solution in original post

I already got confirmed from Cisco TAC, that is ACL not display of DMVPN QoS.

Regards,

View solution in original post

12 Replies 12

Hello,

I tried to test this, but I am getting the same results as you: My guess is: ACLs should work. But 'ip any any' is basically the same as 'class-default' since it matches any traffic. So you end up with two policies (child and parent) 'competing' for the same traffic. That is probably why you don't see all packets matched...

Try an ACL with an actual source and destination, and check if traffic matches...

Hi Georg, 

Yes of course, if I tried with ACL  "an actual source and destination " I saw the traffic was matched and packet also increase. But one more question that, why this ACL doesn't show match result ? typically,  if ALC was match with the particular source and destination , it should show with matching result , right? and it also work with QoS on DMVPN?  so that why I am not sure that my policy-map is match with my configure or not. 

for example : 

Extended IP access list 100
10 permit ip192.168.1.0 0.0.0.255 ip 172.16.1.0 0.0.0.255 (match ..)

I think it should show with matching result like this. but  I don't see it show matching result.

Best regards and thanks.

I will run lab check this case today

Hi , 

If you have done with your lab, please let me know if the result is same issue with mine.

Thank you.

my IOS version 17.6

I run lab and I see match, 

show policy map multi 
show access-list

can you ping from behind the hub to behind the spoke and check again, 
please notice:- you need any traffic flow through tunnel <THROUGH not BYPASS>

Screenshot (210).png

Hi  MHM Cisco World ,

Actually, If tested in my lab , it also show with matching with ACL as well. However, when I've applied with my real environment ( physical device) it does not show up result with ACL but if I show policy map multi , packets was increased as we expectation.

Does QoS process with HW or Software for cisco router?

Note: I've verified all traffic flow is under tunnel, routing is correct, I would confirm all traffic is under tunnel interface.

Thank you.

platform qos match-statistics per-ace <<- can you try this command and check again, 

for you Q, about the ACL Yes if it SW then there it can be done in HW not SW. 
but still check the command above and see if you get hit in ACL of QoS. 
thanks 

Dear , MHM,

After I tried to apply command above it shows

"platform qos match-statistics per-filter
Either a) A system RELOAD or
b) Remove all service-policies, re-apply the change
to the 'platform qos match-statistics per-filter', re-apply all service-policies
is required before this command will be activated."

Therefore, I will find schedule to applied this for testing  and let you know if it is working.

One more thing, cisco router,  if it is processing with HW , I think ACL for QoS won't hit count show, right ?

Best regards,

QoS ACL in TCAM (HW) or QoS ACL in CPU (SW)?
I think this depend on platform, C9000 series have QoS ACL in TCAM so it HW, but I think you run IOS XE in ASR1000 series, 
here I need to check if the ASR is SW or hybrid (SW & HW), and check if QoS ACL is run in HW and SW.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9200-series-switches/218446-understand-qos-hardware-resources-on-cat.pdf

My device is Cisco ISR 4000 series. 

I already got confirmed from Cisco TAC, that is ACL not display of DMVPN QoS.

Regards,

Review Cisco Networking for a $25 gift card