Solved: Re: Traffic Shaping VPN

Raimund Schimanovits · ‎11-18-2020

Hi

How can i shape the traffic over an VPN Tunnel . So i have 2 NAS and the are syncing over a VPN. When the sync starts nothing ohter can be done. So i have to limit the traffic to 10Mbit.

The command traffic shape is on the Tunnel Interface not available.

Best regards

Georg Pauwen · ‎11-19-2020

Hello,

that is certainly possible. Actually, you also might want to configure a child/parent policy, where you shape the traffic that is not reserved for the NAS as well. This would look like below:

ip access-list extended SHAPE_NAS_ACL
permit ip host x.x.x.x any --> where x.x.x.x is the IP address of the NAS
!
class-map match-all SHAPE_NAS_CM
match access-group SHAPE_NAS_ACL
!
policy-map CHILD_SHAPER_NAS_PM
class SHAPE_NAS_CM
shape average 10000000
!
policy-map PARENT_SHAPER_NAS_PM
class class-default
shape average 100000000
service-policy CHILD_SHAPER_NAS_PM
!
interface Tunnel1
description VPN to Site X
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
service-policy output PARENT_SHAPER_NAS_PM
qos pre-classify
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto map VPN_CRYPTO_MAP

View solution in original post

Joseph W. Doherty · ‎11-19-2020

BTW, DMVPN was mentioned as being used, if so, QoS is done a bit differently for that vs. what Georg is showing.

Also BTW, in Georg's example, "qos pre-classify" isn't needed on a tunnel interface, it's needed when doing classification of tunnel traffic on the physical interface. Also, when used, it's more limited than what you can do on the tunnel interface because only a copy of the tunnel's pre-encapsulation IP header is used.

As I posted earlier, you can manage your NAS traffic, w/o shaping it.

e.g.: (using Georg's child policy . . .)
policy-map CHILD_SHAPER_NAS_PM
class SHAPE_NAS_CM
bandwidth percent 1
class class-default
bandwidth percent 99

Basically, the above would allow NAS traffic to use all the avaiable bandwidth, but if there is other traffic, NAS traffic will yield up to 99% of the bandwidth to it. Effectively, only giving the NAS available bandwidth. If you wanted to "guarantee" NAS traffic more bandwidth, you would just change the bandwidth percentages.

Lastly, if not using DMVPN, I would recommend VTI tunnels vs. using crypto maps.

View solution in original post

marce1000 · ‎11-18-2020

- Depends on what device infrastructure such as models and types you are using at both ends of the tunnel (?)

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Raimund Schimanovits · ‎11-19-2020

There are 2 Router 1921 and 2921 with a DMVPN connected.

So i need to control the traffic from the nas over the tunnel interface.

br

Joseph W. Doherty · ‎11-18-2020

BTW, you may be able to de-prioritize the NAS traffic, rather than shaping it. Such would allow full usage of bandwidth w/o the NAS traffic being adverse to other traffic.

What you can do depends on devices.

Raimund Schimanovits · ‎11-19-2020

so i should use QoS instead of traffic shaping?

br

Joseph W. Doherty · ‎11-19-2020

Actually, in your case, ideally you'll likely want to use both.

You use shaping to restrict overall bandwidth to what's available to your VPN. Then, if the shaping creates any congestion, you manage it using QoS statements.

If you want suggestions on "how", you'll need to fully describe your WAN topology and devices.

Georg Pauwen · ‎11-19-2020

Hello,

something like the below could work:

policy-map SHAPE_VPN_TUNNEL
class class-default
shape average 10000000
!
interface Tunnel1
description VPN to Site X
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
service-policy output SHAPE_VPN_TUNNEL
qos pre-classify
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto map VPN_CRYPTO_MAP

Raimund Schimanovits · ‎11-19-2020

Hello

This looks nice Is it possible to shape the traffic with a access list where only the ip from the NAS is inside?

The other hosts are not shaped?

best regards

Georg Pauwen · ‎11-19-2020

Hello,

that is certainly possible. Actually, you also might want to configure a child/parent policy, where you shape the traffic that is not reserved for the NAS as well. This would look like below:

ip access-list extended SHAPE_NAS_ACL
permit ip host x.x.x.x any --> where x.x.x.x is the IP address of the NAS
!
class-map match-all SHAPE_NAS_CM
match access-group SHAPE_NAS_ACL
!
policy-map CHILD_SHAPER_NAS_PM
class SHAPE_NAS_CM
shape average 10000000
!
policy-map PARENT_SHAPER_NAS_PM
class class-default
shape average 100000000
service-policy CHILD_SHAPER_NAS_PM
!
interface Tunnel1
description VPN to Site X
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
service-policy output PARENT_SHAPER_NAS_PM
qos pre-classify
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto map VPN_CRYPTO_MAP

Joseph W. Doherty · ‎11-19-2020

BTW, DMVPN was mentioned as being used, if so, QoS is done a bit differently for that vs. what Georg is showing.

Also BTW, in Georg's example, "qos pre-classify" isn't needed on a tunnel interface, it's needed when doing classification of tunnel traffic on the physical interface. Also, when used, it's more limited than what you can do on the tunnel interface because only a copy of the tunnel's pre-encapsulation IP header is used.

As I posted earlier, you can manage your NAS traffic, w/o shaping it.

e.g.: (using Georg's child policy . . .)
policy-map CHILD_SHAPER_NAS_PM
class SHAPE_NAS_CM
bandwidth percent 1
class class-default
bandwidth percent 99

Basically, the above would allow NAS traffic to use all the avaiable bandwidth, but if there is other traffic, NAS traffic will yield up to 99% of the bandwidth to it. Effectively, only giving the NAS available bandwidth. If you wanted to "guarantee" NAS traffic more bandwidth, you would just change the bandwidth percentages.

Lastly, if not using DMVPN, I would recommend VTI tunnels vs. using crypto maps.

Raimund Schimanovits · ‎11-19-2020

Hello

Perfect. I will test it today.

Thanks a lot.

br

Raimund Schimanovits · ‎11-20-2020

Hello

now i tested it but i cannot add the policy to the tunnel interface

i only had this command available

Zentrale-Spoke2(config-if)#service-policy type packet-service output Parent_Shape_NAS_PM
policy map should be of same type
Zentrale-Spoke2(config-if)#

br

Joseph W. Doherty · ‎11-20-2020

Well, I did mention earlier, DMVPN QoS is done a bit differently. Its QoS features also vary, as do other QoS feature sets, with IOS version.

So, to possibly help, you'll need to provide more information, such as the actual device you're trying this on, its IOS version, it's current configuration (as also mentioned earlier, you overall topology).

Raimund Schimanovits · ‎11-20-2020

Hello

Here is the config and version

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.6(2)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 19-Jan-17 07:28 by prod_rel_team

Suite License Information for Module:'c1900'

--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
datak9

Technology Package License Information for Module:'c1900'

------------------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
data None None None

Configuration register is 0x2102

version 15.6
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service compress-config
service sequence-numbers
!
hostname Zentrale-Spoke2
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.157-3.M7.bin
boot-end-marker
!
!
logging buffered 1024576
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
no ip bootp server
ip domain name ascom.local
ip inspect max-incomplete low 250
ip inspect max-incomplete high 400
ip inspect one-minute low 400
ip inspect one-minute high 2000
ip inspect udp idle-time 300
ip inspect tcp finwait-time 4
ip inspect tcp synwait-time 25
ip inspect tcp max-incomplete host 250 block-time 60
ip inspect name Firewall ftp timeout 600
ip inspect name Firewall tcp timeout 3600
ip inspect name Firewall udp timeout 300
ip inspect name Firewall ssh timeout 300
ip inspect name Firewall http timeout 3600
ip inspect name Firewall icmp timeout 300
ip inspect name Firewall sip timeout 3600
ip inspect name Firewall sip-tls timeout 3600
ip inspect name Firewall ntp
ip inspect name Firewall https timeout 3600
ip inspect name Firewall esmtp timeout 3600
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
key chain EIGRP1-key
key 1
key-string 7 <removed>
key chain TUNNEL1-key
key 2
key-string 7 <removed>
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FCZ1902C2AH
!
!
archive
log config
hidekeys
username <removed> privilege 15 secret 5 <removed>
username <removed> privilege 0 secret 5 <removed>
!
redundancy
!
!
!
!
!
ip tcp synwait-time 5
ip tcp path-mtu-discovery age-timer 30
!
class-map match-all Traffic
match access-group name NAS-Traffic
!
policy-map Traffic-Shape
class Traffic
shape average 10000000
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key <removed> address 0.0.0.0
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 256
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN
set transform-set ESP-AES256-SHA
set pfs group5
!
!
!
!
!
!
!
interface Tunnel1
description DMVPN zu ONE-HUB1
bandwidth 10000
ip address 10.0.10.11 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip nhrp authentication KEYYYY
ip nhrp map multicast <removed>
ip nhrp map 10.0.10.2 <removed>
ip nhrp map multicast <removed>
ip nhrp map 10.0.10.1 <removed>
ip nhrp network-id 1
ip nhrp nhs 10.0.10.2
ip nhrp nhs 10.0.10.1
ip nhrp registration no-unique
ip nhrp redirect
ip verify unicast reverse-path
ip tcp adjust-mss 1360
snmp trap ip verify drop-rate
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ***Inside***
ip address 192.168.3.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
snmp trap ip verify drop-rate
service-policy output Traffic-Shape
!
interface GigabitEthernet0/1
description ***Outside***
ip address <removed>
ip access-group Outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
snmp trap ip verify drop-rate
no cdp enable
!
!
router eigrp 1
network 10.0.10.0 0.0.0.255
network 192.168.3.0
passive-interface GigabitEthernet0/1
eigrp router-id 192.168.3.250
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip flow-top-talkers
top 10
sort-by bytes
!
ip route 0.0.0.0 0.0.0.0 <removed>
ip route 10.10.1.15 255.255.255.255 192.168.3.1
ip ssh authentication-retries 4
ip ssh version 2
!
ip access-list extended NAS-Traffic
permit ip host 10.0.0.6 host 192.168.1.30
ip access-list extended Outside_in
remark *****ACL out->in*****
remark -----VPN-IPSec-DMVPN-----
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
remark -----Access SSH------
permit tcp any any eq 22
permit ip host <removed> any
permit ip host <removed> any
remark -----NTP-----
permit udp host 131.130.1.12 any eq ntp
remark -----ICMP-unreachable-----
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp host <removed> any
permit icmp host <removed> any
deny ip any any log
!
kron occurrence Backup at 23:10 Mon recurring
policy-list Backup
!
kron policy-list Backup
cli show run | redirect tftp://192.168.1.30/Zentrale-Spoke2-confg.txt
!
logging host 192.168.1.120
!
!
snmp-server community <removed> RO
!
!
!
control-plane
!
!
privilege exec level 0 reload
!
line con 0
line aux 0
modem InOut
transport input all
transport output all
stopbits 1
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
length 0
transport input ssh
!
scheduler allocate 20000 1000
ntp server 131.130.1.12
!
end

br

Raimund Schimanovits · ‎11-20-2020

Hello

do you know why i cannot add a service-policy to the tunnel interface?

this is the only command

service-policy type packet-service output Parent_Shape_NAS_PM

br