01-17-2013 03:42 AM - edited 02-21-2020 06:37 PM
Dear All,
we have the unusual situation that one of our DMVPN Spoke Sites has a higher bandwidth rate (33 Mbit/s) than our
DMVPN Hub Site.
Therefore, we need to apply traffic shaping to 10 Mbit/s on the tunnel interface on the spoke.
The following link only describes how to apply shaping on the hub end but not on the spoke end site:
How should we proceed with this on the spoke router?
Will creating a service policy and then applying it to the tunnel interface do the job? Will shaping then be done after the traffic encryption or before?
And would we then need to increase the replay window-size buffer of 1024 to something higher?
Would the following example work? We would apply the policy outbound to the tunnel interface:
class-map match-any CLASS_ANY
 match any
policy-map POLICY_SHAPE10MEG
 class CLASS_ANY
  shape average 10000000
interface Tunnel 0
 service-policy output POLICY_SHAPE10MEG
Thanks for your help,
Thorsten
01-17-2013 07:10 AM
You can configure the shaping on the hub, then it will apply to all the spokes, no matter if the spoke has bigger or smaller bandwidth than the hub. Actually that is the benefit of configuring the QoS on the DMVPN and it is explained on that link you've provided above. Check the "Benefits of Per-Tunnel QoS for DMVPN" section.
As to your config example, applying the service policy to the tunnel interface is done by using the following command (also explained on that link):
ip nhrp map group group-name service-policy output qos-policy-map-name
HTH
01-18-2013 05:19 AM
Dear Rudy,
thanks very much for your answer.
I have implemented it now but how can I find out if the shaping is really applied on the spoke end site ?
Sorry for this perhaps silly question but I'm a newbie to QoS and traffic shaping.
Thanks,
Thorsten
01-18-2013 05:30 AM
Use the show tunnel endpoints command; this command displays the QoS policy applied on the spoke tunnel (also mentioned on that link). It's not a newbie question, and don't worry about that; people learn by asking questions, right?
HTH
*please rate helpful post
01-18-2013 07:37 AM
Hi Rudy,
thanks very much. Unfortunately, when I enter "sh tunnel endpoints" I'm only getting the following output. But it doesn't show a QoS policy as being applied.
Do you have any idea why this doesn't show up here? Thanks.
DERT0001#sh tunnel endpoints
Tunnel1 running in multi-GRE/IP mode
Endpoint transport 195.65.178.237 Refcount 3 Base 0x29CE2D6C Create Time 7w6d
overlay 172.20.53.1 Refcount 2 Parent 0x29CE2D6C Create Time 7w6d
Tunnel Subblocks:
tunnel-nhrp-sb:
NHRP subblock has 1 entries
Tunnel0 running in multi-GRE/IP mode
Endpoint transport 195.65.178.239 Refcount 3 Base 0x29CE2E7C Create Time 4w5d
overlay 172.20.54.1 Refcount 2 Parent 0x29CE2E7C Create Time 4w5d
Tunnel Subblocks:
tunnel-nhrp-sb:
NHRP subblock has 1 entries
01-18-2013 08:47 AM
Please provide the output from the following commands:
- show dmvpn detail
- show ip nhrp
- show ip nhrp group-map
- show policy-map multipoint
01-21-2013 12:23 AM
Hi Rudy,
thanks. Please find attached the complete output as requested for the DMVPN spoke. As you can see the tunnel group has been created under Tunnel 1 and also is propagated to the Hub but it doesn't look like the Spoke is applying the QoS on its side. Thanks,
Thorsten
sh dmvpn deta
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.20.54.20, VRF ""
Tunnel Src./Dest. addr: XXXXXXXXX /MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
Interface State Control: Disabled
IPv4 NHS: 172.20.54.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 XXXXXXXXX 172.20.54.1 UP 5w1d S 172.20.54.1/32
Interface Tunnel1 is up/up, Addr. is 172.20.53.20, VRF ""
Tunnel Src./Dest. addr: XXXXXXXXXXXXX/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
Interface State Control: Disabled
IPv4 NHS: 172.20.53.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 XXXXXXXXXXXXX 172.20.53.1 UP 2d19h S 172.20.53.1/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel1 Tunnel0
Session: [0x29DA95D4]
IKE SA: local XXXXXXXXX/500 remote XXXXXXXXXXXXXX/500 Active
Capabilities:D connid:1126 lifetime:15:08:17
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: XXXXXXXXXXXX
IPSEC FLOW: permit 47 host XXXXXXXXX host XXXXXXXXXXXXXXX
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 192660927 drop 0 life (KB/Sec) 4204198/2051
Outbound: #pkts enc'ed 275979781 drop 0 life (KB/Sec) 4255138/2051
Outbound SPI : 0x265CC589, transform : esp-aes esp-sha-hmac
Socket State: Open
Interface: Tunnel1 Tunnel0
Session: [0x29DA96C4]
IKE SA: local XXXXXXXXXXXXXX/500 remote XXXXXXXXXXXXXXXXX/500 Active
Capabilities:D connid:1125 lifetime:04:53:56
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: XXXXXXXXXXXXXXXXX
IPSEC FLOW: permit 47 host XXXXXXXXXXXXXX host XXXXXXXXXXXXXXXXXXXXXXX
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 1305180 drop 0 life (KB/Sec) 4572686/3505
Outbound: #pkts enc'ed 2941702 drop 3111 life (KB/Sec) 4572685/3505
Outbound SPI : 0xC7C93135, transform : esp-aes esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
DERT0001#sh ip nhrp
172.20.54.1/32 via 172.20.54.1
Tunnel0 created 5w1d, never expire
Type: static, Flags: used
NBMA address: XXXXXXXXXXXXXXXXXXXXX
172.20.53.1/32 via 172.20.53.1
Tunnel1 created 8w2d, never expire
Type: static, Flags: used
NBMA address: XXXXXXXXXXXXXXXXXXXXX
DERT0001#sh ip nhrp group-map ?
WORD group name
| Output modifiers
DERT0001#sh ip nhrp group-map MIESBACH_QOS
NHRP group: MIESBACH_QOS does not exist
DERT0001#sh policy-map multipoint
DERT0001#
DERT0001#
DERT0001#sh tunnel endpoints
Tunnel1 running in multi-GRE/IP mode
Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x29CE2D6C Create Time 8w2d
overlay 172.20.53.1 Refcount 2 Parent 0x29CE2D6C Create Time 8w2d
Tunnel Subblocks:
tunnel-nhrp-sb:
NHRP subblock has 1 entries
Tunnel0 running in multi-GRE/IP mode
Endpoint transport XXXXXXXXXXXXXXXXX Refcount 3 Base 0x29CE2E7C Create Time 5w1d
overlay 172.20.54.1 Refcount 2 Parent 0x29CE2E7C Create Time 5w1d
Tunnel Subblocks:
tunnel-nhrp-sb:
NHRP subblock has 1 entries
DERT0001#sh run int tunnel 1
Building configuration...
Current configuration : 550 bytes
!
interface Tunnel1
 description DMVPN2
 bandwidth 10000
 ip address 172.20.53.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication XXXXXXXXXXXXXXXXXXX
 ip nhrp group MIESBACH_QOS
 ip nhrp map multicast XXXXXXXXXXXXXXXXXX
 ip nhrp map 172.20.53.1 XXXXXXXXXXXXXXXXXXXXX
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.20.53.1
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100002
 tunnel protection ipsec profile PROFILE_XXXXX shared
01-21-2013 12:54 AM
Normally when each spoke registers with the hub, the group policy configured for that spoke will be applied to the hub-spoke tunnel. I see that MIESBACH_QOS is the group name; what is the name of the QoS policy that you've configured on the hub? Can you also provide the output from the same commands on the hub side?
01-21-2013 01:16 AM
Hi Rudy,
thanks for your feedback. Please find below the output of the same commands on the Hub end side. The name of the QoS Policy is: POL_SHAPE10MEG and it is applied to the NHRP group as output - as you can also see below:
policy-map POL_SHAPE10MEG
 class class-default
  shape average 10000000
interface Tunnel0
 ip nhrp map group MIESBACH_QOS service-policy output POL_SHAPE10MEG
sh dmvpn det
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Intferface Tunnel0 is up/up, Addr. is 172.20.53.1, VRF ""
Tunnel Src./Dest. addr: XXXXXXXXXXXXXXXXXXXX/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 XXXXXXXXXXXXX 172.20.53.14 UP 2d20h D 172.20.53.14/32
1 XXXXXXXXXXXXXX 172.20.53.20 UP 2d20h D 172.20.53.20/32
NHRP group: MIESBACH_QOS
Output QoS service-policy applied: POL_SHAPE10MEG
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x46A6F4C4]
IKE SA: local XXXXXXXXXXXXX/500 remote XXXXXXXXXXXXX/500 Active
Capabilities:(none) connid:1005 lifetime:03:57:55
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: XXXXXXXXXXXXX
IPSEC FLOW: permit 47 host XXXXXXXXXXXXX host XXXXXXXXXXXXX
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 59467 drop 0 life (KB/Sec) 4451683/131
Outbound: #pkts enc'ed 59464 drop 0 life (KB/Sec) 4451683/131
Outbound SPI : 0x4BFCD060, transform : esp-aes esp-sha-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x46A6F5B4]
IKE SA: local XXXXXXXXXXXXX/500 remote XXXXXXXXXXXXX/500 Active
Capabilities:(none) connid:1006 lifetime:03:58:42
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: XXXXXXXXXXXXX
IPSEC FLOW: permit 47 host XXXXXXXXXXXXX host XXXXXXXXXXXXX
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 59491 drop 0 life (KB/Sec) 4487246/189
Outbound: #pkts enc'ed 59709 drop 0 life (KB/Sec) 4487245/189
Outbound SPI : 0x8CD4A88C, transform : esp-aes esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
rt-vpn-e-2811-192-111#sh ip nhrp
172.20.53.14/32 via 172.20.53.14
Tunnel0 created 2d20h, expire 00:04:35
Type: dynamic, Flags: unique registered
NBMA address: XXXXXXXXXXXXX
172.20.53.20/32 via 172.20.53.20
Tunnel0 created 2d20h, expire 00:04:29
Type: dynamic, Flags: unique registered
NBMA address: XXXXXXXXXXXXX
Group: MIESBACH_QOS
rt-vpn-e-2811-192-111#sh ip nhrp group-map MIESBACH_QOS
Interface: Tunnel0
NHRP group: MIESBACH_QOS
QoS policy: POL_SHAPE10MEG
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
172.20.53.20/XXXXXXXXXXXXX
rt-vpn-e-2811-192-111#sh policy-map multipoint
Interface Tunnel0 <--> XXXXXXXXXXXXX
Service-policy output: POL_SHAPE10MEG
Class-map: class-default (match-any)
59641 packets, 6628045 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 2500 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 248/45136
shape (average) cir 10000000, bc 40000, be 40000
target shape rate 10000000
rt-vpn-e-2811-192-111#sh tunnel endpoints
Tunnel0 running in multi-GRE/IP mode
Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x46A18FD0 Create time 2d20h
overlay 172.20.53.14 Refcount 2 Parent 0x46A18FD0 Create time 2d20h
Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x46A190E0 Create time 2d20h
Tunnel Subblocks:
tunnel-qos (Extend Forwarding):
Tunnel-QoS subblock, QoS policy applied: POL_SHAPE10MEG
overlay 172.20.53.20 Refcount 2 Parent 0x46A190E0 Create time 2d20h
01-21-2013 01:48 AM
I see on the hub that the policy is applied successfully on the tunnel. The POL_SHAPE10MEG policy is applied on the tunnel that you wanted; this way the spoke will not be able to consume the hub's bandwidth even though it has higher bandwidth.
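Added example (not part of the original thread): a small Python check that reads a hub's "show dmvpn detail" output and reports, per spoke, which NHRP group and output QoS policy the hub has attached, so spokes that registered without a shaper stand out. The function names and the sample text are assumptions made for illustration; the sample is constructed in the layout quoted above, with placeholder NBMA addresses.

```python
import re

# Constructed sample in the layout of the hub's "show dmvpn detail" output
# quoted in this thread; NBMA addresses are documentation-range placeholders.
SAMPLE = """\
Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 192.0.2.14      172.20.53.14       UP    2d20h     D   172.20.53.14/32
    1 192.0.2.20      172.20.53.20       UP    2d20h     D   172.20.53.20/32
NHRP group: MIESBACH_QOS
 Output QoS service-policy applied: POL_SHAPE10MEG
Crypto Session Details:
Interface: Tunnel0
"""

# Peer row: entries, NBMA addr, tunnel addr, state, up/down time, attrs, target (IPv4 only).
PEER = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\S+\s+\S+\s+\S+/\d+\s*$")
GROUP = re.compile(r"^\s*NHRP group:\s*(\S+)")
POLICY = re.compile(r"^\s*Output QoS service-policy applied:\s*(\S+)")

def qos_by_peer(text):
    """Map each peer tunnel address to its NBMA address, state, NHRP group and policy."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := PEER.match(line):
            current = {"nbma": m[1], "state": m[3], "group": None, "policy": None}
            peers[m[2]] = current
        elif current is not None and (m := GROUP.match(line)):
            current["group"] = m[1]      # group/policy lines follow the row they describe
        elif current is not None and (m := POLICY.match(line)):
            current["policy"] = m[1]
        elif line.startswith(("Crypto Session", "Interface")):
            current = None               # left the peer table
    return peers

def unshaped(peers):
    """Tunnel addresses of UP peers for which the hub shows no output QoS policy."""
    return sorted(a for a, p in peers.items() if p["state"] == "UP" and not p["policy"])

if __name__ == "__main__":
    table = qos_by_peer(SAMPLE)
    for addr, info in table.items():
        print(addr, info["group"], info["policy"])
    print("no per-tunnel policy:", unshaped(table))
```

The check has to run against the hub's output: per-tunnel QoS is attached on the hub when the spoke registers with its group name, which is why the spoke-side show commands in this thread list no policy.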
01-21-2013 02:00 AM
Hi Rudy,
thanks. I was assuming that there is a way to double-check or confirm on the Spoke end side if the QoS policy is really applied there as well. But if the "show dmvpn detail" output on the hub is the only way to confirm this that's fine as well.
Thanks very much,
Thorsten
01-21-2013 02:22 AM
You're very welcome, please rate useful posts and mark this question as Answered so that other people know the problem has been solved.
01-21-2013 02:29 AM
Hi Rudy,
thanks very much. I have marked it as answered. It was a very helpful contribution.
Thanks,
Thorsten
01-21-2013 02:31 AM
Great to hear that I can be of help!
05-20-2016 12:37 AM
Hi Rudy,
I have the same scenario: each branch has 6MP and runs DMVPN. I want to reduce the bandwidth to 5MP. How can we use QoS to apply it on the HUB?
Can you please share the necessary configuration?
Thanks