How to configure traffic shaping on the DMVPN spoke end with higher bandwidth

ciscoprolin

Dear All,

we have the unusual situation that one of our DMVPN Spoke Sites has a higher bandwidth rate (33 Mbit/s) than our DMVPN Hub Site.

Therefore, we need to apply traffic shaping to 10 Mbit/s on the tunnel interface on the spoke.

The following link only describes how to apply shaping on the hub end but not on the spoke end site:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_per_tunnel_qos.pdf

How should we proceed with this on the spoke router?

Will creating a service policy and then applying it to the tunnel interface do the job? Will shaping be done then after the traffic encryption or before?

And would we then need to increase the replay window-size buffer of 1024 to something higher?

Would the following example work? We would apply the Policy outbound to the Tunnel interface:

class-map match-any CLASS_ANY
 match any

policy-map POLICY_SHAPE10MEG
 class CLASS_ANY
  shape average 10000000

interface Tunnel 0
 service-policy output POLICY_SHAPE10MEG

Thanks for your help,

Thorsten

Rudy Sanjoko

You can configure the shaping on the hub, then it will apply to all the spokes, no matter if the spoke has bigger or smaller bandwidth than the hub. Actually that is the benefit of configuring the QoS on the DMVPN and it is explained on that link you've provided above. Check the "Benefits of Per-Tunnel QoS for DMVPN" section.

As to your config example, applying the service policy to the tunnel interface is done by using the following command (also explained on that link):

ip nhrp map group group-name service-policy output qos-policy-map-name

HTH

Dear Rudy,

thanks very much for your answer.

I have implemented it now but how can I find out if the shaping is really applied on the spoke end site ?

Sorry for this perhaps silly question but I'm a newbie to QoS and traffic shaping.

Thanks,

Thorsten

Use the show tunnel endpoints command; this command will display the QoS policy applied on the spoke tunnel (also mentioned on that link). It's not a newbie question and don't worry about that, people learn by asking questions, right?

HTH

*please rate helpful post

Hi Rudy,

thanks very much. Unfortunately, when I enter "sh tunnel endpoints" I'm only getting the following output. But it doesn't show a QoS policy as being applied.

Do you have any idea why this doesn't show up here? Thanks.

DERT0001#sh tunnel endpoints
Tunnel1 running in multi-GRE/IP mode

Endpoint transport 195.65.178.237 Refcount 3 Base 0x29CE2D6C Create Time 7w6d
   overlay 172.20.53.1 Refcount 2 Parent 0x29CE2D6C Create Time 7w6d
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 1 entries
Tunnel0 running in multi-GRE/IP mode

Endpoint transport 195.65.178.239 Refcount 3 Base 0x29CE2E7C Create Time 4w5d
   overlay 172.20.54.1 Refcount 2 Parent 0x29CE2E7C Create Time 4w5d
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 1 entries

Please provide the output from the following commands:

- show dmvpn detail

- show ip nhrp

- show ip nhrp group-map

- show policy-map multipoint

Hi Rudy,

thanks. Please find attached the complete output as requested for the DMVPN spoke. As you can see the tunnel group has been created under Tunnel 1 and also is propagated to the Hub but it doesn't look like the Spoke is applying the QoS on its side. Thanks,

Thorsten

sh dmvpn deta
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 172.20.54.20, VRF ""
   Tunnel Src./Dest. addr: XXXXXXXXX /MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
   Interface State Control: Disabled

IPv4 NHS: 172.20.54.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 XXXXXXXXX     172.20.54.1    UP     5w1d    S     172.20.54.1/32


Interface Tunnel1 is up/up, Addr. is 172.20.53.20, VRF ""
   Tunnel Src./Dest. addr: XXXXXXXXXXXXX/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
   Interface State Control: Disabled

IPv4 NHS: 172.20.53.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 XXXXXXXXXXXXX     172.20.53.1    UP    2d19h    S     172.20.53.1/32

Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel1 Tunnel0
Session: [0x29DA95D4]
  IKE SA: local XXXXXXXXX/500 remote XXXXXXXXXXXXXX/500 Active
          Capabilities:D connid:1126 lifetime:15:08:17
  Crypto Session Status: UP-ACTIVE    
  fvrf: (none), Phase1_id: XXXXXXXXXXXX
  IPSEC FLOW: permit 47 host XXXXXXXXX host XXXXXXXXXXXXXXX
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 192660927 drop 0 life (KB/Sec) 4204198/2051
        Outbound: #pkts enc'ed 275979781 drop 0 life (KB/Sec) 4255138/2051
   Outbound SPI : 0x265CC589, transform : esp-aes esp-sha-hmac
    Socket State: Open

Interface: Tunnel1 Tunnel0
Session: [0x29DA96C4]
  IKE SA: local XXXXXXXXXXXXXX/500 remote XXXXXXXXXXXXXXXXX/500 Active
          Capabilities:D connid:1125 lifetime:04:53:56
  Crypto Session Status: UP-ACTIVE    
  fvrf: (none), Phase1_id: XXXXXXXXXXXXXXXXX
  IPSEC FLOW: permit 47 host XXXXXXXXXXXXXX host XXXXXXXXXXXXXXXXXXXXXXX
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 1305180 drop 0 life (KB/Sec) 4572686/3505
        Outbound: #pkts enc'ed 2941702 drop 3111 life (KB/Sec) 4572685/3505
   Outbound SPI : 0xC7C93135, transform : esp-aes esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

DERT0001#sh ip nhrp
172.20.54.1/32 via 172.20.54.1
   Tunnel0 created 5w1d, never expire
   Type: static, Flags: used
   NBMA address: XXXXXXXXXXXXXXXXXXXXX
172.20.53.1/32 via 172.20.53.1
   Tunnel1 created 8w2d, never expire
   Type: static, Flags: used
   NBMA address: XXXXXXXXXXXXXXXXXXXXX


DERT0001#sh ip nhrp group-map ?
  WORD  group name
  |     Output modifiers
 

DERT0001#sh ip nhrp group-map MIESBACH_QOS
NHRP group: MIESBACH_QOS does not exist


DERT0001#sh policy-map multipoint
DERT0001#
DERT0001#
DERT0001#sh tunnel endpoints
Tunnel1 running in multi-GRE/IP mode

Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x29CE2D6C Create Time 8w2d
   overlay 172.20.53.1 Refcount 2 Parent 0x29CE2D6C Create Time 8w2d
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 1 entries
Tunnel0 running in multi-GRE/IP mode

Endpoint transport XXXXXXXXXXXXXXXXX  Refcount 3 Base 0x29CE2E7C Create Time 5w1d
   overlay 172.20.54.1 Refcount 2 Parent 0x29CE2E7C Create Time 5w1d
   Tunnel Subblocks:
      tunnel-nhrp-sb:
         NHRP subblock has 1 entries
DERT0001#sh run int tunnel 1
Building configuration...

Current configuration : 550 bytes
!
interface Tunnel1
description DMVPN2
bandwidth 10000
ip address 172.20.53.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication XXXXXXXXXXXXXXXXXXX
ip nhrp group MIESBACH_QOS
ip nhrp map multicast XXXXXXXXXXXXXXXXXX
ip nhrp map 172.20.53.1 XXXXXXXXXXXXXXXXXXXXX
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.20.53.1
ip tcp adjust-mss 1360
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100002
tunnel protection ipsec profile PROFILE_XXXXX shared

Normally when each spoke registers with the hub, the group policy configured for that spoke will be applied to the hub-spoke tunnel. I see that MIESBACH_QOS is the group name; what is the name of the QoS policy that you've configured on the hub? Can you also provide the output from the same commands on the hub side?

Hi Rudy,

thanks for your feedback. Please find below the output of the same commands on the Hub end side. The name of the QoS Policy is: POL_SHAPE10MEG and it is applied to the NHRP group as output - as you can also see below:

policy-map POL_SHAPE10MEG
 class class-default
  shape average 10000000

interface Tunnel0
 ip nhrp map group MIESBACH_QOS service-policy output POL_SHAPE10MEG

sh dmvpn det
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Intferface Tunnel0 is up/up, Addr. is 172.20.53.1, VRF ""
   Tunnel Src./Dest. addr: XXXXXXXXXXXXXXXXXXXX/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "PROFILE_MEPHA"
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1   XXXXXXXXXXXXX    172.20.53.14    UP    2d20h    D    172.20.53.14/32

    1  XXXXXXXXXXXXXX    172.20.53.20    UP    2d20h    D    172.20.53.20/32
NHRP group: MIESBACH_QOS
Output QoS service-policy applied: POL_SHAPE10MEG

Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x46A6F4C4]
  IKE SA: local XXXXXXXXXXXXX/500 remote XXXXXXXXXXXXX/500 Active
          Capabilities:(none) connid:1005 lifetime:03:57:55
Crypto Session Status: UP-ACTIVE    
  fvrf: (none), Phase1_id: XXXXXXXXXXXXX
  IPSEC FLOW: permit 47 host XXXXXXXXXXXXX host XXXXXXXXXXXXX
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 59467 drop 0 life (KB/Sec) 4451683/131
        Outbound: #pkts enc'ed 59464 drop 0 life (KB/Sec) 4451683/131
   Outbound SPI : 0x4BFCD060, transform : esp-aes esp-sha-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x46A6F5B4]
  IKE SA: local XXXXXXXXXXXXX/500 remote XXXXXXXXXXXXX/500 Active
          Capabilities:(none) connid:1006 lifetime:03:58:42
  Crypto Session Status: UP-ACTIVE    
  fvrf: (none), Phase1_id: XXXXXXXXXXXXX
  IPSEC FLOW: permit 47 host XXXXXXXXXXXXX host XXXXXXXXXXXXX
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 59491 drop 0 life (KB/Sec) 4487246/189
        Outbound: #pkts enc'ed 59709 drop 0 life (KB/Sec) 4487245/189
   Outbound SPI : 0x8CD4A88C, transform : esp-aes esp-sha-hmac
    Socket State: Open

Pending DMVPN Sessions:

rt-vpn-e-2811-192-111#sh ip nhrp
172.20.53.14/32 via 172.20.53.14
   Tunnel0 created 2d20h, expire 00:04:35
   Type: dynamic, Flags: unique registered
   NBMA address: XXXXXXXXXXXXX
172.20.53.20/32 via 172.20.53.20
   Tunnel0 created 2d20h, expire 00:04:29
   Type: dynamic, Flags: unique registered
   NBMA address: XXXXXXXXXXXXX
   Group: MIESBACH_QOS


rt-vpn-e-2811-192-111#sh ip nhrp group-map MIESBACH_QOS
Interface: Tunnel0
NHRP group: MIESBACH_QOS
  QoS policy: POL_SHAPE10MEG
  Tunnels using the QoS policy:
  Tunnel destination overlay/transport address
  172.20.53.20/XXXXXXXXXXXXX

rt-vpn-e-2811-192-111#sh policy-map multipoint

Interface Tunnel0 <--> XXXXXXXXXXXXX

  Service-policy output: POL_SHAPE10MEG

    Class-map: class-default (match-any)
      59641 packets, 6628045 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 248/45136
      shape (average) cir 10000000, bc 40000, be 40000
      target shape rate 10000000

rt-vpn-e-2811-192-111#sh tunnel endpoints
Tunnel0 running in multi-GRE/IP mode

Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x46A18FD0 Create time 2d20h
   overlay 172.20.53.14 Refcount 2 Parent 0x46A18FD0 Create time 2d20h
Endpoint transport XXXXXXXXXXXXX Refcount 3 Base 0x46A190E0 Create time 2d20h
  Tunnel Subblocks:
    tunnel-qos (Extend Forwarding):
       Tunnel-QoS subblock, QoS policy applied: POL_SHAPE10MEG
   overlay 172.20.53.20 Refcount 2 Parent 0x46A190E0 Create time 2d20h

I see on the hub that the policy is applied successfully on the tunnel. The POL_SHAPE10MEG policy is applied on the tunnel that you wanted; this way the spoke will not be able to consume the hub's bandwidth even though it has higher bandwidth.
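
The hub-side check discussed in this thread, as an added example that is not part of the original posts: a Python sketch that parses "show tunnel endpoints" output and lists the spoke overlay addresses with no per-tunnel QoS policy applied. The sample text follows the shape of the hub output posted above, with constructed transport addresses; the function names are illustrative.

```python
import re

# Constructed sample: hub "show tunnel endpoints" output in the shape posted
# in this thread; transport addresses are documentation-range placeholders.
SAMPLE = """\
Tunnel0 running in multi-GRE/IP mode

Endpoint transport 192.0.2.14 Refcount 3 Base 0x46A18FD0 Create time 2d20h
   overlay 172.20.53.14 Refcount 2 Parent 0x46A18FD0 Create time 2d20h
Endpoint transport 192.0.2.20 Refcount 3 Base 0x46A190E0 Create time 2d20h
  Tunnel Subblocks:
    tunnel-qos (Extend Forwarding):
       Tunnel-QoS subblock, QoS policy applied: POL_SHAPE10MEG
   overlay 172.20.53.20 Refcount 2 Parent 0x46A190E0 Create time 2d20h
"""

TUNNEL_RE = re.compile(r"^(Tunnel\d+) running in ")
ENDPOINT_RE = re.compile(r"^Endpoint transport (\S+)")
OVERLAY_RE = re.compile(r"^\s+overlay (\S+)")
POLICY_RE = re.compile(r"QoS policy applied:\s*(\S+)")


def parse_tunnel_endpoints(text):
    """Return one dict per endpoint: tunnel, transport, overlays, policy."""
    endpoints, tunnel, current = [], None, None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            tunnel, current = m.group(1), None
        elif m := ENDPOINT_RE.match(line):
            current = {"tunnel": tunnel, "transport": m.group(1),
                       "overlays": [], "policy": None}
            endpoints.append(current)
        elif current is None:
            continue
        elif m := OVERLAY_RE.match(line):
            current["overlays"].append(m.group(1))
        elif m := POLICY_RE.search(line):
            # The subblock can precede or follow the overlay line, so it is
            # attached to the enclosing endpoint rather than the last overlay.
            current["policy"] = m.group(1)
    return endpoints


def unshaped_overlays(text):
    """Overlay addresses of endpoints with no per-tunnel QoS policy."""
    return [o for ep in parse_tunnel_endpoints(text)
            if ep["policy"] is None for o in ep["overlays"]]


if __name__ == "__main__":
    for ep in parse_tunnel_endpoints(SAMPLE):
        print(ep["tunnel"], ep["overlays"], ep["policy"] or "NO POLICY")
```

Run against output captured from the hub, unshaped_overlays() returns the spokes that registered without an NHRP group mapped to a policy.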

Hi Rudy,

thanks. I was assuming that there is a way to double-check or confirm on the Spoke end side if the QoS policy is really applied there as well. But if the "show dmvpn detail" output on the hub is the only way to confirm this that's fine as well.

Thanks very much,

Thorsten

You're very welcome, please rate useful posts and mark this question as Answered so that other people know the problem has been solved.

Hi Rudy,

thanks very much. I have marked it as answered. It was a very helpful contribution.

Thanks,

Thorsten

Great to hear that I can be of help!

Hi Rudy,

I have the same scenario: each branch has 6MP and runs DMVPN. I want to reduce the bandwidth to 5MP. How can we use QoS to apply it on the HUB?

Can you please share the necessary configuration?

Thanks 
