QoS For IPSec VPNs BRKRST-2513
Robert Barton
Systems Engineer
CCIE #6660
CCDE #2013::6
© 2013 Cisco and/or its affiliates. All rights reserved. BRKRST-2513 Cisco Public
Presentation Source Material
End-to-End QoS Network Design
– 2nd Edition to be published later in 2013 (on the shelves late 2013 / early 2014)
– First Edition one of best selling Cisco Press books of all time
– It was time for a 2nd edition!
Book is organized around PINs (Places in the Network), e.g. Data Center, WAN, Wireless, VPN, Campus
Content in this session primarily based on the “QoS Design for IPSec” section
QoS For IPSec VPNs AGENDA
• End-to-End QoS Design
• IPSec QoS Design Considerations
• DMVPN QoS Design
• GETVPN QoS
• Wrap-up and Final Thoughts
Making the Case for QoS in IPSec
Why bother doing QoS in IPSec?
The Internet is full of congestion and oversubscription – does QoS really have a role?
Since many IPSec deployment models use the Internet, why bother?
– What about Site-to-Site VPN over Internet?
– Remote Access VPN from home
We can only control what we can control
– We cannot control the Internet, but we can stop tripping over ourselves!
– IPSec is also used in private networks
The Different IPSec Deployment Models
Four Major VPN Deployment Models – Different IPSec Models Require Different QoS Considerations
Traditional Site-to-Site
– VPN Use Case: Router-to-Router over Internet
– QoS Model: Apply QoS to Static Tunnel Endpoints
DMVPN
– VPN Use Case: Large Scale over public networks
– QoS Model: Per-Tunnel QoS
FlexVPN
– VPN Use Case: IKEv2, Large Scale over public networks
– QoS Model: Per-Tunnel QoS
GETVPN
– VPN Use Case: Private Clouds (MPLS)
– QoS Model: VPN QoS Without Tunnels
Remote Access
– VPN Use Case: Remote teleworker
– QoS Model: Limited to None
Unique Challenges Posed by IPSec
IPSec introduces many challenges not seen in the campus network
Scaling large VPNs
– Has required the development of new topologies, such as DMVPN, FlexVPN, and GETVPN
Traffic classification in the face of encryption
– How do we perform QoS classification when the packet gets encrypted?
MTU issues
– IPSec and GRE add a significant number of bytes, which often causes severe QoE issues
Bandwidth Mismatch Challenges
– Headend Router oversubscription fan-out
– How do things like WAAS and voice compression codecs affect QoS and QoE?
AGENDA: End-to-End QoS Design / IPSec QoS Design Considerations
Three Common QoS Strategies
4-Class Model: Realtime, Control Signaling, Transactional Data, Best Effort
8-Class Model: Voice, Multimedia Conferencing, Multimedia Streaming, Network Control, Signaling, Transactional Data, Scavenger, Best Effort
12-Class Model: Voice, Broadcast Video, Realtime Interactive, Multimedia Conferencing, Multimedia Streaming, Network Control, Signaling, OAM, Transactional Data, Bulk Data, Scavenger, Best Effort
What QoS Tools are Used in IPSec VPNs? Not all QoS tools are used everywhere
QoS Tool – Description
HQoS – One of the primary tools used to support per-tunnel QoS
 1. Shaping – Used in concert with HQoS to apply artificial backpressure
 2. CBWFQ – After shaping, CBWFQ is used to apply your class model
AVC – Can be used to manage certain applications
WRED – Useful for high TCP serialization (part of CBWFQ)
DSCP Marking – Typically not used here (marking should happen at edge)
Policing – Typically not used here (marking should happen at edge)
Quick Level Set: IPSec Packet Structure – Transport Mode
Transport Mode makes a copy of the original IP header
– Has some pros and cons: QoS gets easier, but inside networks are exposed
Original IP Packet: [IP Header][TCP/UDP][Data]
Transport Mode packet: [Original IP Header][ESP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
– Encrypted with IPSec (ESP): TCP/UDP, Data, ESP Trailer
– Authenticated with IPSec (ESP): ESP Header through ESP Trailer
Quick Level Set: IPSec Packet Structure – Tunnel Mode
Tunnel Mode is the default mode in IOS routers
– Original IP packet is encased in a new ESP IP packet
– ToS byte (DSCP value) is copied, but other elements of the inside header are hidden
Original IP Packet: [IP Header][TCP/UDP][Data]
Tunnel Mode packet: [New IP Header][ESP Header][Original IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
– Encrypted with IPSec (ESP): Original IP Header, TCP/UDP, Data, ESP Trailer
– Authenticated with IPSec (ESP): ESP Header through ESP Trailer
VPN Packet Classification – Effect of multiple encapsulations
Most common approach is to use IPSec Tunnel mode with GRE encapsulation
Original IP Packet: [IP Header][TCP/UDP][Data]
GRE Encapsulated: [GRE IP Header][GRE][Orig IP Header][TCP/UDP][Data]
– ToS byte is copied to the GRE IP header
Encrypted by IPSec: [New IP Header][ESP Header][GRE IP Header][GRE][Orig IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
– ToS byte is copied to the new IP header
VPN Packet Classification – Effect of multiple encapsulations
Encapsulating the packet limits the ability to classify for QoS
By default, the ToS byte is always copied from the inner packet to the IPSec and GRE headers
Due to the IOS order of operations (tunneling and encryption happen before QoS classification), once a packet is encrypted it is impossible to see the original packet, so classification beyond the ToS byte (e.g. classification based on IP address, protocol type, or TCP/UDP port numbers) is limited
IOS Pre-Classify Feature
QoS Pre-Classify Feature was Developed to Overcome this Limitation
The “QoS Pre-Classify” feature has the effect of reversing this order of operations: QoS classification takes place before tunneling and encryption
The router makes a “clone” of the original packet header and keeps it in memory to be used later in case more elaborate classification is required
IOS Pre-Classify Feature (2) – Packet Header Cloning
Example:
– Classify incoming traffic not on DSCP, but on TCP port number (23)
– The QoS Pre-Classify command instructs the router to make a clone of the original IP packet to use for classification
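The following Python script is an added illustration, not part of the presentation and not Cisco code, of why classification beyond the ToS byte fails after GRE-over-IPSec encapsulation and what the pre-classify clone gives back. It builds an IPv4/TCP packet to port 23, wraps it in GRE and then in ESP tunnel mode, copying the ToS byte outward at each step as the slides describe, and then runs a DSCP match and a TCP-port match against the outer packet and against the cleartext clone. Assumptions: the addresses, key, SPI and payload are constructed; the "cipher" is a SHA-256 counter keystream XOR standing in for a real ESP transform (it only has to make the inner bytes unreadable to the classifier); IP checksums are left at zero.

```python
import hashlib
import hmac
import struct

# 4-class model class-maps from the slides: class name -> DSCP value matched.
FOUR_CLASS_MAPS = [("REALTIME", 46), ("CONTROL", 24), ("TRANSACTIONAL-DATA", 18)]


def ipv4_header(src, dst, proto, tos, payload_len):
    """20-byte IPv4 header; checksum left at 0 (constructed, not for the wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (seq/ack 0, PSH+ACK, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)


def original_packet(dscp, dport, src="10.1.1.10", dst="10.2.2.20", data=b"constructed"):
    """Cleartext IPv4/TCP packet carrying the given DSCP (ToS byte = DSCP << 2)."""
    tcp = tcp_header(40000, dport)
    return ipv4_header(src, dst, 6, dscp << 2, len(tcp) + len(data)) + tcp + data


def gre_encap(inner, tun_src, tun_dst):
    """GRE encapsulation: the inner ToS byte is copied to the GRE IP header."""
    gre = struct.pack("!HH", 0, 0x0800)  # no flags, protocol type IPv4
    return ipv4_header(tun_src, tun_dst, 47, inner[1], len(gre) + len(inner)) + gre + inner


def keystream(key, n):
    """Stand-in cipher: SHA-256 counter keystream (NOT a real ESP transform)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def esp_tunnel_encap(pkt, key, out_src, out_dst, spi=0x1000, seq=1):
    """ESP tunnel mode: new outer IP header (ToS copied again), ESP header,
    encrypted [payload | padding | pad length | next header], 96-bit ICV."""
    pad_len = (-(len(pkt) + 2)) % 4
    plain = pkt + bytes(pad_len) + bytes([pad_len, 4])  # next header 4 = IP-in-IP
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))
    esp = struct.pack("!II", spi, seq) + cipher
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:12]
    return ipv4_header(out_src, out_dst, 50, pkt[1], len(esp) + len(icv)) + esp + icv


def esp_tunnel_decap(pkt, key):
    """Receiver side: verify the ICV, decrypt, strip the ESP trailer."""
    ihl = (pkt[0] & 0x0F) * 4
    esp, icv = pkt[ihl:-12], pkt[-12:]
    if not hmac.compare_digest(hmac.new(key, esp, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ICV mismatch")
    clear = bytes(a ^ b for a, b in zip(esp[8:], keystream(key, len(esp) - 8)))
    pad_len = clear[-2]
    return clear[:len(clear) - pad_len - 2]


def classify_by_dscp(pkt, class_maps=FOUR_CLASS_MAPS):
    """What an egress policy sees without pre-classify: only the outer ToS byte."""
    dscp = pkt[1] >> 2
    for name, wanted in class_maps:
        if dscp == wanted:
            return name
    return "class-default"


def match_tcp_dport(pkt, port):
    """A port-based match: works on the cleartext clone, fails on the ESP
    packet because its protocol is 50 and the TCP header is ciphertext."""
    if pkt[9] != 6:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == port


if __name__ == "__main__":
    key = b"constructed-demo-key"
    orig = original_packet(18, 23)  # AF21, telnet
    clone = orig                     # what "qos pre-classify" keeps for the classifier
    gre = gre_encap(orig, "192.168.1.1", "192.168.2.1")
    esp = esp_tunnel_encap(gre, key, "203.0.113.1", "198.51.100.1")
    print("outer proto", esp[9], "outer DSCP", esp[1] >> 2, "->", classify_by_dscp(esp))
    print("port 23 match on ESP packet:", match_tcp_dport(esp, 23))
    print("port 23 match on pre-classify clone:", match_tcp_dport(clone, 23))
```

Running the script shows the two halves of the slide's argument: the DSCP match still works on the doubly encapsulated packet because the ToS byte was copied out twice, while the port-23 match only succeeds on the clone that pre-classify retains.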
IOS Pre-Classify Feature
Sample Configuration of QoS Pre-Classify
As a best practice, always configure QoS Pre-Classify
Minimal CPU impact – good practice to always have it on
Crypto map example:
crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set MYSET
 match address ACL
 qos pre-classify
!
interface FastEthernet 0/0
 ip address 10.1.1.100
 crypto map MYMAP
GRE tunnel example:
interface Tunnel500
 ip address 192.168.1.0 255.255.255.252
 qos pre-classify
 tunnel source 192.168.1.1
 tunnel destination 192.168.2
!
interface FastEthernet 0/0
 ip address 10.1.1.100
Compression Helps QoE
TCP Strategy – Use WAAS
To improve WAN performance over a VPN, compression techniques are often used. Two key compression techniques are worth considering:
– Wide Area Application Services (WAAS)
– Voice codec compression
When congestion occurs at one end of the VPN, WAAS can compress the data, greatly alleviating congestion issues and improving performance.
To protect real-time applications, QoS is still required on WAN accelerated links
WAAS leaves the entire IP packet header intact, meaning there is no impact to QoS classification
Compression Strategies Over VPN (2)
RTP Strategy – Choosing the Right Voice Codec
Another design consideration is which voice codec to choose
– iLBC is generally the better choice over G.729
– Widely supported in Cisco IP phones
What About a VPN Remote Access Client?
QoS on the AnyConnect Client
In short, there is no QoS capability in the AnyConnect client itself
Internal QoS markings are copied to the AnyConnect VPN packet header so they can be handled in a PHB by routers in the path.
AnyConnect does utilize DTLS
– DTLS improves overall user experience for realtime applications
Datagram Transport Layer Security (DTLS)
DTLS Overview
The AnyConnect client supports DTLS for real-time apps (Jabber, video, etc.)
Basic problem with SSL-based TLS is that it is TCP-based
– Any application that is sensitive to packet loss, latency, or jitter (real-time apps) suffers greatly when transported over TCP
AnyConnect is smart enough to detect real-time traffic, then chop it into datagrams to mimic UDP
– A datagram model for TLS
Figure: without DTLS, voice packets 1..n are carried inside one encrypted TCP SSL session; with DTLS, each voice packet (1..n) becomes its own encrypted packet (TLS)
DTLS Example
Figure: non-real-time data packets 1..n travel over the encrypted TCP session, while real-time voice packets 1..n are each sent as an encrypted datagram
AGENDA: DMVPN QoS Design
DMVPN Use Cases
DMVPN is Widely, Widely Deployed
DMVPN is one of the most popular IPSec topologies in use today
– Utilizes multipoint GRE to pass traffic, which is encrypted by IPSec tunnel mode.
DMVPNs are used over public, untrusted networks, such as the Internet
DMVPN allows dynamic spoke-to-spoke communication using
DMVPN is simple to deploy and manage
– A new QoS feature, supported on ISR G2 & ASR 1K, was developed for DMVPNs, called Per-Tunnel QoS for DMVPN
DMVPN QoS Design
• All DMVPN routers have implicit trust of the DSCP marking of incoming packets (no remarking)
• HQoS is used at the WAN aggregation router and the remote spoke routers
• The DMVPN hub performs per-SA (per tunnel) QoS
Figure: DMVPN Hub Router with three Spokes; implicit trust on the LAN side (no remarking), HQoS + CBWFQ on the WAN interface
DMVPN Building Blocks
3 Key Building Blocks
1. Multipoint GRE (mGRE)
– One GRE tunnel interface to rule them all!
– A challenge for QoS: with point-to-point GRE each tunnel endpoint has its own tunnel interface, so you can apply a policy map to each GRE tunnel interface (not so with mGRE)
2. Dynamic Discovery of IPSec Tunnel Endpoints, Crypto Profiles, and QoS policies
– Everything about DMVPN was designed to be dynamic – including QoS
3. Next Hop Resolution Protocol (NHRP)
– NHRP is the “brains of the operation”
NHRP Registration Process
• A spoke uses NHRP to register itself with the DMVPN hub
• The DMVPN hub keeps an NHRP database of the spokes
• NHRP database includes information about what kind of a QoS policy is applied to each particular spoke
Figure: DMVPN Hub Router (the headend router maintains the NHRP DB; one mGRE interface serves all tunnels) with three Spokes (dynamic DHCP address, on-demand tunnels)
The Need for a Different Approach in DMVPN
Why Doesn’t the traditional QoS approach stack up?
In the past, each VPN tunnel had a QoS service policy attached
Additionally, a global egress QoS policy was attached to the WAN interface
This was often deployed as a two-box solution
Since mGRE uses a *single* GRE tunnel interface, this approach does not work
Figure: DMVPN Hub Router
• Need a QoS policy on each tunnel interface (downstream)
• Plus, need a global policy on the egress interface
How Does HQoS Work?
HQoS is the answer (part 1)
IMPORTANT: QoS policies only ever kick in when congestion is experienced on an interface!!!
If no congestion is detected by the router, QoS WILL NOT kick in
A packet shaper can simulate “back pressure”, telling the router that congestion has occurred
CAUTION!
– This is very taxing on the router CPU (especially ISR G2)
– Consult the spec sheets for guidelines
Figure: Parent Policy = Traffic Shaper (shape to tunnel bandwidth – creates congestion); the parent signals to the Child Policy = QoS CBWFQ Policy with Realtime (33%), Control (7%), X-Data (35%), Default (25%)
Per-Tunnel QoS for DMVPN
How does the router know which QoS policy to apply to each spoke?
The hub router keeps a QoS profile for each kind of spoke
These are called “NHRP groups”
When spokes register they announce to the hub what group they are a part of
Figure: the spoke sends an NHRP Registration and its “Group” membership name to the hub
– DMVPN Spoke Router: “Hey, I’m in NHRP spoke ‘Group 1’. Make sure I get the right QoS profile for ‘Group 1’.”
– DMVPN Hub Router: “Oh, you’re part of ‘Spoke Group 1’. Okay, I’ll assign to you the QoS policy for group 1.”
DMVPN Design Example
Let’s Consider an Example:
A DMVPN hub with three kinds of spokes:
– Small Spoke: “I’m in Spoke Group 1”
– Medium Spoke: “I’m in Spoke Group 2”
– Large Spoke: “I’m in Spoke Group 3”
DMVPN Hub Router: “My configuration says NHRP Group 1 gets 1.5 Mbps, Group 2 gets 10 Mbps, and Group 3 gets 50 Mbps”
Group 1 = 1.5 Mbps
Group 2 = 10 Mbps
Group 3 = 50 Mbps
DMVPN QoS Configuration Steps – Design Example
Spoke Group Name | Bandwidth Required at Spoke | Types of Applications in Use | QoS Model
Group 1 (small groups) | 1.5 Mbps | Voice; Web Applications | 4-Class
Group 2 (medium size groups) | 10 Mbps | Voice; TelePresence; Jabber; Web Applications | 8-Class
Group 3 (large spokes) | 50 Mbps | Voice; TelePresence; Jabber; Web Applications; Broadcast Video | 12-Class
Small Branches: 4-Class Model Definition
Class | DSCP | Application Examples | QoS Handling
Realtime | EF | IP Phones, TelePresence, WebEx, Jabber | 33% of BW, Strict Priority
Control | CS3 | OAM, Routing Protocols | 7% BW Guarantee
Transactional Data | AF21 | Database Apps, Email, FTP, Backups; CRM Apps, Broadcast Video, Multimedia Streaming | 35% BW Guarantee, WRED
Best Effort | DF | Everything Else | 25% BW Guarantee, WRED
DMVPN Configuration Example
Hub Router Configuration Steps
Step 1: Create the Class Maps
– Defines the basic traffic classification
Step 2: Configure the “Child” Policy
– This is the CBWFQ policy
Step 3: Configure the “Parent” Policy
– This is the shaper used per spoke
Step 4: Attach the parent shaper to the mGRE tunnel interface
– This step also associates the NHRP group membership to each parent shaper
Step 5: Verify QoS is working correctly
DMVPN Configuration Example – Step 1: Create the Class Maps for Each Model
Configure the required class maps
Depending on what QoS Class model you choose, this will vary
In this example, there are THREE spoke groups, thus class maps for all three models need to be configured on the hub router
Class maps for the 4-class model (one class-map per class; the default class needs no class-map, since class-default in the policy-map catches it):
ASR1K(config)# class-map match-all REALTIME
ASR1K(config-cmap)# match dscp ef
ASR1K(config-cmap)# class-map match-all CONTROL
ASR1K(config-cmap)# match dscp cs3
ASR1K(config-cmap)# class-map match-all TRANSACTIONAL-DATA
ASR1K(config-cmap)# match dscp af21
DMVPN Configuration Example – Step 2: Hub Router Child Policy
This policy-map is a “Child” of the parent policy map that is responsible for shaping all 4-class spokes
When the shaper creates artificial backpressure, this policy-map is invoked by the router
This policy will not be used unless the parent policy signals “congestion” to the router
ASR1000(config)# policy-map 4-CLASS-CHILD
ASR1000(config-pmap)# class REALTIME
ASR1000(config-pmap-c)# priority percent 33
ASR1000(config-pmap)# class CONTROL
ASR1000(config-pmap-c)# bandwidth percent 7
ASR1000(config-pmap)# class TRANSACTIONAL-DATA
ASR1000(config-pmap-c)# bandwidth percent 35
ASR1000(config-pmap-c)# fair-queue
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# bandwidth percent 25
ASR1000(config-pmap-c)# fair-queue
ASR1000(config-pmap-c)# random-detect
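The following Python model is an added illustration, not part of the presentation and not Cisco code, of the parent/child behaviour described on the HQoS slide and implemented by the 4-CLASS-CHILD policy above: the parent shaper only creates "congestion" when the offered load exceeds the tunnel rate, and only then does the child policy divide the rate among classes. The allocation rules are a simplification of CBWFQ/LLQ (the priority class is served first but policed to its percentage while congested; each bandwidth class gets its guaranteed minimum; leftover bandwidth is shared among still-hungry classes in proportion to their percentages), not Cisco's scheduler. The shaper rates come from the design example; the offered loads are constructed.

```python
# Child policy from the 4-CLASS-CHILD slide: (class, percent, is priority/LLQ class).
FOUR_CLASS_CHILD = [
    ("REALTIME", 33, True),
    ("CONTROL", 7, False),
    ("TRANSACTIONAL-DATA", 35, False),
    ("class-default", 25, False),
]

# Parent shapers from the design example, in bits per second.
PARENT_SHAPERS = {
    "SPOKE-1-GROUP": 1_500_000,
    "SPOKE-2-GROUP": 10_000_000,
    "SPOKE-3-GROUP": 50_000_000,
}


def allocate(shape_rate, child, offered):
    """Return {class: bps actually sent} for one tunnel.

    offered: {class: bps the class is trying to send}. Simplified CBWFQ/LLQ model.
    """
    offered = {c: offered.get(c, 0) for c, _, _ in child}
    if sum(offered.values()) <= shape_rate:
        # No backpressure from the shaper: the child policy never engages and
        # every class sends exactly what it offered.
        return dict(offered)
    sent, remaining, unmet = {}, float(shape_rate), {}
    # 1. The LLQ class is served first, but under congestion it is policed to its
    #    percentage of the shaped rate so it cannot starve the other classes.
    for c, pct, prio in child:
        if prio:
            sent[c] = min(offered[c], shape_rate * pct / 100)
            remaining -= sent[c]
    # 2. Every bandwidth class receives its guaranteed minimum (or less, if it offers less).
    for c, pct, prio in child:
        if not prio:
            sent[c] = min(offered[c], shape_rate * pct / 100)
            remaining -= sent[c]
            if offered[c] > sent[c]:
                unmet[c] = pct
    # 3. Whatever is left is shared among classes that still want more, weighted by
    #    their percentages; a class that becomes satisfied drops out of the share.
    while remaining > 1e-6 and unmet:
        pool, total_w = remaining, sum(unmet.values())
        for c, w in list(unmet.items()):
            give = min(pool * w / total_w, offered[c] - sent[c])
            sent[c] += give
            remaining -= give
            if offered[c] - sent[c] <= 1e-6:
                del unmet[c]
    return {c: round(v) for c, v in sent.items()}


def allocate_for_group(group, offered, child=FOUR_CLASS_CHILD):
    """Apply the parent shaper of an NHRP group and then the child policy."""
    return allocate(PARENT_SHAPERS[group], child, offered)


if __name__ == "__main__":
    # Constructed offered load, the same for every spoke size.
    load = {"REALTIME": 800_000, "CONTROL": 50_000,
            "TRANSACTIONAL-DATA": 1_000_000, "class-default": 1_000_000}
    for group in PARENT_SHAPERS:
        print(group, allocate_for_group(group, load))
```

With that load the 1.5 Mbps spoke is congested, so the child engages: REALTIME is held to 33% (495 kbps) even though it offers 800 kbps, CONTROL gets all of its 50 kbps, and the 55 kbps not consumed by the guarantees is split 35:25 between the two data classes. The 10 Mbps and 50 Mbps spokes carry the same load uncongested, so every class sends what it offered and no queueing policy is applied, which is exactly the "QoS only kicks in under congestion" point from the HQoS slide.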
DMVPN Configuration Example – Step 3: Configure Parent Policy – The Nested service policy calls the child policy
4-Class Parent Policy (shapes to 1.5 Mbps):
ASR1000(config)# policy-map 4-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 1500000
ASR1000(config-pmap-c)# service-policy 4-CLASS-CHILD
8-Class Parent Policy (shapes to 10 Mbps):
ASR1000(config)# policy-map 8-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 10000000
ASR1000(config-pmap-c)# service-policy 8-CLASS-CHILD
12-Class Parent Policy (shapes to 50 Mbps):
ASR1000(config)# policy-map 12-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 50000000
ASR1000(config-pmap-c)# service-policy 12-CLASS-CHILD
DMVPN Configuration Example – Step 4: Attach the Service Policy to the mGRE Interface
Multiple service policies may be attached to the same mGRE interface
ASR1000(config)# interface Tunnel10
ASR1000(config-if)# ip address 10.1.1.254 255.255.255.0
ASR1000(config-if)# ip nhrp authentication hector
ASR1000(config-if)# ip nhrp map multicast dynamic
ASR1000(config-if)# ip nhrp map group SPOKE-1-GROUP service-policy output 4-CLASS-PARENT
ASR1000(config-if)# ip nhrp map group SPOKE-2-GROUP service-policy output 8-CLASS-PARENT
ASR1000(config-if)# ip nhrp map group SPOKE-3-GROUP service-policy output 12-CLASS-PARENT
ASR1000(config-if)# ip nhrp network-id 12300
ASR1000(config-if)# tunnel source GigabitEthernet0/0/0
ASR1000(config-if)# tunnel mode gre multipoint
ASR1000(config-if)# tunnel key 3210
ASR1000(config-if)# qos pre-classify
ASR1000(config-if)# tunnel protection ipsec profile MY-BIG-VPN
DMVPN Configuration Example – Step 5: Verify DMVPN QoS Configuration
Useful commands to verify your config:
show ip nhrp group-map
– Useful to see what QoS policies have been applied to each DMVPN NHRP group
show policy-map multipoint
show dmvpn detail
ASR1000# show ip nhrp group-map
!
Interface: Tunnel10
NHRP group: SPOKE-1-GROUP
QoS policy: 4-CLASS-PARENT
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
10.1.1.30/172.17.10.1
NHRP group: SPOKE-2-GROUP
QoS policy: 8-CLASS-PARENT
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
10.1.1.40/172.16.20.1
NHRP group: SPOKE-3-GROUP
QoS policy: 12-CLASS-PARENT
…
DMVPN Spoke Router Considerations – DMVPN Spoke Router Requirements are Different
Figure: Home Router → ISP Provided Router → Internet
– The link with the ISP router is 100 Mbps full-duplex; no congestion is encountered there
– The home router is sending in excess of 10 Mbps; since the ISP limits bandwidth to 10 Mbps, congestion is encountered at the ISP's limit, causing packet loss
DMVPN Spoke Configuration Example
Step 1: Create the class maps
Step 2: Define the child policy maps with CBWFQ
Step 3: Define the parent policy map as a packet shaper
Step 4: Attach the policy map to the GRE interface
Step 5: Add NHRP group membership detail to the GRE interface
Spoke Router Configuration – Configure NHRP To Announce Group Membership
ISR1941_SPOKE_1(config)# interface tunnel10
ISR1941_SPOKE_1(config-if)# ip address 10.1.1.30 255.255.255.0
ISR1941_SPOKE_1(config-if)# ip nhrp authentication hector
ISR1941_SPOKE_1(config-if)# ip nhrp group SPOKE-1-GROUP
ISR1941_SPOKE_1(config-if)# ip nhrp map 10.1.1.254 172.25.1.254
ISR1941_SPOKE_1(config-if)# ip nhrp map multicast 172.25.1.254
ISR1941_SPOKE_1(config-if)# ip nhrp network-id 12300
ISR1941_SPOKE_1(config-if)# ip nhrp nhs 10.1.1.254
ISR1941_SPOKE_1(config-if)# ip tcp adjust-mss 1360
ISR1941_SPOKE_1(config-if)# tunnel source GigabitEthernet0/0
ISR1941_SPOKE_1(config-if)# tunnel mode gre multipoint
ISR1941_SPOKE_1(config-if)# tunnel key 3210
ISR1941_SPOKE_1(config-if)# tunnel protection ipsec profile MY-BIG-VPN
What About FlexVPN QoS?
Very Similar to DMVPN
FlexVPN follows the same per-tunnel (per-SA) QoS model as DMVPN
FlexVPN uses “virtual-template” tunnel interfaces
Use NHRP and per-tunnel QoS on the virtual-template interface
Does not support spoke-to-spoke
crypto ikev2 authorization policy default
 pool FlexSpokes
!
crypto ikev2 profile Flex_IKEv2
 match identity remote fqdn domain cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set ikev2-profile Flex_IKEv2
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback100
 ip nhrp network-id 2
 ip nhrp redirect
 ip nhrp group SPOKE-1-GROUP
 tunnel protection ipsec profile default
AGENDA: GETVPN QoS
Group Encrypted Transport VPN Review – GETVPN and DMVPN / FlexVPN are Fundamentally Different
 | DMVPN / FlexVPN | GETVPN
Use Case | Public Networks (Internet) | Private Clouds (MPLS)
Network Style | Hub-and-Spoke and Spoke-to-Spoke | Any-to-Any
Routing Architecture | Routing inside GRE tunnels | Native IGP routing over the WAN
Encryption Style | Point-to-Point encryption | Group Encryption
QoS Implementation | Per-Tunnel QoS managed through NHRP group membership | QoS is applied at each GETVPN Group Member since no tunnels are used
GETVPN Building Blocks
Instead of using separate encryption keys and a different SA pair for each pair of routers, GDOI uses a single unified security association for all the routers
So instead of encrypting “pairs” of routers, GETVPN gives the same encryption keys to everyone in the trusted group
Thus, GETVPN easily promotes any-to-any communication
Figure: Head Office with Primary KS and Secondary KS; GMs (CE Routers) connected over the MPLS Network, each holding the Group Key
GETVPN Architecture
Where is QoS Applied in GETVPN?
Figure: Head Office (Primary KS, Secondary KS) and Branch Offices 1, 2 … n, each a GM (CE Router) holding the Group Key, connected over the MPLS Network
WAN Interface: CBWFQ on the physical interface. Possibly will require a hierarchical shaper on this interface as well
LAN Interface: Implicit trust, no remarking of packets
GET VPN Control Packets are automatically marked as CS6 (GDOI and ISAKMP)
IP Header Preservation
Header Preservation makes GETVPN Ideal for Private Networks
GETVPN preserves the entire original IP packet header
– Includes Src, Dest IP addresses, TCP/UDP port numbers, ToS byte, and DF bit
Original IP Packet: [IP Header][Data]
GET VPN Packet Format: [IP Header][ESP][Data] – GET VPN preserves the original IP header
A Word of Caution on Working with Your ISP
DSCP Continuity and Matching QoS Class Models
A word of caution when working with ISPs . . .
Very often ISPs have a different QoS model than yours:
– Many ISPs use IP Precedence only: DSCP 46 (Binary: 101110) becomes IPP 5 (Binary: 101), and reemerges as DSCP 40 (Binary: 101000) on the other side!
If this is the case, it will cause DSCP havoc. You will need to remark at the GM on ingress from the ISP network
If you choose an 8-class model, does your ISP support this?
Always discuss these issues with your ISP early.
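The following Python script is an added illustration, not part of the presentation and not Cisco code, of the DSCP-to-IP-Precedence problem described above, carried through for the whole 8-class model rather than just EF. It reproduces the slide's 46 → 5 → 40 walk, then finds which classes of the 8-class model arrive at the GM carrying the same value after an IPP-only ISP, and builds the ingress remark table that the slide says you will need. The class names and DSCP values are the 8-class model from this session; the functions are assumptions of this example.

```python
# 8-class model (class -> DSCP decimal value) as used for the GETVPN Group Members.
EIGHT_CLASS_DSCP = {
    "NETWORK-CONTROL": 48,          # CS6
    "VOICE": 46,                    # EF
    "MULTIMEDIA-CONFERENCING": 34,  # AF41
    "MULTIMEDIA-STREAMING": 26,     # AF31
    "SIGNALING": 24,                # CS3
    "TRANSACTIONAL-DATA": 18,       # AF21
    "SCAVENGER": 8,                 # CS1
    "BEST-EFFORT": 0,               # DF
}


def dscp_to_ipp(dscp):
    """IP Precedence is the top three bits of the 6-bit DSCP."""
    return dscp >> 3


def ipp_to_dscp(ipp):
    """A device that only understands IPP re-emits the class selector:
    the three precedence bits followed by zeros."""
    return ipp << 3


def through_ipp_only_isp(dscp):
    """DSCP value that comes out the far side of an IPP-only ISP."""
    return ipp_to_dscp(dscp_to_ipp(dscp))


def describe(dscp):
    """The slide's walk-through, in one line, for any DSCP value."""
    ipp = dscp_to_ipp(dscp)
    out = ipp_to_dscp(ipp)
    return f"DSCP {dscp} ({dscp:06b}) -> IPP {ipp} ({ipp:03b}) -> DSCP {out} ({out:06b})"


def arrivals(model):
    """{DSCP seen on GM ingress from the ISP: [classes that now share that value]}"""
    seen = {}
    for cls, dscp in model.items():
        seen.setdefault(through_ipp_only_isp(dscp), []).append(cls)
    return seen


def collisions(model):
    """Arriving DSCP values that two or more classes have collapsed onto."""
    return {d: c for d, c in arrivals(model).items() if len(c) > 1}


def ingress_remark_table(model):
    """Remark map for the GM's ISP-facing ingress: arriving DSCP -> original DSCP.
    None marks a value that two classes collapsed onto; the marking alone cannot
    tell them apart, so those need another classification criterion."""
    return {d: (model[c[0]] if len(c) == 1 else None) for d, c in arrivals(model).items()}


if __name__ == "__main__":
    print(describe(46))
    for d, classes in collisions(EIGHT_CLASS_DSCP).items():
        print(f"collision at arriving DSCP {d}: {classes}")
    for d, back in sorted(ingress_remark_table(EIGHT_CLASS_DSCP).items()):
        print(f"ingress DSCP {d:2d} -> remark to {back}")
```

The interesting output is the collision: AF31 (Multimedia Streaming) and CS3 (Signaling) both share precedence 3, so both arrive as DSCP 24 and a marking-based remark cannot separate them again. That is the concrete form of the "does your ISP support an 8-class model?" question; the 4-class model on this page (EF, CS3, AF21, DF) has no such collision, which the same functions will confirm if you pass it in.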
GETVPN QoS Configuration Steps
QoS Needs Attention in Two Places
Key Server Routers:
– Step 1: Ensure a DSCP trust relationship exists for the KS control traffic
  KS uses UDP ports 500 (ISAKMP) and 848 (GDOI) control protocols
  These protocols must be classified as “Network Control” (CS6)
– Step 2: Ensure sufficient bandwidth is available for the KS control traffic (especially the GDOI rekeying traffic)
Group Member Routers:
– Step 1: Configure the QoS class maps
– Step 2: Configure the QoS policy maps
– Step 3: Attach policy map to physical WAN interface
Medium Branches: 8-Class Model Definition
Class | DSCP | Application Examples | QoS Handling
Voice | EF | IP Phones | 10% of BW, Strict Priority
Multimedia Conferencing | AF41 | Jabber, WebEx, TelePresence | 23% BW, Strict Priority
Multimedia Streaming | AF31 | Video on Demand | 10% BW Guarantee, DSCP-Based WRED
Network Control | CS6 | OAM, Routing Protocols | 5% BW Guarantee
Signaling | CS3 | SIP, H.323 | 2% BW Guarantee
Transactional Data | AF21 | CRM, Database, etc. | 24% BW Guarantee, DSCP-Based WRED
Scavenger | CS1 | BitTorrent, etc. | Limited to 1% of BW
Best Effort | DF | Default | 25% BW Guarantee + WRED
QoS on Group Member – Policy Map
Let’s use an 8-Class QoS model for the Group Members
Unlike DMVPN, there is no real concept of a “headend” and no VPN aggregation router, thus all GMs will use the same QoS configuration
Notice all bandwidth percentages add up to 100%
ISR3925-GM(config)# policy-map 8-CLASS-QOS-GETVPN
ISR3925-GM(config-pmap)# class VOICE
ISR3925-GM(config-pmap-c)# priority percent 10
ISR3925-GM(config-pmap)# class MULTIMEDIA-CONFERENCING
ISR3925-GM(config-pmap-c)# priority percent 23
ISR3925-GM(config-pmap)# class NETWORK-CONTROL
ISR3925-GM(config-pmap-c)# bandwidth percent 5
ISR3925-GM(config-pmap)# class SIGNALING
ISR3925-GM(config-pmap-c)# bandwidth percent 2
ISR3925-GM(config-pmap)# class MULTIMEDIA-STREAMING
ISR3925-GM(config-pmap-c)# bandwidth percent 10
ISR3925-GM(config-pmap-c)# fair-queue
ISR3925-GM(config-pmap-c)# random-detect dscp-based
ISR3925-GM(config-pmap)# class TRANSACTIONAL-DATA
ISR3925-GM(config-pmap-c)# bandwidth percent 24
ISR3925-GM(config-pmap-c)# fair-queue
ISR3925-GM(config-pmap-c)# random-detect dscp-based
ISR3925-GM(config-pmap)# class SCAVENGER
ISR3925-GM(config-pmap-c)# bandwidth percent 1
ISR3925-GM(config-pmap)# class class-default
ISR3925-GM(config-pmap-c)# bandwidth percent 25
ISR3925-GM(config-pmap-c)# fair-queue
ISR3925-GM(config-pmap-c)# random-detect
QoS on Group Member – Attach the Service Policy to the Physical Interface
ISR3925-GM(config)# interface GigabitEthernet0/0
ISR3925-GM(config-if)# ip address 192.168.50.2 255.255.255.0
ISR3925-GM(config-if)# crypto map MYMAP
ISR3925-GM(config-if)# service-policy output 8-CLASS-QOS-GETVPN
Unlike DMVPN, the service policy is attached to the physical interface (GETVPN is tunnelless after all)
The speed mismatch will require a 2-level HQoS Policy
– Top level shaper on physical interface
– CBWFQ in child policy
AGENDA: Wrap-up and Final Thoughts
Key Takeaways
QoS in the world of IPSec is mature
Understand the 4, 8, and 12 class QoS models
Be aware of the packet header behavior in IPSec and GRE
Always use the “qos pre-classify” feature in IOS (except with GETVPN)
DMVPN is the most common topology used with external networks
– DMVPN supports per-tunnel QoS, relying heavily on HQoS
– Performance will vary per router, but generally use ASR 1K at the aggregation point
The future is moving toward FlexVPN
– QoS features very similar to DMVPN, but still maturing
GETVPN does not rely on tunnels, thus QoS implementation is much simpler