QoS For IPSec VPNs (BRKRST-2513)

Source: d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKRST-2513.pdf – covers Site-to-Site, DMVPN, FlexVPN, GETVPN and Remote Access IPSec VPNs

Upload: haanh, posted 30-Jan-2018

TRANSCRIPT

Page 1: QoS For IPSec VPNs

© 2013 Cisco and/or its affiliates. All rights reserved. BRKRST-2513 Cisco Public

Page 3: Presentation Source Material

End-to-End QoS Network Design

– 2nd Edition to be published later in 2013 (on the shelves late 2013 / early 2014)

First Edition was one of the best selling Cisco Press books of all time

– It was time for a 2nd edition!

Book is organized around PINs (Places in the Network), e.g. Data Center, WAN, Wireless, VPN, Campus

Content in this session is primarily based on the “QoS Design for IPSec” section
Page 4: QoS For IPSec VPNs – Agenda

• End-to-End QoS Design

• IPSec QoS Design Considerations

• DMVPN QoS Design

• GETVPN QoS

• Wrap-up and Final Thoughts

Page 5: Making the Case for QoS in IPSec – Why bother doing QoS in IPSec?

The Internet is full of congestion and oversubscription – does QoS really have a role?

Since many IPSec deployment models use the Internet, why bother?

– What about Site-to-Site VPN over the Internet?

– Remote Access VPN from home

We can only control what we can control

– We cannot control the Internet, but we can stop tripping over ourselves!

– IPSec is also used in private networks

Page 6: The Different IPSec Deployment Models – Four Major VPN Deployment Models

Different IPSec models require different QoS considerations:

Model                    | VPN Use Case                              | QoS Model
Traditional Site-to-Site | Router-to-Router over the Internet        | Apply QoS to static tunnel endpoints
DMVPN                    | Large scale over public networks          | Per-Tunnel QoS
FlexVPN                  | IKEv2, large scale over public networks   | Per-Tunnel QoS
GETVPN                   | Private clouds (MPLS)                     | VPN QoS without tunnels
Remote Access            | Remote teleworker                         | Limited to none

Page 7: Unique Challenges Posed by IPSec – IPSec introduces many challenges not seen in the campus network

Scaling large VPNs

– Has required the development of new topologies, such as DMVPN, FlexVPN, and GETVPN

Traffic classification in the face of encryption

– How do we perform QoS classification when the packet gets encrypted?

MTU issues

– IPSec and GRE add a significant number of bytes, which often causes severe QoE issues

Bandwidth mismatch challenges

– Headend router oversubscription (fan-out)

– How do things like WAAS and voice compression codecs affect QoS and QoE?

Page 8: QoS For IPSec VPNs – Agenda (as on Page 4)

Page 9: Three Common QoS Strategies

Figure: the three class models (class labels recovered from the slide)

4-Class Model: Realtime; Control Signaling; Transactional Data; Best Effort

8-Class Model: Voice; Multimedia Conferencing; Multimedia Streaming; Network Control; Transactional Data; Scavenger; Best Effort

12-Class Model: Voice; Broadcast Video; Realtime Interactive; Multimedia Conferencing; Multimedia Streaming; Network Control; Signaling; OAM; Transactional Data; Bulk Data; Scavenger; Best Effort

Page 10: What QoS Tools are Used in IPSec VPNs? Not all QoS tools are used everywhere

QoS Tool      | Description
HQoS          | One of the primary tools used to support per-tunnel QoS
  1. Shaping  | Used in concert with HQoS to apply artificial backpressure
  2. CBWFQ    | After shaping, CBWFQ is used to apply your class model
AVC           | Can be used to manage certain applications
WRED          | Useful for high TCP serialization (part of CBWFQ)
DSCP Marking  | Typically not used here (marking should happen at the edge)
Policing      | Typically not used here (marking should happen at the edge)

Page 11: Quick Level Set: IPSec Packet Structure – Transport Mode

Transport Mode makes a copy of the original IP header

– Has some pros and cons: QoS gets easier, but inside networks are exposed

Figure: the original packet [IP Header][TCP/UDP][Data] becomes [Original IP Header][ESP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]; the TCP/UDP payload and ESP trailer are encrypted with IPSec (ESP), and the ESP header through the ESP trailer is authenticated with IPSec (ESP).

Page 12: Quick Level Set: IPSec Packet Structure – IPSec Tunnel Mode

Tunnel Mode is the default mode in IOS routers

– Original IP packet is encased in a new ESP IP packet

– ToS byte (DSCP value) is copied, but other elements of the inside header are hidden

Figure: [New IP Header][ESP Header][Original IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]; the original IP header, TCP/UDP payload and ESP trailer are encrypted with IPSec (ESP), and the ESP header through the ESP trailer is authenticated with IPSec (ESP).

Page 13: VPN Packet Classification – Effect of multiple encapsulations

Most common approach is to use IPSec Tunnel mode with GRE encapsulation

Figure: the three stages of encapsulation

Original IP packet: [IP Header][TCP/UDP][Data]

GRE encapsulated: [GRE IP Header][GRE][Orig IP Header][TCP/UDP][Data] – the ToS byte is copied to the GRE IP header

Encrypted by IPSec: [New IP Header][ESP Header][GRE IP Header][GRE][Orig IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth] – the ToS byte is copied to the new IP header

Page 14: VPN Packet Classification – Effect of multiple encapsulations

Encapsulating the packet limits the ability to classify for QoS

By default, the ToS byte is always copied from the inner packet to the IPSec and GRE headers

Due to the IOS order of operations, once a packet is encrypted it is impossible to see the original packet, so classification beyond the ToS byte is limited (e.g. classification based on IP address, protocol type, or TCP/UDP port numbers)

Figure: IOS order of operations – tunneling and encryption happen first, then QoS classification

Page 15: IOS Pre-Classify Feature – QoS Pre-Classify was developed to overcome this limitation

The “QoS Pre-Classify” feature has the effect of reversing this order of operations

The router makes a “clone” of the original packet header and keeps it in memory to be used later in case more elaborate classification is required

Figure: with QoS Pre-Classify, QoS classification works from the cloned header, ahead of tunneling and encryption

Page 16: IOS Pre-Classify Feature (2) – Packet Header Cloning

Example:

– Classify incoming traffic not on DSCP, but on TCP port number (23)

– The QoS Pre-Classify command instructs the router to make a clone of the original IP packet to use for classification
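To make the encapsulation and classification story on Pages 13 to 16 concrete, here is an added Python model (not from the slides and not Cisco code) that builds an inner IPv4/TCP packet, wraps it in GRE and then ESP tunnel mode while copying the ToS byte outward, and shows what an egress classifier can see with and without a pre-classify clone. The addresses, the Telnet/CS3 sample packet, the XOR stand-in for the cipher, and the 16-byte IV and 12-byte ICV sizes are constructed assumptions; the byte count it reports is the encapsulation overhead behind the MTU point on Page 7 under those assumptions.

```python
import struct

# Constructed sample addresses (not from the slides).
INNER_SRC, INNER_DST = "10.10.1.10", "10.20.2.20"
TUNNEL_SRC, TUNNEL_DST = "192.0.2.1", "198.51.100.1"


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_header(src, dst, tos, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0, 64, proto, 0, _ip(src), _ip(dst))


def tos_of(pkt):
    """The ToS byte is offset 1 of any IPv4 header; DSCP is its top six bits."""
    return pkt[1]


def original_packet(tos, dport):
    """Inner IP + TCP header + a few bytes of payload, e.g. Telnet marked CS3."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    data = b"hello"
    return ip_header(INNER_SRC, INNER_DST, tos, 6, len(tcp) + len(data)) + tcp + data


def gre_encapsulate(inner):
    """GRE with a 4-byte basic header (proto 0x0800) behind a delivery IP header.
    The inner ToS byte is copied to the delivery header, as the slides state."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ip_header(TUNNEL_SRC, TUNNEL_DST, tos_of(inner), 47,
                     len(gre) + len(inner)) + gre + inner


def esp_tunnel_encapsulate(pkt, spi=0x1000, seq=1):
    """ESP tunnel mode: [new IP][SPI, seq][IV][encrypted pkt + pad + trailer][ICV].
    The cipher is stubbed with an XOR mask; the 16-byte IV and 12-byte ICV are an
    assumption (AES-CBC with a 96-bit HMAC) used only for the overhead figure."""
    esp_hdr = struct.pack("!II", spi, seq)
    iv = bytes(16)
    pad_len = (-(len(pkt) + 2)) % 16                 # pad to a 16-byte cipher block
    trailer = bytes(pad_len) + bytes([pad_len, 4])   # padding, pad length, next hdr = IPv4
    ciphertext = bytes(b ^ 0x5A for b in pkt + trailer)
    icv = bytes(12)
    body = esp_hdr + iv + ciphertext + icv
    return ip_header(TUNNEL_SRC, TUNNEL_DST, tos_of(pkt), 50, len(body)) + body


def classify(wire_pkt, clone=None):
    """Fields an egress policy can match. Without pre-classify only the outer
    header is visible (the copied ToS byte survives, ports do not); with
    pre-classify the cloned original header is consulted and exposes the port."""
    hdr = clone if clone is not None else wire_pkt
    fields = {"dscp": tos_of(hdr) >> 2}
    if hdr[9] == 6:                                  # TCP is only visible on the clone
        ihl = (hdr[0] & 0x0F) * 4
        fields["tcp_dport"] = struct.unpack("!H", hdr[ihl + 2:ihl + 4])[0]
    return fields


def overhead(inner, wire):
    """Bytes added by GRE plus ESP tunnel mode (the MTU concern on Page 7)."""
    return len(wire) - len(inner)


if __name__ == "__main__":
    inner = original_packet(tos=0x60, dport=23)      # CS3 (DSCP 24), Telnet
    wire = esp_tunnel_encapsulate(gre_encapsulate(inner))
    print("without pre-classify:", classify(wire))
    print("with pre-classify:   ", classify(wire, clone=inner))
    print("encapsulation overhead:", overhead(inner, wire), "bytes")
```

Run it directly to print both classification results and the 91-byte overhead for the sample packet. The take-away is that without pre-classify the policy can still match DSCP (the copied ToS byte) but never a port or inner address, which is why the slides recommend enabling it everywhere.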

Page 17: IOS Pre-Classify Feature – Sample Configuration of QoS Pre-Classify

As a best practice, always configure QoS Pre-Classify

Minimal CPU impact – good practice to always have it on

Crypto map applied to the physical interface:

crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set MYSET
 match address ACL
 qos pre-classify
!
interface FastEthernet 0/0
 ip address 10.1.1.100
 crypto map MYMAP

GRE tunnel interface (qos pre-classify is configured on the tunnel as well):

interface Tunnel500
 ip address 192.168.1.0 255.255.255.252
 qos pre-classify
 tunnel source 192.168.1.1
 tunnel destination 192.168.2
!
interface FastEthernet 0/0
 ip address 10.1.1.100

Page 18: Compression Helps QoE – TCP Strategy: Use WAAS

To improve WAN performance over a VPN, compression techniques are often used. Two key compression techniques are worth considering:

– Wide Area Application Services (WAAS)

– Voice codec compression

When congestion occurs at one end of the VPN, WAAS can compress the data, greatly alleviating congestion issues and improving performance.

To protect real-time applications, QoS is still required on WAN-accelerated links

WAAS leaves the entire IP packet header intact, meaning there is no impact on QoS classification

Page 19: Compression Strategies Over VPN (2) – RTP Strategy: Choosing the Right Voice Codec

Another design consideration is which voice codec to choose

– iLBC is generally the better choice over G.729

– Widely supported in Cisco IP phones

Page 20: What About a VPN Remote Access Client? – QoS on the AnyConnect Client

In short, there is no QoS capability in the AnyConnect client itself

Internal QoS markings are copied to the AnyConnect VPN packet header so they can be handled in a PHB by routers in the path.

AnyConnect does utilize DTLS

– DTLS improves the overall user experience for realtime applications

Page 21: Datagram Transport Layer Security (DTLS) – DTLS Overview

The AnyConnect client supports DTLS for real-time apps (Jabber, video, etc.)

The basic problem with SSL-based TLS is that it is TCP-based

– Any application that is sensitive to packet loss, latency, or jitter (real-time apps) suffers greatly when transported over TCP

AnyConnect is smart enough to detect real-time traffic, then chop it into datagrams to mimic UDP

– A datagram model for TLS

Figure: over TLS, voice packets 1, 2 … n all travel inside one encrypted TCP SSL session; over DTLS, each voice packet (1 … n) travels as its own encrypted packet

Page 22: Datagram Transport Layer Security (DTLS) – DTLS Example

Figure: non-real-time data (data packets 1, 2 … n) is carried in the encrypted TCP session, while real-time data (voice packets 1, 2 … n) is carried as individual encrypted datagrams

Page 23: QoS For IPSec VPNs – Agenda (as on Page 4)

Page 24: DMVPN Use Cases – DMVPN is Widely, Widely Deployed

DMVPN is one of the most popular IPSec topologies in use today

– Utilizes multipoint GRE to pass traffic, which is encrypted by IPSec tunnel mode.

DMVPNs are used over public, untrusted networks, such as the Internet

DMVPN allows dynamic spoke-to-spoke communication using

DMVPN is simple to deploy and manage

– A new QoS feature, supported on ISR G2 & ASR 1K, was developed for DMVPNs called: Per-Tunnel QoS for DMVPN

Page 25: DMVPN QoS Design

• All DMVPN routers have implicit trust of the DSCP marking of incoming packets (no remarking)

• HQoS is used at the WAN aggregation router and the remote spoke routers

• The DMVPN hub performs per-SA (per tunnel) QoS

Figure: DMVPN hub router with three spokes – implicit trust on the LAN side (no remarking); HQoS + CBWFQ on the WAN interface

Page 26: DMVPN Building Blocks – 3 Key Building Blocks

1. Multipoint GRE (mGRE)

– One GRE tunnel interface to rule them all!

– A challenge for QoS – with point-to-point GRE each tunnel endpoint has its own tunnel interface, so you can apply a policy map to each GRE tunnel interface (not so with mGRE)

2. Dynamic Discovery of IPSec Tunnel Endpoints, Crypto Profiles, and QoS policies

– Everything about DMVPN was designed to be dynamic – including QoS

3. Next Hop Resolution Protocol (NHRP)

– NHRP is the “brains of the operation”

Page 27: NHRP Registration Process

• A spoke uses NHRP to register itself with the DMVPN hub

• The DMVPN hub keeps an NHRP database of the spokes

• The NHRP database includes information about what kind of QoS policy is applied to each particular spoke

Figure: DMVPN hub router (the headend router maintains the NHRP DB; one mGRE interface serves all tunnels) with three spokes using dynamic DHCP addresses and on-demand tunnels

Page 28: The Need for a Different Approach in DMVPN – Why doesn’t the traditional QoS approach stack up?

In the past, each VPN tunnel had a QoS service policy attached

Additionally, a global egress QoS policy was attached to the WAN interface

This was often deployed as a two-box solution

Since mGRE uses a *single* GRE tunnel interface, this approach does not work

Figure: DMVPN hub router – need a QoS policy on each tunnel interface (downstream), plus a global policy on the egress interface

Page 29: How Does HQoS Work? – HQoS is the answer (part 1)

IMPORTANT: QoS policies only ever kick in when congestion is experienced on an interface!!!

If no congestion is detected by the router, QoS WILL NOT kick in

A packet shaper can simulate “back pressure”, telling the router that congestion has occurred

CAUTION!

– This is very taxing on the router CPU (especially ISR G2)

– Consult the spec sheets for guidelines

Figure: hierarchical policy – the Parent Policy is a traffic shaper (shape to tunnel bandwidth – creates congestion) that signals to the Child Policy; the Child Policy is the QoS CBWFQ policy with Realtime (33%), Control (7%), X-Data (35%) and Default (25%)

Page 30: Per-Tunnel QoS for DMVPN – How does the router know which QoS policy to apply to each spoke?

The hub router keeps a profile of the QoS profiles for each kind of spoke

These are called “NHRP groups”

When spokes register they announce to the hub what group they are a part of

Figure: the spoke sends its NHRP registration and “Group” membership name to the hub.

Spoke: “Hey, I’m in NHRP spoke ‘Group 1’. Make sure I get the right QoS profile for ‘Group 1’.”

Hub: “Oh, you’re part of ‘Spoke Group 1’. Okay, I’ll assign to you the QoS policy for group 1.”

Page 31: DMVPN Design Example – Let’s Consider an Example

A DMVPN hub with three kinds of spokes:

Figure: Small Spoke (“I’m in Spoke Group 1”), Medium Spoke (“I’m in Spoke Group 2”) and Large Spoke (“I’m in Spoke Group 3”) registering with the DMVPN hub router.

Hub: “My configuration says NHRP Group 1 gets 1.5 Mbps, Group 2 gets 10 Mbps, and Group 3 gets 50 Mbps”

Group 1 = 1.5 Mbps

Group 2 = 10 Mbps

Group 3 = 50 Mbps

Page 32: DMVPN QoS Configuration Steps – Design Example

Spoke Group Name             | Bandwidth Required at Spoke | Types of Applications in Use                                   | QoS Model
Group 1 (small groups)       | 1.5 Mbps                    | Voice; Web Applications                                        | 4-Class
Group 2 (medium size groups) | 10 Mbps                     | Voice; TelePresence; Jabber; Web Applications                  | 8-Class
Group 3 (large spokes)       | 50 Mbps                     | Voice; TelePresence; Jabber; Web Applications; Broadcast Video | 12-Class

Page 33: Small Branches: 4-Class Model Definition

Classes            | DSCP | Application Examples                                                                | QoS Handling
Realtime           | EF   | IP Phones, TelePresence, WebEx, Jabber                                              | 33% of BW, Strict Priority
Control            | CS3  | OAM, Routing Protocols                                                              | 7% BW Guarantee
Transactional Data | AF21 | Database Apps, Email, FTP, Backups, CRM Apps, Broadcast Video, Multimedia Streaming | 35% BW Guarantee, WRED
Best Effort        | DF   | Everything Else                                                                     | 25% BW Guarantee, WRED

Page 34: DMVPN Configuration Example – Hub Router Configuration Steps

Step 1: Create the class maps

– Defines the basic traffic classification

Step 2: Configure the “Child” policy

– These are the CBWFQ policies

Step 3: Configure the “Parent” policy

– This is the shaper used per spoke

Step 4: Attach the parent shaper to the mGRE tunnel interface

– This step also associates the NHRP group membership with each parent shaper

Step 5: Verify QoS is working correctly

Page 35: DMVPN Configuration Example – Step 1: Create the Class Maps for Each Model

Configure the required class maps (one class map per class; class-default needs none)

Depending on what QoS class model you choose, this will vary

In this example there are THREE spoke groups, thus class maps for all three models need to be configured on the hub router

4-CLASS-MODEL class maps:

ASR1K(config)# class-map match-all REALTIME
ASR1K(config-cmap)# match dscp ef
ASR1K(config-cmap)# class-map match-all CONTROL
ASR1K(config-cmap)# match dscp cs3
ASR1K(config-cmap)# class-map match-all TRANSACTIONAL-DATA
ASR1K(config-cmap)# match dscp af21

Page 36: DMVPN Configuration Example – Step 2: Hub Router Child Policy

This policy-map is a “Child” of the parent policy map that is responsible for shaping all 4-class spokes

When the shaper creates artificial backpressure, this policy-map is invoked by the router

This policy will not be used unless the parent policy signals “congestion” to the router

ASR1000(config)# policy-map 4-CLASS-CHILD
ASR1000(config-pmap)# class REALTIME
ASR1000(config-pmap-c)# priority percent 33
ASR1000(config-pmap)# class CONTROL
ASR1000(config-pmap-c)# bandwidth percent 7
ASR1000(config-pmap)# class TRANSACTIONAL-DATA
ASR1000(config-pmap-c)# bandwidth percent 35
ASR1000(config-pmap-c)# fair-queue
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# bandwidth percent 25
ASR1000(config-pmap-c)# fair-queue
ASR1000(config-pmap-c)# random-detect

Page 37: DMVPN Configuration Example – Step 3: Configure Parent Policy – The nested service policy calls the child policy

4-Class Parent Policy (shapes to 1.5 Mbps):

ASR1000(config)# policy-map 4-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 1500000
ASR1000(config-pmap-c)# service-policy 4-CLASS-CHILD

8-Class Parent Policy (shapes to 10 Mbps):

ASR1000(config)# policy-map 8-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 10000000
ASR1000(config-pmap-c)# service-policy 8-CLASS-CHILD

12-Class Parent Policy (shapes to 50 Mbps):

ASR1000(config)# policy-map 12-CLASS-PARENT
ASR1000(config-pmap)# class class-default
ASR1000(config-pmap-c)# shape average 50000000
ASR1000(config-pmap-c)# service-policy 12-CLASS-CHILD

Page 38: DMVPN Configuration Example – Step 4: Attach the Service Policy to the mGRE Interface

Multiple service policies may be attached to the same mGRE interface

ASR1000(config)# interface Tunnel10
ASR1000(config-if)# ip address 10.1.1.254 255.255.255.0
ASR1000(config-if)# ip nhrp authentication hector
ASR1000(config-if)# ip nhrp map multicast dynamic
ASR1000(config-if)# ip nhrp map group SPOKE-1-GROUP service-policy output 4-CLASS-PARENT
ASR1000(config-if)# ip nhrp map group SPOKE-2-GROUP service-policy output 8-CLASS-PARENT
ASR1000(config-if)# ip nhrp map group SPOKE-3-GROUP service-policy output 12-CLASS-PARENT
ASR1000(config-if)# ip nhrp network-id 12300
ASR1000(config-if)# tunnel source GigabitEthernet0/0/0
ASR1000(config-if)# tunnel mode gre multipoint
ASR1000(config-if)# tunnel key 3210
ASR1000(config-if)# qos pre-classify
ASR1000(config-if)# tunnel protection ipsec profile MY-BIG-VPN
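The hub-side chain that Steps 1 to 4 build (NHRP group to parent shaper to child CBWFQ classes) is easier to reason about as a small model. The Python below is an added example, not Cisco code and not part of the deck: it carries the group map, shaper rates and 4-class percentages from these slides, checks that a child policy's percentages can all be honoured, converts a shaper rate into per-class guarantees, and then allocates one congested interval with a simplified priority-then-weighted-share scheduler. That scheduler is an approximation of CBWFQ behaviour written for this example (IOS's real scheduler, burst handling and queue limits are not modelled), and the offered load in the usage section is constructed.

```python
# Child policy from the slides' 4-class model: class -> (queue type, percent of shaped rate).
CHILD_4_CLASS = {
    "REALTIME": ("priority", 33),
    "CONTROL": ("bandwidth", 7),
    "TRANSACTIONAL-DATA": ("bandwidth", 35),
    "class-default": ("bandwidth", 25),
}

# Parent shapers (bps) and the NHRP group mapping from the design example.
PARENT_SHAPERS = {"4-CLASS-PARENT": 1_500_000, "8-CLASS-PARENT": 10_000_000,
                  "12-CLASS-PARENT": 50_000_000}
NHRP_GROUP_MAP = {"SPOKE-1-GROUP": "4-CLASS-PARENT", "SPOKE-2-GROUP": "8-CLASS-PARENT",
                  "SPOKE-3-GROUP": "12-CLASS-PARENT"}


def validate_child(child):
    """Reject a child policy whose percentages cannot all be honoured at once."""
    total = sum(pct for _, pct in child.values())
    if total > 100:
        raise ValueError(f"priority + bandwidth percents sum to {total}% (> 100%)")
    return total


def policy_for_group(group):
    """Hub-side lookup: NHRP group name -> (parent policy, shaper rate in bps)."""
    parent = NHRP_GROUP_MAP[group]
    return parent, PARENT_SHAPERS[parent]


def class_rates(shape_bps, child):
    """Per-class guarantee (or priority ceiling) once the shaper reports congestion."""
    return {name: shape_bps * pct // 100 for name, (_, pct) in child.items()}


def allocate(shape_bps, child, offered_bps):
    """Simplified model of one congested interval (not IOS's exact scheduler):
    the priority class is served first but policed to its percent; the rest of
    the shaped rate is shared among bandwidth classes, each guaranteed its
    percent, with any unused share redistributed in proportion to the percents."""
    validate_child(child)
    alloc, remaining = {}, shape_bps
    for name, (kind, pct) in child.items():
        if kind == "priority":
            alloc[name] = min(offered_bps.get(name, 0), shape_bps * pct // 100)
            remaining -= alloc[name]
    for name in child:
        alloc.setdefault(name, 0)
    active = {n: pct for n, (kind, pct) in child.items()
              if kind == "bandwidth" and offered_bps.get(n, 0) > 0}
    while active and remaining > 0:
        total_w = sum(active.values())
        budget = remaining
        done = [n for n, w in active.items()
                if offered_bps[n] - alloc[n] <= budget * w // total_w]
        if not done:                      # every class still wants more: split by weight
            for n, w in active.items():
                alloc[n] += budget * w // total_w
            break
        for n in done:                    # satisfy the small demands, free their share
            remaining -= offered_bps[n] - alloc[n]
            alloc[n] = offered_bps[n]
            del active[n]
    return alloc


if __name__ == "__main__":
    parent, rate = policy_for_group("SPOKE-1-GROUP")
    print(parent, class_rates(rate, CHILD_4_CLASS))
    # Constructed offered load: voice above its share, both data classes oversubscribed.
    load = {"REALTIME": 600_000, "CONTROL": 50_000,
            "TRANSACTIONAL-DATA": 900_000, "class-default": 900_000}
    print(allocate(rate, CHILD_4_CLASS, load))
```

The allocation shows the property most often misread in CBWFQ designs: bandwidth percent is a floor, not a ceiling. Under the 1.5 Mbps shaper, TRANSACTIONAL-DATA is guaranteed 525 kbps but receives more while CONTROL is under-using its 7%, whereas REALTIME is held to its 33% priority share for as long as the shaper reports congestion.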

Page 39: DMVPN Configuration Example – Step 5: Verify DMVPN QoS Configuration

Useful commands to verify your config:

show ip nhrp group-map

– Useful to see what QoS policies have been applied to each DMVPN NHRP group

show policy-map multipoint

show dmvpn detail

ASR1000# show ip nhrp group-map
Interface: Tunnel10
  NHRP group: SPOKE-1-GROUP
    QoS policy: 4-CLASS-PARENT
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.1.30/172.17.10.1
  NHRP group: SPOKE-2-GROUP
    QoS policy: 8-CLASS-PARENT
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.1.40/172.16.20.1
  NHRP group: SPOKE-3-GROUP
    QoS policy: 12-CLASS-PARENT
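The `show ip nhrp group-map` output in Step 5 is the record that ties each registered spoke to a parent policy, so on a hub with many groups it is worth parsing rather than eyeballing. The Python below is an added example, not part of the deck and not IOS code: it parses a constructed copy of the output modelled on the slide and audits it against the intended group-to-policy mapping, flagging a group that is missing, mapped to the wrong policy, or mapped but unused by any registered spoke (as SPOKE-3-GROUP is in the slide's excerpt). Real output spacing may differ by release; the parser keys on the labels only.

```python
import re

# Constructed sample output, modelled on the slide's "show ip nhrp group-map" excerpt
# (SPOKE-3-GROUP has a policy mapped but no registered spokes, as on the slide).
SAMPLE_OUTPUT = """\
Interface: Tunnel10
  NHRP group: SPOKE-1-GROUP
    QoS policy: 4-CLASS-PARENT
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.1.30/172.17.10.1
  NHRP group: SPOKE-2-GROUP
    QoS policy: 8-CLASS-PARENT
    Tunnels using the QoS policy:
    Tunnel destination overlay/transport address
    10.1.1.40/172.16.20.1
  NHRP group: SPOKE-3-GROUP
    QoS policy: 12-CLASS-PARENT
"""

# The group -> parent policy mapping the design calls for (from the hub configuration).
EXPECTED = {"SPOKE-1-GROUP": "4-CLASS-PARENT",
            "SPOKE-2-GROUP": "8-CLASS-PARENT",
            "SPOKE-3-GROUP": "12-CLASS-PARENT"}

_TUNNEL_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def parse_group_map(text):
    """Return {interface: {group: {"policy": name, "tunnels": [(overlay, transport)]}}}."""
    result, iface, group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
            result[iface] = {}
        elif line.startswith("NHRP group:"):
            group = line.split(":", 1)[1].strip()
            result[iface][group] = {"policy": None, "tunnels": []}
        elif line.startswith("QoS policy:"):
            result[iface][group]["policy"] = line.split(":", 1)[1].strip()
        else:
            m = _TUNNEL_RE.fullmatch(line)   # "overlay/transport" address pairs
            if m and group is not None:
                result[iface][group]["tunnels"].append((m.group(1), m.group(2)))
    return result


def audit_group_map(parsed, expected, iface="Tunnel10"):
    """Compare live state with the design: a wrong or missing policy is a hub
    configuration error; a mapped policy with no tunnels means no spoke has yet
    registered with that group name (check the spoke's 'ip nhrp group')."""
    findings = []
    groups = parsed.get(iface, {})
    for group, policy in expected.items():
        entry = groups.get(group)
        if entry is None:
            findings.append(f"{group}: no mapping on {iface}")
        elif entry["policy"] != policy:
            findings.append(f"{group}: policy {entry['policy']} differs from expected {policy}")
        elif not entry["tunnels"]:
            findings.append(f"{group}: {policy} mapped but no registered spoke uses it")
    return findings


if __name__ == "__main__":
    parsed = parse_group_map(SAMPLE_OUTPUT)
    for finding in audit_group_map(parsed, EXPECTED):
        print("WARN", finding)
```

An empty findings list means every group in the design is present, carries the intended parent policy, and has at least one spoke using it; the check is cheap enough to run after every hub change.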

Page 40: DMVPN Spoke Router Considerations – DMVPN Spoke Router Requirements are Different

Figure: Home Router, 100 Mbps full-duplex link, ISP Provided Router, 10 Mbps service, Internet.

– The home router is sending in excess of 10 Mbps

– The link to the ISP router is 100 Mbps full-duplex, so no congestion is encountered there

– Since the ISP limits bandwidth to 10 Mbps, congestion is encountered at the ISP router, causing packet loss

Page 41: DMVPN Spoke Configuration Example

Step 1: Create the class maps

Step 2: Define the child policy maps with CBWFQ

Step 3: Define the parent policy map as a packet shaper

Step 4: Attach the policy map to the GRE interface

Step 5: Add NHRP group membership detail to the GRE interface

Page 42: Spoke Router Configuration – Configure NHRP To Announce Group Membership

ISR1941_SPOKE_1(config)# interface tunnel10
ISR1941_SPOKE_1(config-if)# ip address 10.1.1.30 255.255.255.0
ISR1941_SPOKE_1(config-if)# ip nhrp authentication hector
ISR1941_SPOKE_1(config-if)# ip nhrp group SPOKE-1-GROUP
ISR1941_SPOKE_1(config-if)# ip nhrp map 10.1.1.254 172.25.1.254
ISR1941_SPOKE_1(config-if)# ip nhrp map multicast 172.25.1.254
ISR1941_SPOKE_1(config-if)# ip nhrp network-id 12300
ISR1941_SPOKE_1(config-if)# ip nhrp nhs 10.1.1.254
ISR1941_SPOKE_1(config-if)# ip tcp adjust-mss 1360
ISR1941_SPOKE_1(config-if)# tunnel source GigabitEthernet0/0
ISR1941_SPOKE_1(config-if)# tunnel mode gre multipoint
ISR1941_SPOKE_1(config-if)# tunnel key 3210
ISR1941_SPOKE_1(config-if)# tunnel protection ipsec profile MY-BIG-VPN

Page 43: What About FlexVPN QoS? – Very Similar to DMVPN

FlexVPN follows the same per-tunnel (per-SA) QoS model as DMVPN

FlexVPN uses “virtual-template” tunnel interfaces

Use NHRP and per-tunnel QoS on the virtual-template interface

Does not support spoke-to-spoke

crypto ikev2 authorization policy default
 pool FlexSpokes
!
crypto ikev2 profile Flex_IKEv2
 match identity remote fqdn domain cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set ikev2-profile Flex_IKEv2
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback100
 ip nhrp network-id 2
 ip nhrp redirect
 ip nhrp group SPOKE-1-GROUP
 tunnel protection ipsec profile default

Page 44: QoS For IPSec VPNs – Agenda (as on Page 4)

Page 45: QoS For IPSec VPNsd2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKRST-2513.pdf · Site-to-Site DMVPN FLEXVPN GETVPN Remote Access ... always configure QoS Pre-Classify ... QoS For IPSec

© 2013 Cisco and/or its affiliates. All rights reserved. BRKRST-2513 Cisco Public

Group Encrypted Transport VPN Review

GETVPN and DMVPN / FlexVPN are Fundamentally Different

Use Case

– DMVPN / FlexVPN: Public Networks (Internet)

– GETVPN: Private Clouds (MPLS)

Network Style

– DMVPN / FlexVPN: Hub-and-Spoke and Spoke-to-Spoke

– GETVPN: Any-to-Any

Routing Architecture

– DMVPN / FlexVPN: Routing inside GRE tunnels

– GETVPN: Native IGP routing over the WAN

Encryption Style

– DMVPN / FlexVPN: Point-to-Point encryption

– GETVPN: Group Encryption

QoS Implementation

– DMVPN / FlexVPN: Per-Tunnel QoS managed through NHRP group membership

– GETVPN: QoS is applied at each GETVPN Group Member since no tunnels are used


GETVPN Building Blocks

Instead of using separate encryption keys and a different SA pair for each pair of routers, GDOI uses a single unified security association for all the routers

So instead of encrypting “pairs” of routers, GETVPN gives the same encryption keys to everyone in the trusted group

Thus, GETVPN easily promotes any-to-any communication

Figure: GETVPN group. Head Office with Primary KS and Secondary KS; several GMs (CE Routers), each holding the same Group Key; all connected over an MPLS Network.


GETVPN Architecture

Where is QoS Applied in GETVPN?

Figure: GETVPN topology. Head Office with Primary KS and Secondary KS; Branch Office 1, Branch Office 2 and Branch Office n, each with a GM (CE Router) holding the Group Key; all connected over an MPLS Network.

WAN Interface: CBWFQ on the physical interface. A hierarchical shaper may also be required on this interface.

LAN Interface: Implicit trust, no remarking of packets

GET VPN control packets (GDOI and ISAKMP) are automatically marked as CS6


IP Header Preservation

GETVPN preserves the entire original IP packet header

– Includes Src, Dest IP addresses, TCP/UDP port numbers, ToS byte, and DF bit

Header Preservation makes GETVPN Ideal for Private Networks

Figure: GET VPN Packet Format

Original IP Packet: IP Header | Data

GET VPN Packet: Original IP Header | ESP | IP Header | Data

GET VPN preserves the original IP header


A Word of Caution on Working with Your ISP

DSCP Continuity and Matching QoS Class Models

A word of caution when working with ISPs . . .

Very often ISPs have a different QoS model than yours:

– Many ISPs use IP Precedence only: DSCP 46 (Binary: 101110) becomes IPP 5 (Binary: 101) and reemerges as DSCP 40 (Binary: 101000) on the other side!

If this is the case, it will cause DSCP havoc. You will need to remark at the GM on ingress from the ISP network.

If you choose an 8-class model, does your ISP support this?

Always discuss these issues with your ISP early.


GETVPN QoS Configuration Steps

QoS Needs Attention in Two Places

Key Server Routers:

– Step 1: Ensure a DSCP trust relationship exists for the KS control traffic

The KS uses UDP port 500 (ISAKMP) and UDP port 848 (GDOI) for its control protocols

These protocols must be classified as “Network Control” (CS6)

– Step 2: Ensure sufficient bandwidth is available for the KS control traffic (especially the GDOI rekeying traffic)

Group Member Routers:

– Step 1: Configure the QoS class maps

– Step 2: Configure the QoS policy maps

– Step 3: Attach the policy map to the physical WAN interface


Medium Branches: 8-Class Model Definition

8-Class Model (class: DSCP; Application Examples; QoS Handling)

– Voice: EF; IP Phones; 10% of BW, Strict Priority

– Multimedia Conferencing: AF41; Jabber, WebEx, TelePresence; 23% BW Strict Priority

– Multimedia Streaming: AF31; Video on Demand; 10% BW Guarantee, DSCP-Based WRED

– Network Control: CS6; OAM, Routing Protocols; 5% BW Guarantee

– Signaling: CS3; SIP, H.323; 2% BW Guarantee

– Transactional Data: AF21; CRM, Database, etc.; 24% BW Guarantee, DSCP-Based WRED

– Scavenger: CS1; BitTorrent, etc.; Limited to 1% of BW

– Best Effort: DF; Default; 25% BW Guarantee + WRED
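The IP-Precedence-only ISP problem from the "Word of Caution" slide and the DSCP values of this 8-class model, worked through as an added example (not from the Cisco deck): the script simulates an IPP-only transit, reports which markings re-emerge changed, which classes of the 8-class model collapse into one precedence value, and which an ingress remark at the GM can still restore. The class names and DSCP values are the deck's; the function names are assumptions of this example.

```python
# Added example, not from the Cisco deck: simulate an IP-Precedence-only ISP
# transit for the deck's 8-class model (DSCP values below are the deck's).
EIGHT_CLASS_MODEL = {
    "Voice": 46,                    # EF
    "Multimedia Conferencing": 34,  # AF41
    "Multimedia Streaming": 26,     # AF31
    "Network Control": 48,          # CS6
    "Signaling": 24,                # CS3
    "Transactional Data": 18,       # AF21
    "Scavenger": 8,                 # CS1
    "Best Effort": 0,               # DF
}

def dscp_to_ipp(dscp):
    """IP Precedence is the top three bits of the six-bit DSCP field."""
    return (dscp >> 3) & 0x7

def ipp_to_dscp(ipp):
    """An IPP-only device writes the precedence back with the low three DSCP
    bits cleared, so IPP 5 re-emerges as DSCP 40 (CS5), not 46 (EF)."""
    return (ipp & 0x7) << 3

def after_ipp_transit(dscp):
    """DSCP value that re-emerges after an IP-Precedence-only ISP."""
    return ipp_to_dscp(dscp_to_ipp(dscp))

def analyze_model(model):
    """Return (rewritten, merged): class -> (DSCP before, DSCP after) for
    classes whose marking changes, and IPP -> classes that share one IPP
    and therefore cannot be told apart once they leave the ISP."""
    rewritten, by_ipp = {}, {}
    for name, dscp in model.items():
        after = after_ipp_transit(dscp)
        if after != dscp:
            rewritten[name] = (dscp, after)
        by_ipp.setdefault(dscp_to_ipp(dscp), []).append(name)
    merged = {ipp: sorted(n) for ipp, n in by_ipp.items() if len(n) > 1}
    return rewritten, merged

def ingress_remark_table(model):
    """IPP -> original DSCP to restore at the GM on ingress from the ISP.
    IPPs that carry more than one class are omitted: no remark can separate
    them, so those classes need an ISP that honours DSCP end to end."""
    _, merged = analyze_model(model)
    return {dscp_to_ipp(d): d for d in model.values() if dscp_to_ipp(d) not in merged}

if __name__ == "__main__":
    rewritten, merged = analyze_model(EIGHT_CLASS_MODEL)
    print(rewritten, merged, ingress_remark_table(EIGHT_CLASS_MODEL))
```

For this model the run shows Signaling (CS3) and Multimedia Streaming (AF31) both arriving as IPP 3, so an IPP-only provider merges those two classes and no GM-side remark can split them again.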


ISR3925-GM(config)# policy-map 8-CLASS-QOS-GETVPN

ISR3925-GM(config-pmap)# class VOICE

ISR3925-GM(config-pmap-c)# priority percent 10

ISR3925-GM(config-pmap)# class MULTIMEDIA-CONFERENCING

ISR3925-GM(config-pmap-c)# priority percent 23

ISR3925-GM(config-pmap)# class NETWORK-CONTROL

ISR3925-GM(config-pmap-c)# bandwidth percent 5

ISR3925-GM(config-pmap)# class SIGNALING

ISR3925-GM(config-pmap-c)# bandwidth percent 2

ISR3925-GM(config-pmap)# class MULTIMEDIA-STREAMING

ISR3925-GM(config-pmap-c)# bandwidth percent 10

ISR3925-GM(config-pmap-c)# fair-queue

ISR3925-GM(config-pmap-c)# random-detect dscp-based

ISR3925-GM(config-pmap)# class TRANSACTIONAL-DATA

ISR3925-GM(config-pmap-c)# bandwidth percent 24

ISR3925-GM(config-pmap-c)# fair-queue

ISR3925-GM(config-pmap-c)# random-detect dscp-based

ISR3925-GM(config-pmap)# class SCAVENGER

ISR3925-GM(config-pmap-c)# bandwidth percent 1

ISR3925-GM(config-pmap)# class class-default

ISR3925-GM(config-pmap-c)# bandwidth percent 25

ISR3925-GM(config-pmap-c)# fair-queue

ISR3925-GM(config-pmap-c)# random-detect

Let’s use an 8-Class QoS model for the Group Members

Unlike DMVPN, there is no real concept of a “headend” or VPN aggregation router, so all GMs use the same QoS configuration

Notice all bandwidth percentages add up to 100%


QoS on Group Member Attach the Service Policy to the Physical Interface


ISR3925-GM(config)# interface GigabitEthernet0/0

ISR3925-GM(config-if)# ip address 192.168.50.2 255.255.255.0

ISR3925-GM(config-if)# crypto map MYMAP

ISR3925-GM(config-if)# service-policy output 8-CLASS-QOS-GETVPN

Unlike DMVPN, the service policy is attached to the physical interface (GETVPN is tunnel-less after all)

A speed mismatch between the physical interface and the WAN rate will require a 2-level HQoS policy:

– Top-level shaper on the physical interface

– CBWFQ in the child policy


Key Takeaways

QoS in the world of IPSec is mature

Understand the 4-, 8-, and 12-class QoS models

Be aware of the packet header behavior in IPSec and GRE

Always use the “qos pre-classify” feature in IOS (except with GETVPN)

DMVPN is the most common topology used with external networks

– DMVPN supports per-tunnel QoS, relying heavily on HQoS

– Performance will vary per router, but generally use ASR 1K at the aggregation point

The future is moving toward FlexVPN

– QoS features very similar to DMVPN, but still maturing

GETVPN does not rely on tunnels, thus QoS implementation is much simpler


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Daily Challenge points for each session evaluation you complete.

Complete your session evaluation online now through either the mobile app or internet kiosk stations.
