
Policy Map for ICMP Priority over VRF GRE Tunnel

Answered Question

Overview:
We currently have a GRE VRF tunnel to a remote location.
Like this: MainOfficeRouter <----->GRETunnel<----->RemoteOfficeRouter.
The remote location has a 3Mb max DSL with 8Mb max shared in the cloud with other customers.
We use a WhatsUpGold server at our main office to monitor servers at the remote location using ping.
We back up servers at the remote location to our main office nightly.
It seems that when we back up the servers every night, the backup creates so much traffic that pings from WhatsUpGold to the remote location don't get through.
This causes WhatsUpGold to trigger an alarm and page people at home.
I'm trying to implement traffic shaping on the GRE VRF tunnel to give some priority to ICMP.
This is what I have so far:

Main Office Router Config:
interface Loopback100
 ip address 10.172.192.55 255.255.255.255
!
interface Tunnel100
 description Isolated Tunnel To Remote Office
 ip vrf forwarding ISOLATEDNETWORK
 ip address 10.192.200.1 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback100
 tunnel destination 10.172.192.56
 service-policy output TUNNEL
 
Remote Office Router Config:
interface Loopback100
 ip address 10.172.192.56 255.255.255.255
!
interface Tunnel100
 description Isolated Tunnel To Main Office
 ip vrf forwarding ISOLATEDNETWORK
 ip address 10.192.200.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback100
 tunnel destination 10.172.192.55
 service-policy output TUNNEL
 
Traffic Shaping Policy:
policy-map TUNNEL
  class class-default
   shape average 3000000 <---Should I do this or "shape peak 1500000 3000000 3000000"
   service-policy ICMPPRIORITY
policy-map ICMPPRIORITY
  class ICMPTRAFFIC
   bandwidth percent 10   <---Should I do this or "priority percent 10"
class-map match-any ICMPTRAFFIC
  match protocol icmp

I'm just curious about how my Traffic Shaping Policy looks. Any suggestions or recommendations would be helpful.
 
Thanks,
Allen
Correct Answer by Akash Agrawal about 3 years 2 weeks ago

Hi Allen,

 

policy-map TUNNEL
  class class-default
   shape average 3000000 <--- Shape average is ok
   service-policy ICMPPRIORITY
 
policy-map ICMPPRIORITY
  class ICMPTRAFFIC
   bandwidth percent 10   <---Should I do this or "priority percent 10"
class-map match-any ICMPTRAFFIC
  match protocol icmp
 
If you expect a DoS attack of ICMP packets, then you may want to limit the traffic; otherwise, assigning bandwidth percent 10 would be sufficient. Also assign the remaining bandwidth to class-default.
 
Second, to match ICMP traffic, I would suggest using an ACL instead of match protocol icmp (NBAR), which will be more CPU intensive. The class-map below can be used:
 

class-map match-any ICMPTRAFFIC
  match access-group 101
!
access-list 101 permit icmp any any
 

 

------------ Please don't forget to rate helpful post. ----------------

-Akash

 
Overall Rating: 5 (1 ratings)
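
The policy from the thread with the answer's suggestions applied in one place, as an added example that is not part of the original posts or either poster's configuration. Assumptions: 192.0.2.10 is a placeholder for the monitoring server, the ACL is narrowed from the thread's "permit icmp any any", the policer rate and the class-default percentage are illustrative values, and the IOS release in use accepts these reservations.

```cisco
! Added example; 192.0.2.10 is a placeholder address, not from the thread.
!
! ACL match instead of NBAR, as the answer suggests. The thread's ACL is
! "permit icmp any any"; this narrower form (an assumption) keeps only the
! monitoring pings and their replies in the favoured class, so any other
! ICMP falls into class-default. The same two lines work on both routers.
access-list 101 permit icmp host 192.0.2.10 any echo
access-list 101 permit icmp any host 192.0.2.10 echo-reply
!
! Class-map is defined before the policy-map that references it.
class-map match-any ICMPTRAFFIC
 match access-group 101
!
! Child policy: 10% guaranteed to ICMP under congestion, with an optional
! policer for the ICMP-flood case (300000 bps = 10% of the 3000000 shaper).
! class-default receives the remaining share (assumed value).
policy-map ICMPPRIORITY
 class ICMPTRAFFIC
  bandwidth percent 10
  police cir 300000 conform-action transmit exceed-action drop
 class class-default
  bandwidth percent 90
!
! Parent policy: shape to the DSL rate so the child queues see congestion.
policy-map TUNNEL
 class class-default
  shape average 3000000
  service-policy ICMPPRIORITY
!
interface Tunnel100
 service-policy output TUNNEL
```

After a nightly backup, `show policy-map interface Tunnel100` shows per-class match, drop and policer exceed counters, which confirms whether the pings are landing in ICMPTRAFFIC and whether the policer is ever reached.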
Correct Answer
Akash Agrawal Wed, 07/30/2014 - 21:14
User Badges: Cisco Employee
