cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
410
Views
0
Helpful
2
Replies

QoS and DMVPN

vaba
Level 1
Level 1

I have DMVPN network and no QoS.

I want implement QoS in WAN network.

I use cisco 28xx router with IOS c2800nm-advipservicesk9-mz.124-22.T.bin - on Tunnel interface no "service-policy output" command only on GigabitEthernet.

This is my configuration:

class-map match-any MANAGEMENT

match ip dscp cs6

match protocol ssh

match access-group 120

class-map match-all VOICE

match ip dscp ef

class-map match-any CALL-SETUP

match ip dscp af31

match ip dscp cs3

!

!

policy-map DMVPN_policy

description VoIPandDATA

class VOICE

priority percent 35

class CALL-SETUP

bandwidth percent 2

class MANAGEMENT

bandwidth percent 20

class class-default

fair-queue

random-detect

policy-map SHAPER

class class-default

shape average 2048000

service-policy DMVPN_policy

interface GigabitEthernet0/0

service-policy output DMVPN_policy

ip nbar protocol-discovery

interface Tunnel 11

bandwidth 2048

ip address x.x.x.x 255.255.0.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1400

ip nbar protocol-discovery

ip tcp adjust-mss 1360

delay 1000

qos pre-classify

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key 11

tunnel protection ipsec profile PROFILE shared

access-list 120 permit icmp any any

access-list 120 permit udp any any eq isakmp

access-list 120 permit tcp any any eq 22

access-list 120 permit tcp any eq 22 any

access-list 120 deny ip any any

Shaper SHAPER work correctly.

The question is relevant whit "class-map match-any MANAGEMENT"

When use ping (icmp) class-map MANAGEMENT and ACL 120 match it and this is fine, but when i use ssh neither - "match protocol ssh" or ACL 120 match ssh. I tested whit telnet don't work too.

When use:

#show policy-map interface gigabitEthernet 0/0

......

Class-map: MANAGEMENT (match-any)

8658 packets, 1072204 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: ip dscp cs6 (48)

8643 packets, 1069564 bytes

30 second rate 0 bps

Match: protocol ssh

0 packets, 0 bytes

30 second rate 0 bps

Match: access-group 120

15 packets, 2640 bytes

30 second rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 8650/1356496

bandwidth 20% (20000 kbps)

........

class-map MANAGEMENT match cs6 - EIGRP, match ACL, but only icmp match:

#show access-lists

....

Extended IP access list 120

10 permit icmp any any (15 matches)

30 permit udp any any eq isakmp

40 permit tcp any any eq 22

50 permit tcp any eq 22 any

60 deny ip any any (14 matches)

....

No SSH or Telnet

Can anyone help me?

Thanks in advanced.

2 Replies 2

dominic.caron
Level 5
Level 5

Hi,

I stumble on the same thing a few month ago. Made some test, it seem's like you can match on the IP header only. (Not the tcp). Bizzare that you can have match on encrypted packet...

The best way to go in this case is to classify your packet when they enter the router using DSCP. When leaving your router, only use DSCP to match packet.

I've never used QoS pre-classify, but from its documentation, suspect Dominic is correct. I.e., only the IP header is copied.

You could mark packet upon router ingress or perhaps on tunnel egress, and then as Dominic also suggests, use DSCP ToS on physical egress.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: