Applying Qos Configurations To Remote Site Routers

Deploying IWAN Quality of Service
Applying QoS Configurations to Remote Site Routers

1. Configure per-tunnel QoS NHRP policy on remote-site routers
PROCESS
2. Configure physical interface QoS policy on remote-site routers
3. Apply QoS policy to the physical interface on remote-site routers
4. Verify QoS policy on physical interfaces of remote site router
5. Verify DMVPN per-tunnel QoS from hub routers
This process completes the remote-site QoS configuration and applies to all DMVPN spoke routers.
Procedure 1 Configure per-tunnel QoS NHRP policy on remote-site routers
This procedure configures the remote-site router to reference the QoS policy configured on the hub site routers.
Step 1: Apply the NHRP group policy to the DMVPN tunnel interface on the corresponding remote-site router.
Use the NHRP group name as defined on the hub router in Procedure 2, “Configure per tunnel QoS policies for
DMVPN hub router,” above.
interface Tunnel[value]
ip nhrp group [NHRP GROUP Policy Name]
Example: Remote-site router with dual-link

This example shows a remote-site using a 20 Mbps policy and a 10 Mbps policy.
interface Tunnel10
ip nhrp group RS-GROUP-20MBPS
interface Tunnel11
ip nhrp group RS-GROUP-10MBPS
Procedure 2 Configure physical interface QoS policy on remote-site routers
Repeat this procedure in order to support remote-site routers that have multiple WAN connections attached to
different interfaces.
With WAN interfaces using Ethernet as an access technology, the demarcation point between the enterprise
and service provider may no longer have a physical-interface bandwidth constraint. Instead, a specified amount
of access bandwidth is contracted with the service provider. To ensure the offered load to the service provider
does not exceed the contracted rate that results in the carrier discarding traffic, configure shaping on the physi-
cal interface. This shaping is accomplished with a QoS service policy. You configure a QoS service policy on the
Cisco Validated Design page 257

outside Ethernet interface, and this parent policy includes a shaper that then references a second or subordinate
(child) policy that enables queuing within the shaped rate. This is called a hierarchical Class-Based Weighted Fair
Queuing configuration. When you configure the shape average command, ensure that the value matches the
contracted bandwidth rate from your service provider.
Step 1: Create the parent policy map.
As a best practice, embed the transport number within the name of the parent policy map.
policy-map [policy-map-name]
Step 2: Configure the shaper.
class [class-name]
shape [average | peak] [bandwidth (kbps)]
Step 3: Apply the child service policy as defined in Procedure 2, “Create policy map with queuing policy” above.
service-policy WAN

This example shows a router with a 20-Mbps rate on interface GigabitEthernet0/0 for transport 1 and a 10-Mbps
rate on interface GigabitEthernet0/1 for transport 2.
policy-map POLICY-TRANSPORT-1
class class-default
shape average 20000000
service-policy WAN
policy-map POLICY-TRANSPORT-2
class class-default
shape average 10000000
service-policy WAN
Procedure 3 Apply QoS policy to the physical interface on remote-site routers
Repeat this procedure in order to support remote-site routers that have multiple WAN connections attached to
different interfaces.
To invoke shaping and queuing on a physical interface, you must apply the parent policy that you configured in the
previous procedure.
Step 1: Select the WAN interface.
interface [interface type] [number]

Step 2: Apply the WAN QoS policy.
The service policy needs to be applied in the outbound direction.
service-policy output [policy-map-name]

interface GigabitEthernet0/0
service-policy output POLICY-TRANSPORT-1
interface GigabitEthernet0/1
service-policy output POLICY-TRANSPORT-2
Procedure 4 Verify QoS policy on physical interfaces of remote site router
After all of the physical interfaces on a router are configured, you can verify each one before moving to the next
remote site.
Step 1: Verify the QoS output policy on each interface is correct by using the show policy-map interface com-
mand.
This example is truncated due to the overall length.
RS11-2921# show policy-map interface GigabitEthernet 0/0

GigabitEthernet0/0
Service-policy output: POLICY-TRANSPORT-1
Class-map: class-default (match-any)

66941984 packets, 14951533762 bytes
5 minute offered rate 83000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 66941987/15813338284
shape (average) cir 30000000, bc 120000, be 120000
target shape rate 30000000
Service-policy : WAN

queue stats for all priority classes:

Queueing
priority level 1
Class-map: INTERACTIVE-VIDEO (match-any)

530608 packets, 205927572 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: dscp cs4 (32) af41 (34) af42 (36) af43 (38)
530608 packets, 205927572 bytes
5 minute rate 0 bps
Queueing
bandwidth remaining 30%
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
dscp Transmitted Random drop Tail drop
Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes
thresh thresh prob
af41 530608/209102464 0/0 0/0

32 40 1/10
QoS Set
dscp af41
Packets marked 530608
Step 2: Repeat the previous step for each interface configured with QoS.

Procedure 5 Verify DMVPN per-tunnel QoS from hub routers
After the all of the DMVPN routers are configured for Per-Tunnel QoS, you can verify the configurations from the
hub router.
Step 1: Verify the Per-Tunnel QoS output policy to each remote-site is correct by using the show dmvpn detail
command.
This example is truncated due to the overall length.
VPN-MPLS-ASR1002X-1# show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel10 is up/up, Addr. is 10.6.34.1, VRF ""

Tunnel Src./Dest. addr: 192.168.6.1/MGRE, Tunnel VRF "IWAN-TRANSPORT-1"
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN-PROFILE-TRANSPORT-1"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 9
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.168.6.5 10.6.34.11 UP 1w0d D 10.6.34.11/32
NHRP group: RS-GROUP-30MBPS
Output QoS service-policy applied: RS-GROUP-30MBPS-POLICY
1 192.168.6.9 10.6.34.12 UP 1w0d D 10.6.34.12/32
1 192.168.6.13 10.6.34.21 UP 1w0d D 10.6.34.21/32


1 192.168.6.17 10.6.34.22 UP 1w0d D 10.6.34.22/32
1 192.168.6.21 10.6.34.31 UP 1w0d D 10.6.34.31/32
1 192.168.6.25 10.6.34.32 UP 1w0d D 10.6.34.32/32
1 192.168.6.29 10.6.34.41 UP 1w0d D 10.6.34.41/32
1 192.168.6.33 10.6.34.42 UP 1w0d D 10.6.34.42/32
Step 2: Repeat the previous step for each DMVPN hub router.

Deploying IWAN Monitoring

NetFlow operates by creating a NetFlow cache entry that contains information for all active flows on a NetFlow-
enabled device. NetFlow builds its cache by processing the first packet of a flow through the standard switch-
ing path. It maintains a flow record within the NetFlow cache for all active flows. Each flow record in the NetFlow
cache contains key fields, as well as additional non-key fields, that can be used later for exporting data to a col-
lection device. Each flow record is created by identifying packets with similar flow characteristics and counting or
tracking the packets and bytes per flow.
Flexible NetFlow (FNF) allows you to customize and focus on specific network information. To define a flow, you
can use a subset or superset of the traditional seven key fields. FNF also has multiple additional fields (both key
and non-key). This permits an organization to target more specific information so that the total amount of infor-
mation and the number of flows being exported is reduced, allowing enhanced scalability and aggregation.
Configuring Flexible NetFlow for IWAN Monitoring

1. Create flexible NetFlow flow record
PROCESS
2. Create flow exporter
3. Create a flow monitor
4. Apply flow monitor to router interfaces
5. Configure the platform base features
These procedures include best practice recommendations for which key fields and non-key fields need to be
collected in order to allow for effective IWAN monitoring.
Additional details regarding the deployment of NetFlow with NBAR2 and the usage of a broad range of NetFlow
collector/analyzers are covered in the Application Monitoring Using NetFlow Technology Design Guide.
Procedure 1 Create flexible NetFlow flow record
Flexible NetFlow requires the explicit configuration of a flow record that consists of both key fields and non-key
fields. This procedure provides guidance on how to configure a user-defined flow record that includes all of the
Traditional NetFlow (TNF) fields (key and non-key) as well as additional FNF fields (key and non-key). The result-
ing flow record includes the full subset of TNF fields used in classic NetFlow deployments.
The examples in this guide are from Cisco Prime Infrastructure and LiveAction. Different NetFlow collector ap-
plications support different export version formats and you should align your flow record with the type of network
management platform used by your organization.

Step 1: Specify key fields. This determines unique flow. Be sure to include a separate match statement for each key field.
flow record [record name]
description [record description]
match [key field type] [key field value]
Table 87 Recommended FNF key fields for IWAN
Key field type Key field value

flow direction
interface input
ipv4 tos
protocol
source address
destination address
transport source port
destination port
Step 2: Specify non-key fields to be collected for each unique flow. Be sure to include a separate collect state-
ment for each non-key field.
flow record [record name]
collect [non-key field type] [non-key field value]
Table 88 Recommended FNF non-key fields for IWAN
Non-key field type Non-key field value

application name
flow sampler
routing source as
destination as
next-hop address ipv4
ipv4 source prefix
source mask
destination mask
dscp
id
transport tcp flags
interface output
counter bytes
packets
timestamp sys-uptime first
sys-uptime last

Example
flow record Record-FNF-IWAN
description Flexible NetFlow for IWAN Monitoring
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags

Procedure 2 Create flow exporter
The NetFlow data that is stored in the cache of the network device can be more effectively analyzed when ex-
ported to an external collector.
Creating a flow exporter is only required when exporting data to an external collector. If data is analyzed only on
the network device, you can skip this procedure.
Reader Tip
Most external collectors use SNMP to retrieve the interface table from the network device. Ensure
that you have completed the relevant SNMP procedures for your platform.
Different NetFlow collector applications support different export version formats (v5, v9, IPFIX) and expect to
receive the exported data on a particular UDP or TCP port (ports 2055, 9991, 9995, 9996 are popular). The
NetFlow RFC 3954 does not specify a specific port for collectors to receive NetFlow data. In this deployment, the
collector applications used for testing use the parameters designated in the following table.
Table 89 NetFlow collector parameters
Vendor Application Version Export capability Netflow destination port

Cisco Prime Infrastructure 3.0.2 Flexible NetFlow v9 UDP 9991
LiveAction LiveAction 4.1.2 Flexible NetFlow v9 UDP 2055
Step 1: Configure a basic flow exporter by using Netflow v9.
flow exporter [exporter name]

description [exporter description]
destination [NetFlow collector IP address]
source Loopback0
transport [UDP or TCP] [port number]
export-protocol netflow
Step 2: For FNF records, export the interface table for FNF. The option interface-table command enables the
periodic sending of an options table. This provides interface names through the NetFlow export.

option interface-table
template data timeout 600

Step 3: If you are using an NBAR flow record, export the NBAR application table. The option application-table
command enables the periodic sending of an options table that allows the collector to map the NBAR application
IDs provided in the flow records to application names.

option application-table
Step 4: If you are using an NBAR flow record, export the NBAR application attributes. The option application-
attributes command causes the periodic sending of NBAR application attributes to the collector.

option application-attributes
Step 5: If you are using the Cisco ISR-G2 series routers, enable output-features. Otherwise, NetFlow traffic that
originates from a WAN remote-site router will not be encrypted or tagged using QoS.

output-features
Example: LiveAction
flow exporter Export-FNF-Monitor-1
description FNFv9 NBAR2 with LiveAction
destination 10.4.48.178
source Loopback0
output-features ! this command is not required on IOS-XE routers
transport udp 2055
Example: Prime Infrastructure

flow exporter Export-FNF-Monitor-2
description FNFv9 NBAR2 with Prime
destination 10.4.48.36
source Loopback0
output-features ! this command is not required on IOS-XE routers
transport udp 9991

Step 6: Verify the NetFlow exporter configuration using the show flow exporter command.
RS41-2921# show flow exporter Export-FNF-Monitor-2
Flow Exporter Export-FNF-Monitor-2:

Description: FNFv9 NBAR2 with Prime
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.4.48.36
Source IP address: 10.255.241.41
Source Interface: Loopback0
Transport Protocol: UDP
Destination Port: 9991
Source Port: 64254
DSCP: 0x0
TTL: 255
Output Features: Used
Options Configuration:
interface-table (timeout 600 seconds)
application-table (timeout 600 seconds)
application-attributes (timeout 600 seconds)
Procedure 3 Create a flow monitor
The network device must be configured to monitor the flows through the device on a per-interface basis. The
flow monitor must include a flow record and optionally one or more flow exporters if data is to be collected and
analyzed. After the flow monitor is created, it is applied to device interfaces. The flow monitor stores flow in-
formation in a cache, and the timer values for this cache are modified within the flow monitor configuration. It is
recommended that you set the timeout active timer to 60 seconds, which exports flow data on existing long-lived
flows.
Step 1: Create the flow monitor, and then set the cache timers.
flow monitor [monitor name]

description [monitor description]
cache timeout active 60
cache timeout inactive 10

Step 2: Associate the flow record to the flow monitor. You can use either a custom or a built-in flow record.

record [record name]
Step 3: If you are using an external NetFlow collector, associate the exporters to the flow monitor. If you are us-
ing multiple exporters, add additional lines.

exporter [exporter name]
Example: Prime Infrastructure and LiveAction

flow monitor Monitor-FNF-IWAN
description IWAN Traffic Analysis
record Record-FNF-IWAN
exporter Export-FNF-Monitor-1
exporter Export-FNF-Monitor-2
cache timeout active 60
cache timeout inactive 10
Step 4: Verify the flow monitor configuration by using the show flow monitor command.
RS41-2921#show flow monitor

Flow Monitor Monitor-FNF-IWAN:
Description: IWAN Traffic Analysis
Flow Record: Record-FNF-IWAN
Flow Exporter: Export-FNF-Monitor-1
Export-FNF-Monitor-2
Cache:
Type: normal
Status: not allocated
Size: 4096 entries/0 bytes
Inactive Timeout: 10 secs
Active Timeout: 60 secs
Update Timeout: 1800 secs
Synchronized Timeout: 600 secs
Status: allocated
Size: 4096 entries/376856 bytes
Inactive Timeout: 15 secs
Active Timeout: 60 secs
Update Timeout: 1800 secs

Procedure 4 Apply flow monitor to router interfaces
A best practice for NetFlow in an IWAN deployment is to monitor all inbound and outbound traffic on the DMVPN
tunnel interfaces.
Step 1: Apply the flow monitor to the tunnel interface(s).
interface [name]
ip flow monitor [monitor name] input
ip flow monitor [monitor name] output
Example: Single-router dual-link remote site

interface Tunnel10
ip flow monitor Monitor-FNF-IWAN input
ip flow monitor Monitor-FNF-IWAN output
interface Tunnel11
Step 2: Verify the proper interfaces are configured for NetFlow monitoring using the show flow interface com-
mand.
RS41-2921# show flow interface

Interface Tunnel10
FNF: monitor: Monitor-FNF-IWAN
direction: Input
traffic(ip): on
direction: Output
traffic(ip): on
Interface Tunnel11
direction: Input
traffic(ip): on
direction: Output
traffic(ip): on

Step 3: At dual-router sites with a distribution layer, also apply the flow monitor to the interfaces that connect to
the distribution layer switch. This ensures that you capture all possible traffic flows.
Example: First router of a dual-router dual-link remote site

interface Port-channel1.50
Example: Second router of a dual-router dual-link remote site

interface Port-channel2.54
Step 4: Verify the dscp used in the network by displaying the NetFlow cache on the WAN aggregation routers.
Use the show flow monitor command.
show flow monitor Monitor-FNF-IWAN cache format table
The Cisco Prime example below shows the site-to-site topology for RS12, which is a dual router IWAN hy-
brid model remote site. The remote site graphic shows the logical separation of the MC and BR functions, even
though they are physically in the same router.
Figure 37 Cisco Prime: Site to site topology

Appendix A: Product List

WAN AGGREGATION
Place In Network Product Description Part Number SW Version Feature Set
WAN-aggregation Aggregation Services 1002X Router ASR1002X-5G-VPNK9 IOS-XE 03.16.01a.S Advanced
Router Enterprise
Aggregation Services 1001X Router ASR1001X-5G-VPN IOS XE 03.16.01a.S Advanced
Enterprise
Cisco ISR 4451-X Security Bundle ISR4451-X-SEC/K9 IOS XE 03.16.01a.S securityk9
with SEC License
WAN REMOTE SITE

Place In Network Product Desccription Part Number SW Version Feature Set
Modular WAN Cisco ISR 4451 AX Bundle with APP ISR4451-X-AX/K9 IOS-XE 03.16.01a.S securityk9,
Remote-site Router and SEC License appxk9
Cisco ISR 4431 AX Bundle with APP ISR4431-AX/K9 IOS XE 03.16.01a.S securityk9,
and SEC License appxk9
Cisco ISR 3945 AX Bundle with APP C3945-AX/K9 15.5(3)M1 securityk9,
and SEC License datak9, uck9
Unified Communications Paper PAK for SL-39-UC-K9
Cisco 3900 Series
Unified Communications Paper PAK for SL-29-UC-K9
Cisco 2900 Series
and SEC License datak9

INTERNET EDGE
Firewall Cisco ASA 5545-X ASA5545-K9 ASA 9.1(6)
Cisco ASA 5525-X ASA5525-K9 ASA 9.1(6)
Cisco ASA 5512-X Security Plus license ASA5512-SEC-PL
Firewall Management ASDM 7.5(2)
INTERNET EDGE LAN

DMZ Switch Cisco Catalyst 2960-X Series 24 10/100/1000 PoE WS-C2960X-24PS 15.2(3)E1 LAN Base
and 2 SFP+ Uplink
Cisco Catalyst 2960-X FlexStack-Plus Hot-Swap- C2960X-STACK
pable Stacking Module
LAN ACCESS LAYER

Modular Access Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) IP Base
Layer Switch sis with 48Gbps per slot
Cisco Catalyst 4500E Supervisor Engine 8-E, Uni- WS-X45-SUP8-E 3.7.1E(15.2.3E1) IP Base
fied Access, 928Gbps
Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber WS-X4712-SFP+E
Module
Cisco Catalyst 4500E 48-Port 802.3at PoE+ WS-X4748-RJ45V+E
10/100/1000 (RJ-45)
Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) IP Base
sis with 48Gbps per slot
Cisco Catalyst 4500E Supervisor Engine 7L-E, WS-X45-SUP7L-E 3.7.1E(15.2.3E1) IP Base
520Gbps
Cisco Catalyst 4500E 48 Ethernet 10/100/1000 WS-X4748-UPOE+E
(RJ45) PoE+,UPoE ports
Cisco Catalyst 4500E 48 Ethernet 10/100/1000 WS-X4648-
(RJ45) PoE+ ports RJ45V+E


Stackable Access Cisco Catalyst 3850 Series Stackable 48 Ethernet WS-C3850-48F 3.7.1E(15.2.3E1) IP Base
Layer Switch 10/100/1000 PoE+ ports
Cisco Catalyst 3850 Series Stackable 24 Ethernet WS-C3850-24P 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ Ports
Cisco Catalyst 3850 Series 2 x 10GE Network C3850-NM-2-10G
Module
Module
Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PD 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ and 2x10GE or 4x1GE Uplink
Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PS 3.7.1E(15.2.3E1) IP Base
10/100/1000 PoE+ and 4x1GE Uplink
Cisco Catalyst 3650 Series Stack Module C3650-STACK
Cisco Catalyst 2960-X Series 24 10/100/1000 WS-C2960X-24PD 15.2(3)E1 LAN Base
Ethernet and 2 SFP+ Uplink
Standalone Access Cisco Catalyst 3650 Series 24 Ethernet WS-C3650-24PS 3.7.1E(15.2.3E1) IP Base
Layer Switch 10/100/1000 PoE+ and 4x1GE Uplink
LAN DISTRIBUTION LAYER

Modular Distribution Cisco Catalyst 6500 VSS Supervisor 2T with 2 VS-S2T-10G 15.2(1)SY1 IP Services
Layer Virtual Switch ports 10GbE and PFC4
Pair
Cisco Catalyst 6800 Series 6807-XL 7-Slot Modu- C6807-XL 15.2(1)SY1 IP Services
lar Chassis
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE WS-X6904-40G-2T
Fiber Module w/DFC4
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter CVR-CFP-4SFP10G
for WX-X6904-40G module
Cisco Catalyst 6500 CEF720 48 port WS-X6748-GE-TX
10/100/1000mb Ethernet
Cisco Catalyst 6500 Distributed Forwarding Card 4 WS-F6K-DFC4-A
Cisco Catalyst 6500 Series 6506-E 6-Slot Chassis WS-C6506-E 15.2(1)SY1 IP services
Cisco Catalyst 6500 VSS Supervisor 2T with 2 VS-S2T-10G 15.2(1)SY1 IP services
ports 10GbE and PFC4
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE WS-X6904-40G-2T
Fiber Module w/DFC4
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter CVR-CFP-4SFP10G
for WX-X6904-40G module
Cisco Catalyst 6500 48-port GigE Mod (SFP) WS-X6748-SFP
Cisco Catalyst 6500 24-port GigE Mod (SFP) WS-X6724-SFP

Place in Network Product Description Part Number SW Version Feature Set

Extensible Fixed Cisco Catalyst 6800 Series 6880-X Extensible C6880-X-LE 15.2(1)SY1 IP Services
Distribution Layer Fixed Aggregation Switch (Standard Tables)
Virtual Switch Pair
Cisco Catalyst 6800 Series 6880-X Multi Rate Port C6880-X-LE-
Card (Standard Tables) 16P10G
Modular Distribution Cisco Catalyst 4500E Series 4507R+E 7-slot Chas- WS-C4507R+E 3.7.1E(15.2.3E1) Enterprise
Layer Virtual Switch sis with 48Gbps per slot Services
Pair
Cisco Catalyst 4500E Supervisor Engine 7-E, WS-X45-SUP7-E 3.7.1E(15.2.3E1) Enterprise
848Gbps Services
Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber WS-X4712-SFP+E
Module
Cisco Catalyst 4500E 48-Port 802.3at PoE+ WS-X4748-RJ45V+E
10/100/1000 (RJ-45)
Fixed Distribution Cisco Catalyst 4500-X Series 32 Port 10GbE IP
Layer Virtual Switch Base Front-to-Back Cooling WS-C4500X-32SFP+
Pair 3.5.3E(15.2.1E3) Enterprise Services
Stackable Cisco Catalyst 3850 Series Stackable Switch with WS-C3850-12S 3.7.1E(15.2.3E1) IP Services
Distribution Layer 12 SFP Ethernet
Switch
Module
Module

Appendix B: Technical Feature Supplement
Appendix B: Technical Feature Supplement

FRONT DOOR VRF FOR DMVPN
Building an IPsec tunnel requires reachability between the crypto routers. When you use the Internet, routers use
a default route to contact their peers.
Figure 38 IPsec tunnel

WAN Distribution
Default
Inside
DMVPN Hub Router Internet Edge
Default
VPN-DMZ
Default
Outside
Internet
t
ul
fa
De
DMVPN Spoke Router
2034F
Default Route
If you need to extend the internal network and the same default routing options that are available to internal users,
you must advertise a default route to the VPN hub router. For details, see section A in the following figure.
Figure 39 IPsec tunnel before/after default route injection

A B
WAN WAN
Distribution Distribution
Default Default
EIG
EIG
RP
RP
De
De
fa
fa
Inside
ul
Inside
ul
t
DMVPN Internet Edge DMVPN Internet Edge

Default
Hub Router Default Hub Router
VPN-DMZ VPN-DMZ
Default Default
Outside Outside
Internet Internet
lt lt
fau fau
DMVPN De DMVPN De
Spoke Spoke
Router Router
2035F
2035

Applying Qos Configurations To Remote Site Routers

Uploaded by

Copyright:

Available Formats

Applying Qos Configurations To Remote Site Routers

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Applying Qos Configurations To Remote Site Routers

Uploaded by

Copyright:

Available Formats

Deploying IWAN Quality of Service

Applying QoS Configurations to Remote Site Routers

2. Configure physical interface QoS policy on remote-site routers

3. Apply QoS policy to the physical interface on remote-site routers

4. Verify QoS policy on physical interfaces of remote site router

5. Verify DMVPN per-tunnel QoS from hub routers

Procedure 1 Configure per-tunnel QoS NHRP policy on remote-site routers

Example: Remote-site router with dual-link

Procedure 2 Configure physical interface QoS policy on remote-site routers

Cisco Validated Design page 257

Step 1: Create the parent policy map.

Step 2: Configure the shaper.

Example: Remote-site router with dual-link

Procedure 3 Apply QoS policy to the physical interface on remote-site routers

Step 1: Select the WAN interface.

interface [interface type] [number]

Cisco Validated Design page 258

Step 2: Apply the WAN QoS policy.

The service policy needs to be applied in the outbound direction.

service-policy output [policy-map-name]

Example: Remote-site router with dual-link

Procedure 4 Verify QoS policy on physical interfaces of remote site router

This example is truncated due to the overall length.

RS11-2921# show policy-map interface GigabitEthernet 0/0

Service-policy output: POLICY-TRANSPORT-1

Class-map: class-default (match-any)

Cisco Validated Design page 259

queue stats for all priority classes:

Class-map: INTERACTIVE-VIDEO (match-any)

af41 530608/209102464 0/0 0/0

Cisco Validated Design page 260

Procedure 5 Verify DMVPN per-tunnel QoS from hub routers

This example is truncated due to the overall length.

VPN-MPLS-ASR1002X-1# show dmvpn detail

Interface Tunnel10 is up/up, Addr. is 10.6.34.1, VRF ""

Cisco Validated Design page 261

NHRP group: RS-GROUP-30MBPS

Cisco Validated Design page 262

Deploying IWAN Monitoring

Configuring Flexible NetFlow for IWAN Monitoring

2. Create flow exporter

3. Create a flow monitor

4. Apply flow monitor to router interfaces

5. Configure the platform base features

Procedure 1 Create flexible NetFlow flow record

Cisco Validated Design page 263

Table 87 Recommended FNF key fields for IWAN

Key field type Key field value

Table 88 Recommended FNF non-key fields for IWAN

Non-key field type Non-key field value

Cisco Validated Design page 264

Cisco Validated Design page 265

Procedure 2 Create flow exporter

Table 89 NetFlow collector parameters

Vendor Application Version Export capability Netflow destination port

Step 1: Configure a basic flow exporter by using Netflow v9.

flow exporter [exporter name]

flow exporter [exporter name]

Cisco Validated Design page 266