Product Bulletin No. 3219
Last Updated: August, 2006
SUPPORTED RELEASES AND PLATFORMS
• For Hubs: Cisco IOS Software Release 12.4 (9 )T and later, For Spokes: Release 12.4 (9)T. For 831 Spokes: Release 12.3 (11) T10
• Cisco 7200 Series Routers and 7301 Routers
• Cisco 800, 1700, 1800, 2600XM, 2800, 3700, 3800 Series Routers
ISSUE DESCRIPTION
Cisco IOS Software Dynamic Multipoint VPN (DMVPN) Hub Support by Quality of Service (QoS) Class is supported on the Cisco 7200, 7301, 800, 1700, 1800, 2600XM, 2800, 3700, 3800 Routers.
BACKGROUND
Cisco IOS Software DMVPN was first introduced in Cisco IOS Software Release 12.2(13)T. It allows users to better scale large and small IP security (IPsec) VPNs by combining Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
DMVPN hub support by QoS class is supported to provide
• Priority to time-sensitive applications by pre-classifying packets based on the original packet header
• On 7200 platforms, Low Latency Queuing (LLQ) before encryption when the encryption engine is congested
• Protection for critical control traffic before and after encryption
In a typical DMVPN integration with QoS support, access control lists are used to match the source and destination IP addresses to distinguish one remote site from another, the customers can use Qos-group as a match criteria in the QoS policy to distinguish one remote site from another. This is done by setting Qos-group in the ISAKMP-Profile, and this is used as a match criteria destined to remote sites. In the configuration below different Qos groups are used to match traffic destined to REMOTE-1 and REMOTE-2.
SAMPLE CONFIGURATION
class-map match-all REMOTE-1
match qos-group 1
class-map match-all REMOTE-2
match qos-group 2
class-map match-all VOICE
match ip dscp ef
!
policy-map CHILD-REMOTE-1
class VOICE
priority 256
class class-default
fair-queue
policy-map CHILD-REMOTE-2
class VOICE
priority 512
class class-default
fair-queue
policy-map PARENT
class REMOTE-1
shape average 1000000
service-policy CHILD-REMOTE-1
class REMOTE-2
shape average 2000000
service-policy CHILD-REMOTE-2
!
Crypto ISKAMP profile SPOKE1
qos-group 1
Crypto ISAKMP profile SPOKE2
qos-group 2
Interface fastethernet 0/1
Service-policy output PARENT
SOLUTION
For the latest platform support, please refer to the Cisco Feature Navigator at http://www.cisco.com/go/fn.
QUESTIONS OR CONCERNS
Please contact dmvpn-qos-field-note@cisco.com with any questions or concerns.