
Help with Cisco DMVPN configs


snzero

Technical User
May 17, 2008
4
GB
Hi,

I am in the process of configuring a DMVPN between 3 x Cisco 1841s. I have never previously done this so I am not 100% sure that what I have configured will work. My configs are below. My main questions are:

1. Do the configs below look like they will work?

2. Ideally I would like to put an ACL on the External interface. However, I am not sure what ports or protocols I need to allow through for the DMVPN to work correctly (if any at all). Also, do I need to put an ACL on the Tunnel interface?

3. At the SPOKE end I would like to configure QOS to prioritize the VPN traffic. I am concerned that if users are downloading large files over the internet that the users that access data over the VPN tunnel will slow down so I would like a way of guaranteeing bandwidth for the VPN. I believe that QOS is the way to do this but I have never done this before so would like a few pointers.

-----------------------------------------------------

Here is the HUB config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hq
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-17.bin
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
ip cef
!
!
!
ip domain name domain.com
!
!
crypto pki trustpoint TP-self-signed-3122676952
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3122676952
revocation-check none
rsakeypair TP-self-signed-3122676952
!
!
crypto pki certificate chain TP-self-signed-3122676952
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313232 36373639 3532301E 170D3038 30353132 31393334
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31323236
37363935 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BDB9 3E42673A DF17FDC5 D536AD7F 5218AE46 5C25ACD3 9861C183 ED2A7A49
A9FB63A5 09A657C7 85AF8B8F 75EE6117 5B29DAAB 8342E31B 0AC360BC 500EF20E
C71FF5CD 345C76F0 60CADF06 AB7D8371 4C447147 F5F698F9 969918C6 2A9389A1
73B87CF0 D021FCEC E44F4AB7 7675C59F F45E8548 B34C70CA 4E0EF4E5 89EB7FF3
FC330203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
551D1104 1A301882 16796F75 726E616D 652E7061 726B616D 646F6D2E 636F6D30
1F060355 1D230418 30168014 B1A7EE1B B6ABBA71 7D013AA9 D3100591 1C03FA14
301D0603 551D0E04 160414B1 A7EE1BB6 ABBA717D 013AA9D3 1005911C 03FA1430
0D06092A 864886F7 0D010104 05000381 810046CC 42C02981 3C0C597A 3880A249
D8958940 1D679B3C 0DDC46C0 E1E1E11E CF195DE6 40CD9448 2B888564 7E0889A1
83B741CE 967997C6 8A864F46 EF80BAC0 0936D4D1 FE55B2A3 04DF52D2 3A240456
4D39BB84 3895286C 2E0568E6 ED2E9AFC 18740F02 0E90FA14 D8D4FC85 701D13EC
2D491F9B AC0E89AD 8C6F0249 D2578B59 16CD
quit
username admin privilege 15 secret 5 $1$7Kr5$cC6pTLWjL98pU0Oeemrk42
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345678 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set SET1 esp-des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set SET1
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.250.254 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
description Internal
ip address 192.168.27.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description External
ip address 62.xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
router eigrp 1
network 192.168.27.0
network 192.168.250.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 62.xxx.xxx.xxx permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet0/1 overload
!
!
access-list 100 permit ip 192.168.27.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
----------------------------------------------------

Here is the SPOKE config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname branch1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
ip cef
!
!
!
!
ip domain name domain.com
!
!
crypto pki trustpoint TP-self-signed-3159821177
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3159821177
revocation-check none
rsakeypair TP-self-signed-3159821177
!
!
crypto pki certificate chain TP-self-signed-3159821177
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313539 38323131 3737301E 170D3038 30353134 31393435
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31353938
32313137 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DB37 B39DAC6D 3B001EBA 226E519A 71FB1EF6 EE2C4A8C 658BDAAF C656F91D
91D1EFF0 2D6CCE8D 00B04DB2 C564ECBF 207E6AFA 13C0415E CDE101FF 1B1191F5
1815DD96 AF6923D8 B6A27EE8 726538C0 45613CCB 0902BCB3 CD589AE5 49A2F7D2
A5EE7BD5 2C127789 D30BAC81 2210E5CD C88729AD 8B8B2B48 292CD1BC 37D4E52F
DE7D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14D70215 737489DA 7BABAC77 B4664145 D46E0C52
EE301D06 03551D0E 04160414 D7021573 7489DA7B ABAC77B4 664145D4 6E0C52EE
300D0609 2A864886 F70D0101 04050003 8181001D 4189F95C DB9D5D87 3AB3D18C
EDF4A1A6 8D0D699A EB82D9ED 7704FC85 AE23594B 72E20121 5246E1C3 CC0E9AB1
F639E760 4B0408D5 08F3CE55 9B1DD4A7 55F1B767 123ADFD7 A5F3A49C 05F02095
998AFC4C 9B4AC8D4 76C5B535 AD24FEF3 C813E568 BAD1C06E 78FDE4B5 8FB59DC7
72CE1812 F5F91286 7A445177 C22573A3 79F030
quit
username admin privilege 15 secret 5 $1$bmKy$MfqixXUNdxcB.iwTAj1Tp0
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345678 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set SET1 esp-des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set SET1
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.250.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.250.254 62.xxx.xxx.xxx
ip nhrp map multicast 62.xxx.xxx.xxx
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.250.254
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
description Internal
ip address 192.168.26.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description External$ETH-WAN$
ip address 62.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
router eigrp 1
network 192.168.26.0
network 192.168.250.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 62.xxx.xxx.xxx permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.26.7 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.26.7 5081 interface FastEthernet0/1 5081
ip nat inside source static tcp 192.168.26.7 5080 interface FastEthernet0/1 5080
!
access-list 100 permit ip 192.168.26.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Any help will be greatly appreciated.
 
1. The DMVPN config looks pretty good; however, as you are using NAT, things need to be done slightly differently (on both the hub and spoke routers) in order for it to work.

First, add "ip nat inside" to your tunnel interfaces.

Next, a route-map needs to be used for NAT translations.

In your current config, you are using these commands for NAT translation:

ip nat inside source list 100 interface FastEthernet0/1 overload

access-list 100 permit ip 192.168.27.0 0.0.0.255 any

replace this with:

access-list 100 deny ip 192.168.27.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.27.0 0.0.0.255 any

route-map dmvpnnat permit 10
match ip address 100

ip nat inside source route-map dmvpnnat interface FastEthernet0/1 overload

(of course this is an example of the hub... the spoke is configured with the same, but with the source addresses related to the router the ACL is being configured on.)

2. I wish I could help you out regarding the specific protocols for DMVPN; however, if you apply an ACL to the tunnel interface, it only applies to data being transferred over the DMVPN. As long as you permit DMVPN (IPsec) traffic on the external interface, encrypted traffic will flow freely through the DMVPN to the destination network (if an ACL is not applied to the tunnel).
I'm pretty sure that a standard IPsec VPN can be configured on an ACL using:

access-list 110 permit udp any any eq 500
access-list 110 permit udp any any eq 4500
access-list 110 permit 50 any any
access-list 110 permit 51 any any
access-list 110 deny ip any any


3. QoS is the best way to accomplish this. There are two methods that could accomplish this: prioritizing VPN traffic (externally), or prioritizing the protocols that pass through the VPN. I prefer the second method. If you want to prioritize the protocols that pass through the VPN (in regards to the entire external interface), you need to add the command "qos pre-classify" to the tunnel interface. That way, the router will take into consideration what is traveling over the VPN and not just the VPN packets itself.

If you need help with this, just respond back.
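The two ACL points in the reply above (the deny-before-permit NAT ACL used by the route-map, and the external-interface ACL that lets only ISAKMP, NAT-T, ESP and AH through) both come down to how IOS evaluates a numbered access list: first match wins, wildcard bits set to 1 are ignored, and an unmatched packet hits the implicit deny. The Python below is an added illustration of that evaluation and is not code from the thread or from Cisco; it parses the exact ACL lines quoted above and runs constructed packets through them. The function names, the sample source and destination addresses (the spoke LAN 192.168.26.7, an Internet host, and a placeholder peer 203.0.113.5) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS protocol keywords mapped to IP protocol numbers; "ip" matches every protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None for "ip" (any protocol)
    src: Tuple[int, int]        # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dst_port: Optional[int]     # set only by "eq <port>" on tcp/udp entries


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tokens[i]; return spec and next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered IOS access-list lines (the subset of syntax used in this thread)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        proto_tok = t[3]
        proto = PROTO_NUMBERS[proto_tok] if proto_tok in PROTO_NUMBERS else int(proto_tok)
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(t[2], proto, src, dst, port))
    return entries


def wildcard_match(addr: int, spec: Tuple[int, int]) -> bool:
    """Cisco wildcard semantics: a 0 bit must equal the network bit, a 1 bit is ignored."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(entries: List[AclEntry], src: str, dst: str, proto: int,
               dst_port: Optional[int] = None) -> str:
    """Top-down evaluation: the first matching entry decides; the list ends in an implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto is not None and e.proto != proto:
            continue
        if not (wildcard_match(s, e.src) and wildcard_match(d, e.dst)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


def nat_translates(nat_acl: List[AclEntry], src: str, dst: str, proto: int,
                   dst_port: Optional[int] = None) -> bool:
    """For a NAT ACL (directly or via the route-map), 'permit' means translate, 'deny' means leave alone."""
    return acl_action(nat_acl, src, dst, proto, dst_port) == "permit"


# ACL lines copied from the thread (hub side).
ORIGINAL_ACL_100 = ["access-list 100 permit ip 192.168.27.0 0.0.0.255 any"]
FIXED_ACL_100 = [
    "access-list 100 deny ip 192.168.27.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 100 permit ip 192.168.27.0 0.0.0.255 any",
]
ACL_110 = [
    "access-list 110 permit udp any any eq 500",
    "access-list 110 permit udp any any eq 4500",
    "access-list 110 permit 50 any any",
    "access-list 110 permit 51 any any",
    "access-list 110 deny ip any any",
]

if __name__ == "__main__":
    orig, fixed = parse_acl(ORIGINAL_ACL_100), parse_acl(FIXED_ACL_100)
    # Constructed packet: RDP from the hub LAN to the spoke LAN. The one-line ACL NATs it
    # (so it leaves with the public source address); the deny-first ACL leaves it untranslated.
    print("original ACL NATs VPN traffic:  ", nat_translates(orig, "192.168.27.10", "192.168.26.7", 6, 3389))
    print("fixed ACL NATs VPN traffic:     ", nat_translates(fixed, "192.168.27.10", "192.168.26.7", 6, 3389))
    print("fixed ACL NATs Internet traffic:", nat_translates(fixed, "192.168.27.10", "8.8.8.8", 6, 80))
    ext = parse_acl(ACL_110)
    for label, proto, port in [("ESP", 50, None), ("ISAKMP", 17, 500), ("NAT-T", 17, 4500), ("HTTP", 6, 80)]:
        print(f"inbound {label}: {acl_action(ext, '203.0.113.5', '62.0.0.1', proto, port)}")
```

Running it shows why the order of the two lines in access-list 100 matters: with the original single permit, traffic for the other 192.168.x.x sites is translated and never reaches the tunnel with its private source address, while the deny entry in front of the permit excludes it from NAT. For access-list 110, GRE (protocol 47) is denied, which is expected here because "tunnel protection ipsec" wraps the GRE packets in ESP before they reach the external interface.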
 
Hi,

Thanks for the reply. I think I now have the VPN set up all done.

I am really interested in QOS. The reason for the VPN is for the SPOKE offices to connect to a Terminal Server (TCP 3389) and a POP3 server (TCP 110) on the HUB end.

I would ideally like to prioritize these types of traffic or alternatively just prioritize ANY traffic over the VPN.

I have been looking at this article:
It just seems to say that all that is needed is to add the "qos pre-classify" command to the tunnel interface. Surely there is more to it than that?
 
Correct. As the data becomes encrypted before reaching the external interface, the external interface will not know what is inside the VPN packets.

The Qos Pre-Classify command allows the router to pass QoS information about the packet to the external interface, so that the external interface will know how to handle it.

In other words, suppose you have 5 streams of traffic:
Http Traffic (To Internet)
POP3 Traffic (Through VPN)
FTP Traffic (To Internet)
RDP Traffic (Through VPN).

Without the Qos Pre-Classify command, the external interface will only see
Http Traffic
Encrypted VPN Traffic
FTP Traffic
Encrypted VPN Traffic

The Qos Pre-Classify allows the external interface to be informed of the information, in order to make QoS Decisions.
Http Traffic
Encrypted VPN Traffic (Carrying POP3)
FTP Traffic
Encrypted VPN Traffic (Carrying RDP).

However, this only allows the router to identify traffic and a QoS Policy will need to be created. There are a couple of ways to do this. What is the external interface attached to? Cable / LAN-E? Also, what is the speed of the connection?
 
Hi,

Sorry it has taken me so long to reply. Thanks again for the advice.

The external interface is a 2mb leased line (ethernet).

 
As you are utilizing an ethernet connection for your external connection, we have to configure the router to shape/police traffic down to 2mbps before it is sent out the interface.

This is because although your network connection is 2mbps, the router will attempt to transmit at 10 or 100mbps (since it's ethernet) and fills up the interface queue on your WAN equipment (As it can only send out data at 2mbps).

First, apply "qos pre-classify" to your tunnel interface.

Next, add the command "bandwidth 2000" (or 2048 if it's supposed to be 2MB) to the FastEthernet0/1 interface. This command doesn't slow down the link; however, it allows services such as QoS to be configured with the correct rates.

Then, add the following to your config:

access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 110

class-map match-any RoutingProtocols
match dscp cs6
class-map match-any RDPPOP3
match access-group 111
!
!
policy-map TrafficQueues
class RDPPOP3
priority percent 50
police cir 1000000
conform-action transmit
exceed-action drop
class RoutingProtocols
bandwidth percent 2
class class-default
fair-queue
random-detect
police cir 960000
conform-action transmit
exceed-action drop
policy-map TrafficShaping
class class-default
shape average 2000000
service-policy TrafficQueues


This queuing works the following way:
-First of all, it shapes traffic to 2000kbps, then it sorts the traffic into queues.
-Next, it provides priority to RDP and POP3 (determined by access-list 111) and allocates 1000kbps (50% of 2000kbps) for that traffic. I should note that "priority" command isn't really associated with this type of traffic as it is not considered time-sensitive (VoIP is, however). "priority" can be replaced with "bandwidth" if you'd prefer to assign it to a standard queue.
-Next, it provides 40kbps (2% of 2000kbps) to ensure that eigrp traffic can pass through the network.
-Finally, all other data can use 960kbps of the link. However, if the interface gets congested, it will use WRED to drop packets to clear up the link.

Now to enable this QoS setup, apply "service-policy output TrafficShaping" to your FastEthernet0/1 interface.

You can use "show policy-map int FastEthernet0/1" to determine if you need to adjust bandwidth settings (it will tell you how many packets conformed / exceeded each of the queues).

If you decide to change the bandwidth settings, don't forget to change the bandwidth / priority (stated as a percentage of 2000kbps), as well as the police command (stated in bps). Don't forget to also change the class-default bandwidth, to be a remainder of the available bandwidth, after the bandwidth from the queues is subtracted.

Finally if the link is 2048kbps (instead of 2000kbps), change the class-default (under TrafficShaping) to 2048000
 
Hi,

Thanks for this. Just a couple more questions if I may. What is the best way to tell if the link is 2000kbps or 2048kbps?

Also, just to make sure I have got this clear in my head, if I apply the QOS settings you have given me and there is a day when there isn't much use of the pop3/rdp services, will the regular internet users still only get 960kbps or will they get the full 2mbps?

Thanks again for all your help.
 
It most likely is 2048kbps. A good idea would be to run a speed test using a site such as speedtest.net or dslreports.com to determine the speeds you are receiving (make sure to do it when no other traffic is running), as QoS works best when it is configured with actual data figures rather than advertised data figures (if you have an 8mb line, but can only achieve 7.25mbps, you need to adjust your settings to reflect the 7.25mbps).

For your second point: yes. QoS works by reserving bandwidth for the pop3 / rdp policy. So even if you have no data transmitted, the most you could transmit is 960kbps.

The bandwidth for pop3 / rdp was just a guess. If you find that everything is running smoothly, you can run the "show policy-map int FastEthernet0/1" which will give you a 5-minute rate of the data being transmitted over that line. You may find out that you only need 400-500kbps.

One last thing: I made a mistake to that qos policy.
Remove the
police cir 1000000
conform-action transmit
exceed-action drop
from the RDPPOP3 class. By removing it, it will guarantee that RDP & POP3 always have 50% (1000kbps) of the bandwidth; however, if you have excessive amounts of POP3 and RDP traffic being transmitted, it can go above 1000kbps of bandwidth if there is enough bandwidth available from the class-default class. (If your 2mb line is free, you don't want RDP-POP3 to only be able to consume 50% of it; you'd like it to use as much bandwidth as is free.)
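The TrafficQueues / TrafficShaping policy posted earlier expresses the queues as percentages of the shaped rate, while the policers are in absolute bps, and the correction above removes the policer from the priority class because it pinned that class to exactly its guarantee. The Python below is an added example, not code from the thread or from Cisco, that turns the shape rate and the class percentages into kbps per queue (including the class-default remainder), recomputes them for a 2048kbps line, and flags a "police cir" that is no higher than the class's own guarantee. The QueueClass structure, the plan_queues function and its wording of the findings are assumptions of this example; the numbers are the ones from the policy above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class QueueClass:
    name: str
    percent: float                    # N from "priority percent N" or "bandwidth percent N"
    is_priority: bool = False         # True for an LLQ "priority" class, False for a CBWFQ "bandwidth" class
    police_cir: Optional[int] = None  # bps from an embedded "police cir <bps>", if present


def plan_queues(shape_bps: int, classes: List[QueueClass],
                default_police_cir: Optional[int] = None) -> Tuple[Dict[str, float], List[str]]:
    """Convert class percentages of the parent shape rate into kbps per queue and
    report settings that would stop a class from using idle bandwidth."""
    findings: List[str] = []
    allocated = sum(c.percent for c in classes)
    if allocated > 100:
        findings.append(f"classes claim {allocated}% of the shaped rate; more than 100% cannot be honoured")
    kbps: Dict[str, float] = {}
    for c in classes:
        guaranteed_bps = shape_bps * c.percent / 100
        kbps[c.name] = guaranteed_bps / 1000
        # A policer at or below the guarantee is a hard ceiling: the class keeps its share under
        # congestion but can never borrow from class-default when the link is otherwise idle.
        if c.police_cir is not None and c.police_cir <= guaranteed_bps:
            findings.append(
                f"{c.name}: police cir {c.police_cir} bps is at or below its guarantee "
                f"({int(guaranteed_bps)} bps), so it can never use idle bandwidth from other classes")
    # class-default gets whatever the explicit classes did not reserve.
    remainder_bps = shape_bps * (100 - allocated) / 100
    kbps["class-default"] = remainder_bps / 1000
    if default_police_cir is not None:
        findings.append(
            f"class-default: police cir {default_police_cir} bps caps best-effort traffic at "
            f"{default_police_cir // 1000} kbps even when the other queues are idle")
    return kbps, findings


# The policy as first posted: priority class policed at 1000000 bps, class-default policed at 960000 bps.
THREAD_POLICY = [
    QueueClass("RDPPOP3", 50, is_priority=True, police_cir=1_000_000),
    QueueClass("RoutingProtocols", 2),
]
# The policy after the correction: policer removed from the RDPPOP3 class.
CORRECTED_POLICY = [
    QueueClass("RDPPOP3", 50, is_priority=True),
    QueueClass("RoutingProtocols", 2),
]

if __name__ == "__main__":
    for label, classes, default_cir in [("as posted", THREAD_POLICY, 960_000),
                                        ("corrected", CORRECTED_POLICY, None)]:
        for shape in (2_000_000, 2_048_000):
            rates, notes = plan_queues(shape, classes, default_cir)
            print(f"{label}, shape {shape // 1000} kbps:", rates)
            for n in notes:
                print("  !", n)
```

The output for the posted policy at 2000kbps reproduces the 1000 / 40 / 960 kbps split described in the thread and raises two findings (the policer on RDPPOP3 and the one on class-default); the corrected policy keeps the same guarantees with no findings, and re-running it with shape 2048000 shows the figures to use if the speed test says the line really is 2048kbps.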
 