Thursday, 2 August 2012

RIP over GRE Tunnel with QoS Configuration

In this configuration I have 4 routers R1, R2, R3 and R4. R2 and R3 run External BGP. There is also a GRE tunnel running between R2 and R3 over which we run RIP. R1 and R4 also run RIP. QoS configuration is applied to the tunnel interface via a service policy which shapes the traffic based on which access list it matches. 
This configuration was made on GNS3 with 2691 routers running C2691-ADVENTERPRISEK9-M. 
Irrelevant parts of the config below have been omitted for brevity.


=~=~=~=~=~=~=~=~=~=~=~= R1 =~=~=~=~=~=~=~=~=~=~=~=
hostname R1
!
! Two loopback interfaces to allow us to differentiate the traffic for the class-maps
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
! We run RIP to learn routes from R2
router rip
 version 2
 network 1.0.0.0
 network 11.0.0.0
 network 192.168.0.0
 network 192.168.1.0
 no auto-summary
!

=~=~=~=~=~=~=~=~=~=~=~= R2 =~=~=~=~=~=~=~=~=~=~=~=
hostname R2
!
! We create two class-maps which match named access lists
class-map match-all CMAP_MATCH11
 match access-group name MATCH11
class-map match-all CMAP_MATCH1
 match access-group name MATCH1
!
! We have a policy-map which shapes the two class-maps to 8K and 512K respectively.
! If traffic matches ACL MATCH1 it is allocated 8K of bandwidth; if it matches
! ACL MATCH11 it gets 512K of bandwidth.
policy-map TUNNEL
 class CMAP_MATCH1
  shape average 8000
 class CMAP_MATCH11
  shape average 512000
 class class-default
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! We have a tunnel interface with a service policy applied
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 3.3.3.3
 service-policy output TUNNEL
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
!
! We run RIP over the LAN and tunnel interfaces only
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel0
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
! BGP to R3 to carry the tunnel
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.2.254 remote-as 2
 neighbor 192.168.2.254 next-hop-self
 no auto-summary
!
! ACLs to match the source and destination loopbacks
ip access-list extended MATCH1
 permit ip host 1.1.1.1 host 4.4.4.4
ip access-list extended MATCH11
 permit ip host 11.11.11.11 host 44.44.44.44
!
!
=~=~=~=~=~=~=~=~=~=~=~= R3 =~=~=~=~=~=~=~=~=~=~=~=
hostname R3
!
!
! Class-map, policy-map and ACLs are basically the reverse of R2
class-map match-all CMAP_MATCH44
 match access-group name MATCH44
class-map match-all CMAP_MATCH4
 match access-group name MATCH4
class-map match-all MyClass
!
!
policy-map TUNNEL
 class CMAP_MATCH4
  shape average 8000
 class CMAP_MATCH44
  shape average 512000
 class class-default
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 service-policy output TUNNEL
!
interface FastEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 speed 100
 full-duplex
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface Loopback0
 no passive-interface Tunnel0
 network 10.0.0.0
 network 192.168.3.0
 no auto-summary
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 no auto-summary
!
ip access-list extended MATCH4
 permit ip host 4.4.4.4 host 1.1.1.1
ip access-list extended MATCH44
 permit ip host 44.44.44.44 host 11.11.11.11
!

=~=~=~=~=~=~=~=~=~=~=~= R4 =~=~=~=~=~=~=~=~=~=~=~=
hostname R4
!
! Again, R4 is basically a mirror of R1
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 44.44.44.44 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.3.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 speed 100
 full-duplex
!
router eigrp 1
 network 0.0.0.0
 no auto-summary
!
router rip
 version 2
 network 44.0.0.0
 network 0.0.0.0
 no auto-summary
!

=~=~=~=~=~=~=~=~=~=~=~= Verification =~=~=~=~=~=~=~=~=~=~=~=
A traceroute from R1 lo0 to R4 lo0 shows the traffic goes via the tunnel interface (hop 2, 10.0.0.2, is R3's Tunnel0 address)
R1#traceroute 4.4.4.4 source 1.1.1.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 192.168.1.254 48 msec 24 msec 16 msec
  2 10.0.0.2 44 msec 44 msec 28 msec
  3 192.168.3.254 96 msec *  68 msec

An extended ping with a larger packet size. This traffic matches ACL MATCH1, so it is shaped to 8K; note the average RTT is 482 ms
R1#ping 4.4.4.4 source 1.1.1.1 size 500 rep 50

Type escape sequence to abort.
Sending 50, 500-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 40/482/1008 ms

An extended ping, but this time we specify the other loopbacks as source and destination so that we match ACL MATCH11 and hit the QoS class with the higher bandwidth; note the much better average RTT of 58 ms
R1#ping 44.44.44.44 so 11.11.11.11 size 500 rep 50

Type escape sequence to abort.
Sending 50, 500-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 20/58/92 ms

On R2, if we issue the show policy-map interface command we see the following. Note the delayed packets on the CMAP_MATCH1 class and none on the CMAP_MATCH11 class.
R2#sh policy-map interface
 Tunnel0

  Service-policy output: TUNNEL

    Class-map: CMAP_MATCH1 (match-all)
      361 packets, 184332 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH1
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
             8000/8000      2000   8000      8000      1000      1000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         361       175776    174       87000     no

    Class-map: CMAP_MATCH11 (match-all)
      460 packets, 239040 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH11
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          5120000/5120000   32000  128000    128000    25        16000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         460       228000    0         0         no

    Class-map: class-default (match-any)
      139 packets, 15568 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
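
The RTT gap between the two pings follows from the shaping parameters printed above. The Python sketch below is an added example, not part of the original post: it is a simplified token-bucket model (not IOS's actual scheduler) fed with the Byte Limit, Interval and Increment columns of each class; the 40 ms unshaped RTT, the full starting bucket and modelling only R2's shaper are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Shaper:
    """Token bucket built from the 'Traffic Shaping' columns of the output."""
    byte_limit: int    # "Byte Limit": bucket capacity in bytes
    interval_ms: int   # "Interval (ms)": refill period
    increment: int     # "Increment (bytes)": tokens added per interval


# Values copied from the R2 output above.
CMAP_MATCH1 = Shaper(byte_limit=2000, interval_ms=1000, increment=1000)
CMAP_MATCH11 = Shaper(byte_limit=32000, interval_ms=25, increment=16000)


def simulate_ping(shaper, packet_bytes=500, count=50, base_rtt_ms=40):
    """Return the RTT in ms of each echo sent through one shaper.

    Model assumptions: the bucket starts full, only the sending router's
    shaper is modelled, base_rtt_ms is the unshaped RTT, and each echo is
    sent when the previous reply arrives.
    """
    if packet_bytes > shaper.byte_limit:
        raise ValueError("packet can never conform to this bucket")
    tokens, next_refill, now, rtts = shaper.byte_limit, shaper.interval_ms, 0, []
    for _ in range(count):
        depart = now
        # Apply refills already due, then wait for later ones until the
        # bucket holds enough tokens for this packet.
        while next_refill <= depart or tokens < packet_bytes:
            depart = max(depart, next_refill)
            tokens = min(shaper.byte_limit, tokens + shaper.increment)
            next_refill += shaper.interval_ms
        tokens -= packet_bytes
        rtts.append(depart - now + base_rtt_ms)
        now = depart + base_rtt_ms
    return rtts


def summarize(rtts, base_rtt_ms=40):
    """Return (min, rounded average, max, packets delayed by the shaper)."""
    delayed = sum(1 for r in rtts if r > base_rtt_ms)
    return min(rtts), round(sum(rtts) / len(rtts)), max(rtts), delayed


if __name__ == "__main__":
    for name, shaper in (("CMAP_MATCH1", CMAP_MATCH1), ("CMAP_MATCH11", CMAP_MATCH11)):
        print(name, summarize(simulate_ping(shaper)))
```

With these inputs the model gives 40/462/960 ms with 23 of 50 packets delayed for CMAP_MATCH1, and a flat 40 ms with nothing delayed for CMAP_MATCH11. That is the same pattern as the measured 40/482/1008 ms and 20/58/92 ms, and as the Packets Delayed column on R2.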