qos_classn_xe
Inbound Policy Marking for dVTI
Downloads: This chapterpdf (PDF - 148.0KB) | Feedback

Inbound Policy Marking for dVTI

Table Of Contents

Inbound Policy Marking for dVTI

Finding Feature Information

Contents

Prerequisites for Inbound Policy Marking for dVTI

Restrictions for Inbound Policy Marking for dVTI

Information About Inbound Policy Marking for dVTI

Inbound Policy Marking

Dynamic Virtual Tunnel Interfaces Overview

Security Associations and dVTI

How to Use Inbound Policy Marking for dVTI

Creating a Policy Map

Attaching a Policy Map to a dVTI

Configuration Example for Inbound Policy Marking for dVTI

Example: Configuring Inbound Policy Marking

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for Using Inbound Policy Marking for dVTI


Inbound Policy Marking for dVTI


First Published: November 17, 2010
Last Updated: November 17, 2010

This document provides conceptual information and tasks for using the Inbound Policy Marking for Dynamic Virtual Tunnel Interface feature, which allows you to attach a policy map to a dVTI so that marking instructions are applied to inbound packets.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Using Inbound Policy Marking for dVTI" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Inbound Policy Marking for dVTI

Restrictions for Inbound Policy Marking for dVTI

Information About Inbound Policy Marking for dVTI

How to Use Inbound Policy Marking for dVTI

Configuration Example for Inbound Policy Marking for dVTI

Additional References

Feature Information for Using Inbound Policy Marking for dVTI

Prerequisites for Inbound Policy Marking for dVTI

Policy map

Restrictions for Inbound Policy Marking for dVTI

The following are not supported:

Policing

Network Based Application Recognition (NBAR)-based classification

Queuing

Outbound policy marking

Only input QoS policy is supported. Only the marking feature is supported on the input policy. Other QoS configurations may not be blocked but will not be supported.

Information About Inbound Policy Marking for dVTI

Inbound Policy Marking

Dynamic Virtual Tunnel Interfaces Overview

Security Associations and dVTI

Inbound Policy Marking

Marking is the setting of QoS information related to a packet. For the Inbound Policy Marking for dVTI feature, you can attach a policy map to a dVTI so that marking instructions are applied to inbound packets.

Dynamic Virtual Tunnel Interfaces Overview

DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The dVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.

DVTIs can be used for both the server and remote configuration. The tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS XE software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.

DVTIs function like any other real interface so that you can apply QoS, firewall, other security services as soon as the tunnel is active. QoS features can be used to improve the performance of various applications across the network. Any combination of QoS features offered in Cisco IOS XE software can be used to support voice, video, or data applications.

DVTIs provide efficiency in the use of IP addresses and provide secure connectivity. DVTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using extended authentication (Xauth) User or Unity group, or it can be derived from a certificate. DVTIs are standards based, so interoperability in a multiple-vendor environment is supported. IPsec dVTIs allow you to create highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dVTI simplifies VPN routing and forwarding (VRF)-aware IPsec deployment. The VRF is configured on the interface.

A dVTI requires minimal configuration on the router. A single virtual template can be configured and cloned.

The dVTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamic instantiation and management of dynamic IPsec VTIs. The virtual template infrastructure is extended to create dynamic virtual-access tunnel interfaces. DVTIs are used in hub-and-spoke configurations. A single dVTI can support several static VTIs.

Security Associations and dVTI

Security Associations (SAs) are security policy instances and keying material applied to a data flow. IPSec SAs are unidirectional and unique in each security protocol. You need multi SAs for a protected data pipe, one per direction per protocol. The Inbound Policy Marking for dVTI feature uses multi SAs. It enables multiple specific-to-specific SAs to link to one dVTI tunnel.

How to Use Inbound Policy Marking for dVTI

To use the Inbound Policy Marking for dVTI feature, first create a policy map. After creating the policy map, attach it to an interface.

Creating a Policy Map (Required)

Attaching a Policy Map to a dVTI (Required)

Creating a Policy Map

Create a policy map to attach to a dVTI so that marking instructions are applied to inbound packets.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map policy-map-name

4. class {class-name | class-default}

5. set ip dscp ip-dscp-value

6. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map policy-map-name

Example:

Router(config)# policy-map p-map

Enters QoS policy-map configuration mode and creates a policy map that can be attached to one or more interfaces to specify a service policy,

Step 4 

class {class-name | class-default}

Example:

Router(config-pmap)# class class-default

Specifies the default class so that you can configure or modify its policy.

Step 5 

set ip dscp ip-dscp-value

Example:

Router(config-pmap-c)# set ip dscp af21

Marks a packet by setting the IP differentiated services code point (DSCP) value in the type of service (ToS) byte.

Step 6 

end
Example:
Router(config-pmap-c)# end

Returns to privileged EXEC mode.

Attaching a Policy Map to a dVTI

After creating the policy map, attach it to a dVTI so that marking instructions are applied to inbound packets.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface virtual-template number

4. policy-map [type {control | service}] policy-map-name

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface virtual-template number 
Example:

Router(config)# interface virtual-template 1 type tunnel

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.

Step 4 

policy-map [type {control | service}] 
policy-map-name
Example:
Router(config)# policy-map input policy1

Enters QoS policy-map configuration mode and attaches this policy map to the interface.

Step 5 

end
Example:
Router(config-pmap-c)# end

Returns to privileged EXEC mode.

Configuration Example for Inbound Policy Marking for dVTI

Example: Configuring Inbound Policy Marking

Example: Configuring Inbound Policy Marking

This example shows how to configure inbound policy marking:

ip vrf Customer1
 rd 5713:5001
 route-target both 5713:5001
 
interface loopback 1001
  description the unnumbered loopback inside Customer1 VRF
  ip vrf forwarding Customer1
   ip address 10.12.08.01 255.255.255.255
   
policy-map PM
   class class-default
   set ip dscp af21

crypto keyring KR1  
  pre-shared-key address 0.0.0.0 0.0.0.0 key SomeKeyCust1
crypto isakmp profile Customer1
  match identity address 0.0.0.0 0.0.0.0
  local-address Gi0/0/0
  keyring KR1
  virtual-template 1  
   
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec profile IpsecProfile
  set transform-set TS
interface Virtual-Template 1 type tunnel
   ip vrf forwarding Customer1     
   ip unnumbered loopback1001   
   ip mtu 1500
   ip tcp adjust-mss 1300
   service-policy input PM 
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile IpsecProfile

Additional References

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

QoS commands

Cisco IOS QoS Command Reference


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No RFCs were created or modified to support this feature.


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Using Inbound Policy Marking for dVTI

Table 1 lists the features in this module.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE Software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE Software release that introduced support for a given feature in a given Cisco IOS XE Software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE Software release train also support that feature.


Table 1 Feature Information for Inbound Policy Marking for dVTI 

Feature Name
Releases
Feature Information

Inbound Policy Marking for dVTI

Cisco IOS XE Release 3.2S

The Inbound Policy Marking for dVTI feature allows you to attach a policy map to a dVTI so that marking instructions are applied to inbound packets.

In Cisco IOS XE Release 3.2S, support was added for the Cisco ASR 10000.

The following sections provide information about this feature:

How to Use Inbound Policy Marking for dVTI

Configuration Example for Inbound Policy Marking for dVTI