This document provides conceptual information and tasks for using the Inbound Policy Marking for Dynamic Virtual Tunnel Interface feature, which allows you to attach a policy map to a dVTI so that marking instructions are applied to inbound packets.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Using Inbound Policy Marking for dVTI" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
•Prerequisites for Inbound Policy Marking for dVTI
•Restrictions for Inbound Policy Marking for dVTI
•Information About Inbound Policy Marking for dVTI
•How to Use Inbound Policy Marking for dVTI
•Configuration Example for Inbound Policy Marking for dVTI
•Feature Information for Using Inbound Policy Marking for dVTI
Prerequisites for Inbound Policy Marking for dVTI:
•Policy map
Restrictions for Inbound Policy Marking for dVTI. The following are not supported:
•Policing
•Network Based Application Recognition (NBAR)-based classification
•Queuing
•Outbound policy marking
Only an input QoS policy is supported, and only marking is supported within that input policy. Other QoS configurations may not be rejected by the CLI, but they are not supported.
•Dynamic Virtual Tunnel Interfaces Overview
•Security Associations and dVTI
Marking is the setting of QoS information related to a packet. For the Inbound Policy Marking for dVTI feature, you can attach a policy map to a dVTI so that marking instructions are applied to inbound packets.
DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The dVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.
DVTIs can be used for both the server and remote configuration. The tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS XE software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.
DVTIs function like any other real interface, so you can apply QoS, firewall, and other security services as soon as the tunnel is active. QoS features can be used to improve the performance of various applications across the network. Any combination of QoS features offered in Cisco IOS XE software can be used to support voice, video, or data applications.
DVTIs provide efficiency in the use of IP addresses and provide secure connectivity. DVTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using extended authentication (Xauth) User or Unity group, or it can be derived from a certificate. DVTIs are standards based, so interoperability in a multiple-vendor environment is supported. IPsec dVTIs allow you to create highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dVTI simplifies VPN routing and forwarding (VRF)-aware IPsec deployment. The VRF is configured on the interface.
A dVTI requires minimal configuration on the router. A single virtual template can be configured and cloned.
The dVTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamic instantiation and management of dynamic IPsec VTIs. The virtual template infrastructure is extended to create dynamic virtual-access tunnel interfaces. DVTIs are used in hub-and-spoke configurations. A single dVTI can support several static VTIs.
Security Associations (SAs) are security policy instances and keying material applied to a data flow. IPsec SAs are unidirectional and unique to each security protocol, so a protected data pipe needs multiple SAs: one per direction per protocol. The Inbound Policy Marking for dVTI feature uses multiple SAs, enabling multiple specific-to-specific SAs to link to one dVTI tunnel.
To use the Inbound Policy Marking for dVTI feature, first create a policy map. After creating the policy map, attach it to an interface.
•Creating a Policy Map (Required)
•Attaching a Policy Map to a dVTI (Required)
Create a policy map to attach to a dVTI so that marking instructions are applied to inbound packets.
1. enable
2. configure terminal
3. policy-map policy-map-name
4. class {class-name | class-default}
5. set ip dscp ip-dscp-value
6. end
After creating the policy map, attach it to a dVTI so that marking instructions are applied to inbound packets.
1. enable
2. configure terminal
3. interface virtual-template number
4. service-policy input policy-map-name
5. end
•Example: Configuring Inbound Policy Marking
This example shows how to configure inbound policy marking:
ip vrf Customer1
 rd 5713:5001
 route-target both 5713:5001
!
interface loopback 1001
 description the unnumbered loopback inside Customer1 VRF
 ip vrf forwarding Customer1
 ip address 10.12.8.1 255.255.255.255
!
policy-map PM
 class class-default
  set ip dscp af21
!
crypto keyring KR1
 pre-shared-key address 0.0.0.0 0.0.0.0 key SomeKeyCust1
!
crypto isakmp profile Customer1
 match identity address 0.0.0.0 0.0.0.0
 local-address Gi0/0/0
 keyring KR1
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IpsecProfile
 set transform-set TS
!
interface Virtual-Template 1 type tunnel
 ip vrf forwarding Customer1
 ip unnumbered loopback1001
 ip mtu 1500
 ip tcp adjust-mss 1300
 service-policy input PM
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IpsecProfile
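The restrictions above say that only an input policy is supported on a dVTI and that only marking is supported inside it, but the CLI may still accept policing, queuing, NBAR classification or an outbound attachment. The following Python script is an added example, not Cisco code and not part of this module: it reads IOS running-config text, finds every service-policy attached to a Virtual-Template interface, and reports anything that falls outside the supported combination. It also resolves the DSCP keyword used by "set ip dscp" (af21 in the example above) to its numeric value. The sample configuration embedded in the script is constructed for the demonstration: it reuses policy map PM from the example and adds a deliberately non-compliant policy map (PM-BAD) attached in the output direction. The function and variable names are the example's own.

```python
# Added example (not Cisco code): lint policy maps attached to Virtual-Template
# interfaces against the dVTI restrictions listed in this module, and resolve the
# DSCP marking a compliant policy applies. Input is plain IOS running-config text.

# Actions this module says are not supported inside the input policy of a dVTI.
UNSUPPORTED_ACTIONS = {
    "police": "policing",
    "priority": "queuing",
    "bandwidth": "queuing",
    "queue-limit": "queuing",
    "fair-queue": "queuing",
    "random-detect": "queuing",
}

# DSCP keywords accepted by "set ip dscp", mapped to their numeric values.
DSCP_NAMES = {
    "default": 0, "ef": 46,
    "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
}

# Constructed sample: the policy from the configuration example (PM, attached
# input on Virtual-Template 1) plus a deliberately non-compliant policy (PM-BAD,
# attached output on Virtual-Template 2) so the lint has something to flag.
SAMPLE_CONFIG = """\
class-map match-all VOICE
 match protocol rtp
policy-map PM
 class class-default
  set ip dscp af21
policy-map PM-BAD
 class VOICE
  police 8000 conform-action transmit exceed-action drop
 class class-default
  bandwidth 100
interface Virtual-Template 1 type tunnel
 ip vrf forwarding Customer1
 service-policy input PM
interface Virtual-Template 2 type tunnel
 service-policy output PM-BAD
"""


def dscp_value(token):
    """Resolve a DSCP keyword or number as used in 'set ip dscp' to 0..63."""
    token = token.lower()
    if token in DSCP_NAMES:
        return DSCP_NAMES[token]
    value = int(token)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP out of range: {token}")
    return value


def parse_blocks(config):
    """Split IOS-style config into (header, [indented body lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def _named(blocks, kind):
    """Map name -> body for blocks such as 'policy-map PM' or 'class-map match-all VOICE'."""
    return {h.split()[-1]: body for h, body in blocks if h.startswith(kind + " ")}


def marking_for(config, policy_name):
    """Return {class_name: dscp_int} for every 'set ip dscp' in the named policy map."""
    policies = _named(parse_blocks(config), "policy-map")
    marks, current = {}, None
    for line in policies.get(policy_name, []):
        words = line.split()
        if words[0] == "class":
            current = words[1]
        elif words[:3] == ["set", "ip", "dscp"] and current is not None:
            marks[current] = dscp_value(words[3])
    return marks


def lint_dvti_policies(config):
    """Return a list of findings for service-policies on Virtual-Template interfaces
    that violate the dVTI restrictions; an empty list means the config is compliant."""
    blocks = parse_blocks(config)
    policies = _named(blocks, "policy-map")
    classes = _named(blocks, "class-map")
    findings = []
    for header, body in blocks:
        if not header.lower().startswith("interface virtual-template"):
            continue
        for line in body:
            words = line.split()
            if words[:1] != ["service-policy"] or len(words) < 3 or words[1] == "type":
                continue  # only plain QoS service-policies are relevant here
            direction, name = words[1], words[2]
            where = f"{header}: service-policy {direction} {name}"
            if direction != "input":
                findings.append(f"{where}: outbound policy is not supported on a dVTI")
            if name not in policies:
                findings.append(f"{where}: policy map {name} is not defined")
                continue
            current = None
            for pline in policies[name]:
                pw = pline.split()
                if pw[0] == "class":
                    current = pw[1]
                    if any(c.startswith("match protocol") for c in classes.get(current, [])):
                        findings.append(f"{where}: class {current} uses NBAR-based "
                                        "classification (match protocol), not supported")
                elif pw[0] in UNSUPPORTED_ACTIONS:
                    findings.append(f"{where}: class {current}: '{pline}' "
                                    f"({UNSUPPORTED_ACTIONS[pw[0]]} is not supported)")
    return findings


if __name__ == "__main__":
    for finding in lint_dvti_policies(SAMPLE_CONFIG):
        print(finding)
    print("PM marks:", marking_for(SAMPLE_CONFIG, "PM"))
```

Run against the sample, the script reports nothing for Virtual-Template 1 (input policy, marking only) and four findings for Virtual-Template 2: the outbound attachment, the police action, the bandwidth (queuing) action and the NBAR match in class VOICE. Feed it the output of show running-config to check a real device before relying on the marking.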
Related Documents

| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| QoS commands | |

Standards

| Standard | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |

RFCs

| RFC | Title |
|---|---|
| No RFCs were created or modified to support this feature. | — |
Table 1 lists the features in this module.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE Software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE Software release that introduced support for a given feature in a given Cisco IOS XE Software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE Software release train also support that feature.
Table 1 Feature Information for Inbound Policy Marking for dVTI

| Feature Name | Releases | Feature Information |
|---|---|---|
| Inbound Policy Marking for dVTI | Cisco IOS XE Release 3.2S | The Inbound Policy Marking for dVTI feature allows you to attach a policy map to a dVTI so that marking instructions are applied to inbound packets. In Cisco IOS XE Release 3.2S, support was added for the Cisco ASR 10000. The following sections provide information about this feature: How to Use Inbound Policy Marking for dVTI |