Cisco SD-WAN 027 - Service VPN1 QoS Policing and Shaping via CLI, Local Data Policy and Templates

Captions
How's it going, everybody. In this video we're going to wrap up our localized data policies with some basic QoS. I say basic because some of the more advanced QoS policies that I've tried to create and make happen, for some reason, don't; they're just not working the way that I've been shown they're supposed to work. So I'm not going to give up on them, but I don't want to slow my progress down. I can always circle back and add the videos in later, but for right now, because I am studying for a certification and because I am trying to get through this video series, I don't want to let a problem with that affect my forward progress. So for those of you that are also studying for a certification and you're getting hung up on a particular thing, don't let that slow your progress down. Just go through it, understand what it's trying to do, right? Because at the end of the day, most of the certification exams today are more "do you understand how XYZ works, and if you were to look at this, do you understand what it's trying to tell you?" If you can check those boxes, then you're in good shape. Whether or not you can actually demonstrate it in a proof of concept or do a YouTube video on it is really not the win at the end of the day. So the things that I have not been able to get to work, I am putting a note next to them saying, okay, I understand what's happening, I understand the goal of the particular feature or capability, but for whatever reason, on the lab that I have built, it is not working. I will circle back and try it later; maybe I need to spend more time on it or whatever. So yeah, don't let that type of stuff slow you down.

With that being said, we're going to take a look at a couple of different features and capabilities in terms of some basic policing and some basic shaping. The idea is we're not going to do anything heavy duty; we're not going to go and create a localized data policy with scheduling or classification or any of those advanced features. We're going to simply create a couple of policing capabilities, which will give you immediate results, because I don't know whether or not the actual virtual machines that we're running with here will actually support the data plane classification and then actually apply the tail dropping or the bandwidth reservations that I put into play. So I'm not going to dive into that right now; we'll take a look at that later. For example, if you're looking at the title of the video, I always put a number so that you know to do them incrementally: 001, 002, 003, et cetera. So when you get down this far, if you see a missing video, it's not that I haven't created it; it's just that I'm leaving a space for a video to get inserted at a later point in time. And because we're going to be circling back to take a look at this, I will look at the centralized data policy for doing things at vManage and vSmart and pushing it down to do global policing. That'll be coming in the centralized videos, which will actually be the very beginning of the next set of policies we take a look at, because that's when we really get into the meat and taters of how SD-WAN actually works. And that's my really bad attempt at a southern accent.

So with that being said, I'm going to walk you guys through a couple of different variations as to what we're trying to accomplish here. The main goal is to police. Now, what does policing actually do? Well, for those of you that have ever been... I'm 100% pro law enforcement, pro first responder. So you've been pulled over by a cop, right? You've been driving too fast along a road and a cop pulls you over. Now they're policing you, right? They're pulling you over and saying, hey Rob, you're going a little bit too fast; the posted speed limit is 55, I had you going 70. You're going too quickly. Sometimes they're cool and they give you a warning; other times, if you were legit not doing something you were supposed to be doing and you got a ticket, well then the person you have to blame is, well, you, because you were behind the wheel. The space between your ears was the determining factor as to why you were going as fast as you were going. So yes, I have gotten a speeding ticket before; you learn your lesson and you move forward. But policing is the same idea: whenever a particular traffic type exceeds a particular posted speed limit, or bandwidth reservation, or bandwidth capability, guess what, the device has the ability to slow that traffic down. Policing will drop traffic, where shaping will slow it down.

So when would you use shaping, and why would you use shaping? Well, the reason you would do shaping, let's look at it from the perspective of actual internet connectivity and actual MPLS connectivity. In the real world, not every circuit you're going to get terminated on your equipment is going to be one-for-one with your interface speed. So if you have gigabit interface speeds, you may not be getting gigabit internet; you might only get 100 meg. But if your interface is able to send at gigabit and you are only signing up for 100 meg, that means you've got 900 other megs that you can play with that aren't actually going to get used, so the provider is going to slow you down. They're probably not going to do that a lot; I mean, I have some pretty fast internet here at home and I can pretty consistently download well above the upper threshold limit that they tell me I pay for. But at the end of the day, I might get an extra 15 above my actual posted speed, which I'm okay with, but that might be their upper threshold. I might hit that, and that's what the provider's upper limit is out of the gate, so that's their burst capability, right? So for example, if you're paying for 100 meg internet and they let you burst above that a certain percentage, let's say five percent, so if it's 100 meg, take five percent of 100 meg, that's going to be, what, five megabits, right? So you might actually be able to download 105 megabits per second, as long as there's no contention on the interface at the time. You might get all 105 megabits per second, but if there's contention and other customers are also trying to download at full line rate, well guess what, you might get slowed down a little bit. The idea is, if you are in a situation where you're not paying for gigabit internet or gigabit MPLS circuit connectivity but the interface that you're connecting to is capable of sending and receiving that quickly, you're going to want to slow them down. We'll talk about how that comes into play as we're going forward.

So shaping is always going to take effect outbound; it's an outbound application and you can't do anything to modify that. Policing is going to be an inbound or an outbound configuration option for you, and we'll take a look at exactly how that comes into play when we get to the policing aspect of it. I'm going to show you how to do it via the CLI in a couple of different ways. It's really simple; there are a few ways to do it, and we're going to walk through those steps on vEdge1, and then we're going to switch over to vEdge5 to do this demonstration, simply because it makes sense to do it on vEdge5, because vEdge5 connects to an MPLS provider, right? So we might only be getting five megabit connectivity from our MPLS service provider. "But Rob, this is 2020, wouldn't we get gigabit?" No, you might not. There are a lot of providers I know where if you want gigabit internet connectivity, you're going to be paying out the wazoo to get gigabit internet or gigabit MPLS service. So a lot of times you're using your SLA-enabled capability, so MPLS, and you might only be getting 15, 20 megs, you might get 50 megs, but oftentimes you're not going to get full line rate. So with that being said, let's go ahead and take a look at how this actually works and get this party started.

Okay, so the very first thing that we're going to play with is going to be the policer capability. When we go to set this up, we're going to police inbound on ge0/3 here on vEdge1, so the traffic that comes in from IOS5 or IOS6 and goes out to the internet will be policed. Specifically speaking, if we look at show ip route vpn 1, we're going to see that we have a NAT entry in the routing table, which means we are going to use connectivity out to the internet. So if we go to router 5 and I ping 1.2.3.4, and I come up here and do a repeat of 100 and a size of 1500 and send that ping, they're completely uninhibited pings, right? Everything works out of the gate. But if I go over to vEdge1 and go to global config, underneath the policy capability I have the policer option. So I'm going to choose policer and I need to give it a name. I already have one created, but I'm going to choose one that's a little bit different, so I'll grab this name real quick and delete it, just to show you how that would work. Pretty simple stuff. Let me commit that real quick, and then I'm going to come in here, policer, and give it a name: it's going to be police_8 kilobytes per second, oops, supposed to be eight kilobits per second. Then underneath here I'm going to say that the rate at which I'm going to allow the traffic to leave is the minimum, which is going to be 8000, right, so that's 8k. The exceed: if something does happen, what happens to it? Well, it's going to be dropped. I do have the exceed option; if I wanted to set the exceed I could say, what happens if you exceed it? I'm going to drop this one as well. If we do a show config we can see that. Now we do have the burst option, which right now I don't have configured. If I type in burst I could say, okay, what are you going to allow for bursting? In this case here I'm not actually going to allow bursting, so I'm going to just leave that as is. I'm going to commit that config and, oh, burst is not configured. Okay, so I have no choice; burst, we'll say 15000, because that's the minimum that we can use. If we type in burst, 15000 is the lowest we can use. I'm going to do a show config and then I'm going to commit. There we go, so you have to do it.

So now the next thing I have to do is go underneath the interface that I want to apply this to. I'm going to type in vpn 1, interface ge0/3, and I'm going to basically tell it right here, I get to specify the policer. Policer here, call the name of the policer, police_8kbps, and then I need to specify the direction I'm going to apply the policer in. If I set it to be inbound, it's going to be looking for any traffic coming in on ge0/3 in order to slow that traffic down. I'm going to do a quick show config, there's the command, and I'm going to apply that config. Okay, now it's been applied. If I go back to IOS5... and if I come over here and do a show interface detail for ge0/3 and pipe include rx-policer-drops, I'm already dropping traffic. So let's come back over here to router 5, hit the up arrow, and you're going to start seeing the traffic get blocked. So what's happening is, by sending a 1500 byte ping instead of the normal 100 byte one, by sending it at 1500 that increases my bits per second rate, so that's what allows me to demonstrate this. I'm going to go ahead and Ctrl+Shift+6 to stop it. Now if I was to just do this with a repeat of, say, 100, it's really not going to have any effect, at least not initially, but if you put a much larger size you're basically increasing your data payload, which makes it easier to see that the policing is working the way that it's supposed to. That's if you assign the policer to the interface; that's option one.

Let's take a look at option two for the policer, which is where we create an ACL and then associate the policer to the ACL. That variation is pretty interesting as well. It takes a little bit of configuration because we have to create an access list and a bunch of other stuff. So on vEdge3, I'm sorry, vEdge1, if I come up here and do the output, we can see that the policer is taking effect and it's blocking traffic. So now I'm going to go back to global config, I'm going to go to vpn 1, interface ge0/3, and I'm going to type in no policer police_8kbps in; I'm going to remove that. I'm going to commit that config, exit out a couple of times, and go to policy. Underneath here I've already got the policer created. I need to create an access list, so access-list, and I'm going to call this icmp_acl. Underneath here I'm going to give it sequence 1; I'm going to match on protocol 1, which is ICMP. The action I'm going to specify here will be accept, but I'm also going to come underneath here and say the policer will be police_8kbps. I'm also going to specify a counter, count; I'm just going to call it icmp_counter. Okay, now that I have that in play, if I do a quick show config, there's my syntax. So I'm going to exit out one more time and type in the default action, well, I have to go up one more time; default-action will be accept. Let me exit out one more level and do a show config so we can see the entire configuration. So I'm saying policy, I'm going underneath here and creating an access list called icmp_acl, I'm creating the first sequence, it's going to match on protocol 1 or ICMP, so I'm doing a protocol-based match, basically no different than me saying permit icmp from any source to any destination, but then I want you to associate a counter to it and also police it down to eight kilobits per second, along with the initial 15000 bit burst that goes with that. Any other traffic is just going to be pushed forward; we're not going to have to worry about anything. So I'm going to exit out of that, and then I have to go to vpn 1, interface ge0/3, and I'm going to specify that access list, icmp_acl, and apply that inbound, right, because I want to slow this down for traffic coming inbound on the inside interface. Let's do a quick show config on that as well so we can see that syntax. I'm going to exit out a couple of levels and do a show config; this is the entire preview of the config. We have our policy that creates the ACL with the attributes that we've defined, and then we've applied the ACL inbound on the inside interface. Okay, I'm going to commit that config, and then I'm going to go over here to IOS5. Remember this one from before; I'm going to hit that again, right, so not a whole lot of anything, right? But if we increase our size to be 1500 and hit enter, then we get a little bit of a different output. And if we go back to vEdge1 and look at this guy right here, we can see we're dropping more packets, right? So that's the point: we're able to validate that the policer is working the way that it's defined and all that good stuff.

The last one I want to show you real quick is going to be the shaper. Now again, the shaper is going to control your output to the provider, so this is going to be a connection... I'm going to do this on vEdge5 because the only connection it has is to the provider, and I'm going to slow this down to be eight kilobits per second. The shaper, I'll do 10k or whatever the minimum is; I actually haven't validated that config. But let's go over to, since vEdge5 is a... and I'll do the policer there as well, so I'll police inbound at the same rate and I'll set the shaper to it. I'll make the policer's rate match the shaper's rate, so that the committed rate, the allowed rate, will match the shaper's rate, so those two will coincide and we won't have any problems with ineffective drops and things like that. We won't be dropping traffic for the sake of just dropping traffic to show that the data is working.

Okay, so from vManage we're going to log in here real quick, and of course I get this pesky little... I should refresh it every time. What I'm going to do is come over here to the Policies tab, and the way this works is you have to do a couple of things. When you come over here to Policies, I'm going to look at Localized Policy, and you have to create an ACL that's going to match on the traffic. So we'll do a couple of simple policers, right? So I come over here, I have the list, I'm going to create a policer; I'm not going to create an ACL-based policer. So I come in here, I have the ICMP policer already created. What I'm going to do is take that policer and associate the ICMP policer to the interface level. So I'm going to come over here to Templates, I'm going to go on the MPLS device, edit this, and then on the feature template I'm going to scoot this over and organize them to be MPLS only, on the ge0/1 interface right here, which is my only interface outbound. I'm going to edit this; this is heading towards the provider. So underneath here I'm going to have the shaper, right? I'm going to come in here and put this in Global, and then it doesn't really give you a specific value. So if you were to, for example, come over here on the CLI and go to vpn 0, interface ge0/1, and then do the shaping rate, it doesn't tell you the value to put in here; there's no minimum, but you can put whatever value you need. So I'm going to put in here 8000, which is what the policer is set to, and I'm going to update that and click on Next. We're going to look at a quick config diff so you can see the before and the after. Give that a couple of seconds to pull up. If we look at the config diff down here, we'll see that the shaping rate is 8000.

I'm going to go ahead and Configure Devices and push that. Give that a couple of seconds... there we go, and I'm going to pause while this is being pushed. All right, so I was able to push those details down, so we should now have a shaper. If we look at vEdge5, and let me log in real quick, admin and then admin, as you can see I was doing some testing. If we look at show run vpn 0 interface ge0/1, we should now have a shaper set at 8000 bits per second. Now if we go to router 14 here behind IOS5, or vEdge5, and I do a show ip route, we have a bunch of OSPF routes in here. So I'm going to ping 1.2.3.4, and after it goes out and comes online, if I do a repeat of 100, it goes out all day long; it's a happy camper. Even if I put a size value on that to be 1500, it's still going to send it. Now you can see the shaper comes into play and slows it down because it's sending way too much data, right? So the shaper does eventually kick in. Now if we come over here and look on vEdge5, there's really no data that helps us understand what's going on. So if we were to do a show interface detail for ge0/1 and look through this, we're eventually going to find the shaper; the shaper's right here, we're shaping down to 8000 bits. But when we look at the output, we're going to see how many packets were received, drops, no drops, transmit drops, nothing. So it is working, but there's really no way for you to understand why it's being dropped, other than the fact that the policer is kicking into play and it's only allowing eight kilos per second.

So in order to maybe potentially test this a little bit more, let's go back to our templates on MPLS only. I'm going to edit, I'm sorry, not on this one, on the feature; we're going to find MPLS only, come down to ge0/2 on here, which is the inbound interface, and I'm going to adjust this guy and edit it. And what I'm going to do is, on the ACL/QoS for the policer, the ingress policer, I'm going to come over here to Global and turn this on, and unfortunately there's no way to really push this. In order for this to work, I can't just associate an ACL that doesn't exist. So if we come over here and do a show run policy, you're going to see that there is a policer here. Fortunately for me, I had already sent it; I did this ahead of time, and I'll show you how I had to do that. But what I'll do is associate this policer here, and you can ignore this telnet name; the access name is just a name. So in this case I'm calling the ICMP policer from the ACL, so I'll apply the ACL of telnet_acl; it's just a name, it absolutely has nothing to do with ICMP itself. So I'll apply this ACL... you know what, let me show you how to fix that, because any good instructor would fix things like that. So in order to fix those details we come over here to Policies, let me jump out of the way, go to Localized Policy, we have the telnet_acl policy, I'm going to come over here to Custom Options and then Access Control Lists, and instead of the ACL policy I'll come in here and edit it. This is matching on this guy, and if we expand this out just a little bit you'll see the ICMP policer. Let me call this icmp_acl; I'm going to copy and paste that right here and Save ACL Policy, and activate it. That's going to be a local policy and then it's going to push that down. So I'm going to click on Next and look at the configuration diff to make sure that's going to line up. Give that a couple of seconds to do its thing. If we look at the config diff, it's just changing the name from telnet_acl to icmp_acl; sequence 1 and all that stuff is the same, right? The configuration that we typed in on vEdge1 is the same logic, sequence 1... actually, you know what, let me go create this from scratch.

Okay, let's do it that way. We're going to come over here to Policies, Localized Policy, and what we want to do is take a look at how to actually create the policer and associate that to the interface and the template and all that, because now we actually have to push that down to the vEdge in order for the edge to learn it. So underneath here I'm going to go down to policies, and I need to create a policy in order for this to work. I already have something going in the works; this is something that I'm testing out right now that I won't be showing you. But if I want to add a policy I can go in here and create the policy, and the nice thing about the wizard is it is a step-by-step walkthrough. So the policer is already created; if I click right here you'll see that I have the ICMP policer, where we can see the exceed is drop, the rate is 8000 bits per second, the burst is 15000, and so on and so forth. So if I was to come in here and edit this, you just populate these fields; you name it and then the values that you want to associate to it. I'm going to cancel that and click on Next. Now I'm not going to associate this to a QoS model or anything like that right now, because these are things that I'm not too interested in setting up at the moment. I'm not going to associate this to an access list either, because I'm not trying to associate it to an ACL to match on something; I'm trying to just give it a policy. So I'm going to click through to the policy overview, and here I'm just going to type in icmp_policy, copy and paste that into here, and click on Save Policy. Something very simple. Give that a couple of seconds... "policy is empty". Let's create a... now that we have the policer created, and we're just going to be leveraging the same policer that something else is leveraging, we have to go to the access list, and underneath the access list we can now go ahead and create the ACL, because you can't just associate a list to a policy; you have to call either a QoS policy or a route policy or an ACL. So I'm going to simply come in here and say IPv4 ACL, and I'm going to type in icmp_acl, copy and paste that in over here. I'm going to add a sequence rule, and then in the match I'm not going to specify anything, right, so this way it'll match anything, and in the actions I'm going to accept it, but I'm going to put in a policer; I'm going to call the policer, ICMP policer. I'm also going to throw in a counter; I'll just call this icmp_counter, something simple like that. Save Match and Continue, and Save ACL Policy. Now I'm going to click on Next to the policy overview; it's the ICMP policy. I'm going to click Preview, and we can see that we created the... I've actually got to go back there and set the default action to be accept. So I'm going to click Back, Back, Back to the ACL policy, click on it, go to Edit, and on Default Action adjust this guy real quick to be accept, Save Match and Continue, Save ACL Policy, Next, Next, and then Preview one more time to make sure everything looks good, which it does. Save Policy.

Okay, now that I've created the policy, I need to push the policy down to the edge. So I'm going to come down here to Templates, choose the MPLS only device template, say Edit, then go down to Additional Templates. Right now I don't have any policies pushed; I'm going to come down here to the ICMP policy and select Update, and what that will do is push that policy down to the edge. It's going to take a couple of seconds for that to work and I will pause until that's done. All right, so if we do a show run policy here we should see the policy show up, which we do, which is what we want to see. Now I have to take that access list, icmp_acl, and apply it to the port. So in this case I'm going to come back over here to Templates, go to Feature Templates, squeeze this over, organize them by name, and grab the VPN 1 ge0/2 template. I'm going to edit this guy, come down to ACL/QoS, and for the ingress ACL I'm going to change this to be Global, turn it on, and paste in the ACL's name. I'm going to click on Update, click on Next, and look at the config diff real quick. In the config diff we'll come down to this guy and see that icmp_acl is applied inbound. So I'm going to click on Configure Devices and it's going to push that config down to vEdge5, and after a few moments we should get a push down to vEdge5; that usually takes a couple of moments to get down there. If we were to do a show run, sorry, vpn 1 interface ge0/2, now the ACL has been applied. If we come back over here it's successfully applied, and then we're in good shape. So if we do a show run vpn 0 interface ge0/1, we have the shaper, so the shaper and the ACL line up, right? Our bit rate is 8k for the policer, our shape rate is 8k here.

So what I'm going to do is come back over here to IOS14 and ping 1.2.3.4. Okay, the ping works that way; let's repeat it 100 times. Everything looks good there, nothing really to report back on. Now if I increase the size to be 1500, we can see that it bugs out and doesn't work the way we want it to. Now the shaper doesn't really give us any feedback, but if we look at vEdge5 and do a show interface detail for ge0/2 pipe include drop, we're going to get quite a few drops, but the one I want to pay attention to right here is the policer drops, right, because that means that it's working the way that it's expected to. If I come back over here to this guy and, let's say, I put in 500, it takes longer for the policer to kick in, and if we look back at vEdge5 and hit the up arrow we're going to see 435 drops, so on and so forth. So at the end of the day it is working the way that we wanted it to; we just have to take into consideration those details.

So just remember: if you're creating a localized data policy for anything that's going to affect data going through the device, so data plane traffic, you can create it in the same manner you would a centralized policy. The only difference is you have to actually push the config from vManage down to the edge, and then you have to associate it somehow, whether it's to an ACL or to an interface or whatever the case might be, or to a BGP peering for a route policy. Those things do matter. So with that being said, that's basically what this video was intended to show you, with some basic policing and stuff like that. I will be testing other capabilities, but for right now that's all I'm doing for QoS. Until next time, guys, thanks so much for stopping by and I'll catch you guys in the next video.
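The end state the walkthrough builds, written out as one vEdge CLI fragment. This is an added example reconstructed from the narration, not the presenter's own running-config: the object names (police_8kbps, icmp_acl, icmp_counter) are assumed spellings of what he says, it assumes each block is followed by commit, and on vEdge5 it reuses the same policer name instead of the vManage-built icmp_policer.

```text
! vEdge1: the policer is defined once under policy and then referenced.
! rate 8000 and burst 15000 are the values typed in the video; exceed drop
! means traffic above the rate is discarded, which is what makes the
! rx-policer-drops counter move.
policy
 policer police_8kbps
  rate   8000
  burst  15000
  exceed drop
 !
 ! Option two: match ICMP (protocol 1), accept it, but police and count it.
 ! Everything else falls through to default-action accept unpoliced.
 access-list icmp_acl
  sequence 1
   match
    protocol 1
   !
   action accept
    count   icmp_counter
    policer police_8kbps
   !
  !
  default-action accept
 !
!
! vEdge1: apply the ACL inbound on the LAN-facing interface. Option one from
! the video is the single line "policer police_8kbps in" here instead of
! the access-list line; the video removes it before switching to the ACL.
vpn 1
 interface ge0/3
  access-list icmp_acl in
 !
!
! vEdge5: the shaper goes on the provider-facing transport interface and
! only ever acts outbound; the video sets it to the same 8000 as the policer.
vpn 0
 interface ge0/1
  shaping-rate 8000
 !
!
! vEdge5: the policing ACL is applied inbound on the service-side interface
! so the drops become visible, since the shaper itself exposes no drop count.
vpn 1
 interface ge0/2
  access-list icmp_acl in
 !
!
```

Check the result the way the video does: show interface detail ge0/3 | include rx-policer-drops on vEdge1, and show interface detail ge0/2 | include drop on vEdge5, after pinging with a 1500 byte payload from the LAN router.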
Info
Channel: Rob Riker's Tech Channel
Views: 1,404
Keywords: cisco, sd-wan, sd, wan, qos, quality of service, policing, shaping, cli, template, policy, local
Id: o9bR_1G-5JY
Length: 34min 25sec (2065 seconds)
Published: Wed Oct 14 2020