Per-VPN QoS
Restriction for Per-VPN QoS
Information About Per-VPN QoS
- Benefits of Per-VPN QoS
Configure Per-VPN QoS
Configure Per-VPN QoS Using CLI
Verify Per-VPN QoS Configuration
Monitor Per-VPN QoS Using CLI

Per-VPN QoS

Table 1. Feature History
Feature Name	Release Information	Description
Per-VPN QoS	Cisco IOS XE Release 17.6.1a Cisco vManage Release 20.6.1	When a Cisco IOS XE Catalyst SD-WAN device receives traffic belonging to different VPNs from the branch network, you can configure a QoS policy to limit the bandwidth that can be used by the traffic belonging to each VPN or each group of VPNs.

Restriction for Per-VPN QoS

Before you apply Per-VPN QoS, you must upgrade Cisco SD-WAN Controller software to Cisco SD-WAN Release 20.6.1 or a later release, and Cisco SD-WAN Manager to Cisco vManage Release 20.6.1 or a later release.
VPN-QoS policy must be applied to a WAN interface and affects outbound traffic on the specific WAN interface to which it is applied.
While applying a VPN-QoS policy to a WAN interface, you must configure a shaping rate for the interface.
For each VPN or group of VPNs that you wish to include in a VPN-QoS policy, you must define a QoS map to allocate resources to the various queues.
The sum of the minimum bandwidths allocated to each VPN or each group of VPNs must be less than shaping rate configured for the WAN interface.

After you apply a VPN-QoS policy, during congestion, IPSec-encapsulated packets may be forwarded out of sequence. To prevent valid out-of-sequence packets being dropped on the remote side, you must enable IPSec extended anti-replay window on both the source and remote Cisco IOS XE Catalyst SD-WAN devices.
You can include a maximum of 100 VPN lists in a VPN-QoS policy map.
Cisco SD-WAN Manager QoS monitoring does not support the monitoring of the VPN-QoS policy.
You cannot configure Per-VPN QoS together with Per-Tunnel QoS.

Information About Per-VPN QoS

A Cisco IOS XE Catalyst SD-WAN device receives traffic from a branch network and routes the traffic to a remote branch through the SD-WAN overlay network. The link from the WAN interface of the Cisco IOS XE Catalyst SD-WAN device has limited bandwidth. To achieve a desired QoS for traffic belonging to different applications, you must control how the limited bandwidth is used. When the traffic from the branch network belongs to different VPNs, you may need to restrict the bandwidth that can be used by traffic belonging to different VPNs and categorize the traffic belonging to each VPN into various priority classes through a QoS policy.

You can configure the following aspects to achieve a specific QoS for each VPN or each group of VPNs:

Classes: Create forwarding classes and associate them with specific interface queues (queue 0 to queue 7). To differentiate traffic from different applications, you can assign traffic from each application or application group to a specific forwarding class.
VPN Lists: Define a VPN list consisting of a VPN or two or more VPNs that must be treated alike
QoS Maps: Define parameters such as the bandwidth and buffer percentage, and the scheduling and packet-drop schemes for each queue.
VPN QoS Map: Associate a QoS map with each VPN list and define the minimum and maximum bandwidth that must be used by traffic belonging to the VPNs in the VPN list.
WAN Interface: Associate the VPN QoS Map with the Cisco VPN Interface Ethernet template for the WAN interface. Use the same template to specify a shaping rate for the interface.

When you complete these configurations, a three-level hierarchical QoS model is applied to the branch traffic comprising the following scheduling and shaping considerations:

packet scheduling based on forwarding classes and bandwidth distribution among interface queues
packet scheduling and bandwidth distribution among VPNs or VPN groups
shaping of the WAN interface bandwidth

Extended Anti-Replay Window

The IPSec session between two WAN edge devices is common for all VPNs. The packets from each of the eight interface queues are encapsulated using a different sequence name space (SNS). When you apply QoS policy per VPN, packets are prioritized based on their forwarding class and associated interface queue, and the bandwidth available for the VPN to which the packets belong. As a result, during a congestion, the IPSec encapsulated packets may be forwarded out of sequence and be dropped by the remote WAN edge device. To avoid valid out of sequence packets being dropped, you can configure an extended anti-replay window on both the source and remote Cisco IOS XE Catalyst SD-WAN device.

When you enable extended anti-replay and configure an extended anti-replay window, the source WAN edge router adds a time stamp to each packet in the IPSec ESP HDR 99. On receiving a packet, if the packet sequence number is lower than the lowest sequence number in the sequence window, the remote router examines the time stamp.

If the time stamp is within the configured window or exceeds the highest time stamp in the window, the packet is accepted.
If the time stamp is lower than the lowest time stamp in the configured window, the packet is dropped.

Note

Duplicate packets with sequence numbers beyond the IPSec anti-replay sequence window but within extended anti-replay window cannot be detected and may be forwarded towards the branch.

Benefits of Per-VPN QoS

Bandwidth consumption and traffic throughput can be controlled based on the VPN to which the traffic belongs.
A greedy VPN cannot use outbound bandwidth beyond the allocated limit and does not starve other VPNs.
Different classes of service can be configured for each VPN on a single WAN interface.

Configure Per-VPN QoS

Create Forwarding Classes

When you create a forwarding class, you map it to a queue. By associating traffic from different applications with different classes, you can ensure that the packets enter different queues. Using the QoS map, you can configure the outbound bandwidth, buffer and other properties for each queue to prioritize among the traffic streams served by these queues and achieve the desired QoS.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.
Click Localized Policy.
Click Add Policy.
From the list types on the left, click Class Map.
Click New Class List.
1. Enter a unique name for the forwarding class.
2. Choose a queue to which to map the forwarding class.
3. Click Save.
Repeat Step 5 and the substeps to create more forwarding classes.

Create VPN Lists

A VPN list consists of one or more VPNs that need to be treated alike. To apply a specific QoS policy to traffic from a VPN or a group of similar VPNs, the QoS policy is linked to the corresponding VPN list.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.
Click Localized Policy.
Click Add Policy.
From the list types on the left, click VPN.
Click New VPN List.
1. Enter a unique name for the VPN list.
2. Enter the IDs of the VPNs to be included in the list.
3. Click Add.
Repeat Step 5 and the substeps to create more VPN lists.

Create QoS Maps

Use QoS maps to distribute resources such as bandwidth and buffer among forwarding classes. Create as many QoS maps as required to apply different QoS policies to the different VPN lists.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.
Click Localized Policy.
Click Add Policy.
Click Next.
Click Add QoS Map and click Create New.
Enter a unique name for the QoS map.
Enter a description for the QoS map.
Click Add Queue.
1. Choose a queue to add to the map.
2. Choose the bandwidth percentage to allocate to the queue.
3. Choose the buffer percentage to allocate to the queue.
4. Packets exceeding the bandwidth or buffer percentage are dropped. Choose whether the packets are dropped randomly (Random Early) or from the end of the queue (Tail).
5. Click Save Queue.
Repeat Step 8 and the substeps to add as more queues.
Click Save Policy.

Create VPN QoS Map

Use a VPN QoS Map to associate QoS policies with target VPN lists.

Note

Before you proceed with the following steps, configure the required QoS Maps and VPN lists.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.
Click Localized Policy.
Click Add Policy and click Next.
Create or import QoS maps and click Next.
Click VPN QoS Map.
Click Add VPN Policy and click Create New.
Enter a unique name and a description for the VPN QoS map.
For the default VPN, click the Edit icon.
1. (Optional) Enter the maximum bandwidth for traffic belonging to the default VPN.
2. Choose a QoS Map to apply a QoS policy to the default VPN.
3. Click Save VPN.
Click Add VPN.
1. Choose a VPN list.
2. Enter the minimum bandwidth for traffic belonging to the VPNs.
3. (Optional) Enter the maximum bandwidth for traffic belonging to the VPNs.
4. Choose a QoS Map to apply a QoS policy to the VPNs.
5. Click Save VPN.
Repeat Step 9 and the substeps to add more VPN lists.
Click Save Policy.
Apply the localized policy to the relevant device template.

Configure Extended Anti-Replay Window

Configure extended anti-replay window on both the source and remote Cisco IOS XE Catalyst SD-WAN devices.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Click Feature Templates.

Note

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.

In the list of templates, locate the Cisco Security template for the Cisco IOS XE Catalyst SD-WAN device.
Click ... for the template and choose Edit.
Choose Basic Configuration.
To enable Extended Anti Replay, click On.

(Optional) Enter Extended Anti-Replay Window duration.

Default duration: 256 ms

Range: 10 ms to 2048 ms

Note

Choose an appropriate duration based on the configured queue limits and the traffic profile.

Click Update.

Attach VPN QoS Map to WAN Interface

To apply the QoS policy per VPN, attach the VPN QoS map to the Cisco VPN Interface Ethernet template for the WAN interface.

Note

Before you proceed with the following steps, apply the localized policy in which the VPN-QoS Map is defined to the relevant device template.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Click Feature Templates.

Note

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.

In the list of templates, locate the Cisco VPN Interface Ethernet template for the WAN interface.
Click ... adjacent to the template and choose Edit.
Choose ACL/QoS.
For Shaping Rate (kbps), choose the configuration type as Global and enter a shaping rate value.
For VPN QoS Map, choose the configuration type as Global and enter the name of the VPN QoS map.
Click Update.

Configure Per-VPN QoS Using CLI

Example: Configure Per-VPN QoS

This section provides example command sequences to configure QoS for a VPN or a group of VPNs using a CLI template.

Configure class maps for VPN groups.

class-map match-any VPN_GROUP_100
 match packet-tag 1 100 65535
class-map match-any VPN_GROUP_101
 match packet-tag 1 101 65535
 match packet-tag 1 102 65535
class-map match-any VPN_GROUP_103
 match packet-tag 1 103 65535
 match packet-tag 1 104 65534
class-map match-any VPN_GROUP_106
 match packet-tag 1 106 65534
 match packet-tag 1 108 65534

Configure QoS policy map.

policy-map qos_policy_4class_10Mbps
 class Queue0
  priority level 1 2000
 class Queue1
  bandwidth remaining ratio 30
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 25
 class Queue3
  bandwidth remaining ratio 25

Configure VPN QoS policy map.

policy-map VPN-QoS1_200Mbps
 class VPN_GROUP_100
  bandwidth remaining ratio 50
  service-policy qos_policy_4class_10Mbps
  shape average 20000000
 class VPN_GROUP_101
  bandwidth remaining ratio 100
  service-policy qos_policy_8class_20Mbps
 class VPN_GROUP_103
  bandwidth remaining ratio 150
  service-policy qos_policy_4class_30Mbps
  shape average 50000000
 class VPN_GROUP_106
  bandwidth remaining ratio 200
  service-policy qos_policy_8class_40Mbps
  shape average 100000000
 class class-default
  bandwidth remaining ratio 500
  service-policy qos_policy_8class_100Mbps

Configure extended anti-replay window.

security
 ipsec
  extended-ar-window 256

Attach VPN QoS policy map to WAN Ethernet interface.

policy-map shape_GigabitEthernet0/0/1
 class class-default
  service-policy VPN-QoS1_200Mbps
  shape average 200000000
!
interface GigabitEthernet0/0/1
 service-policy output shape_GigabitEthernet0/0/1

Configure VPN packet tag.

sdwan
 vpn packet-tag 1
!

Note

Per-VPN QoS uses the vpn packet-tag command to classify the VPN ID. Use this command only while configuring per-VPN QoS using the CLI. The command is automatically pushed when you configure per-VPN QoS through Cisco SD-WAN Manager.

Here's the complete configuration example:

class-map match-any VPN_GROUP_100
 match packet-tag 1 100 65535
class-map match-any VPN_GROUP_101
 match packet-tag 1 101 65535
 match packet-tag 1 102 65535
class-map match-any VPN_GROUP_103
 match packet-tag 1 103 65535
 match packet-tag 1 104 65534
class-map match-any VPN_GROUP_106
 match packet-tag 1 106 65534
 match packet-tag 1 108 65534 
!
policy-map qos_policy_4class
 class Queue0
  police rate percent 20       
  priority level 1
 class Queue1
  bandwidth remaining ratio 30
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 25
 class Queue3
  bandwidth remaining ratio 25
!
policy-map qos_policy_4class_10Mbps
 class Queue0
  priority level 1 2000
 class Queue1
  bandwidth remaining ratio 30
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 25
 class Queue3
  bandwidth remaining ratio 25
!
policy-map qos_policy_4class_30Mbps
 class Queue0
  priority level 1 6000
 class Queue1
  bandwidth remaining ratio 30
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 25
 class Queue3
  bandwidth remaining ratio 25
!
policy-map qos_policy_8class
 class Queue0
  police rate percent 20
  priority level 1
 class Queue1
  bandwidth remaining ratio 10
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 15
 class Queue3
  bandwidth remaining ratio 10
  random-detect precedence-based
 class Queue4
  bandwidth remaining ratio 15
 class Queue5
  bandwidth remaining ratio 10
 class Queue6
  bandwidth remaining ratio 15
  random-detect precedence-based
 class Queue7
  bandwidth remaining ratio 5
!
policy-map qos_policy_8class_100Mbps
 class Queue0
  priority level 1 20000
 class Queue1
  bandwidth remaining ratio 10
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 15
 class Queue3
  bandwidth remaining ratio 10
  random-detect precedence-based
 class Queue4
  bandwidth remaining ratio 15
 class Queue5
  bandwidth remaining ratio 10
 class Queue6
  bandwidth remaining ratio 15
  random-detect precedence-based
 class Queue7
  bandwidth remaining ratio 5
!
policy-map qos_policy_8class_20Mbps
 class Queue0
  priority level 1 4000
 class Queue1
  bandwidth remaining ratio 10
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 15
 class Queue3
  bandwidth remaining ratio 10
  random-detect precedence-based
 class Queue4
  bandwidth remaining ratio 15
 class Queue5
  bandwidth remaining ratio 10
 class Queue6
  bandwidth remaining ratio 15
  random-detect precedence-based
 class Queue7
  bandwidth remaining ratio 5
!
policy-map qos_policy_8class_40Mbps
 class Queue0
  priority level 1 8000
 class Queue1
  bandwidth remaining ratio 10
  random-detect precedence-based
 class class-default
  bandwidth remaining ratio 15
 class Queue3
  bandwidth remaining ratio 10
  random-detect precedence-based
 class Queue4
  bandwidth remaining ratio 15
 class Queue5
  bandwidth remaining ratio 10
 class Queue6
  bandwidth remaining ratio 15
  random-detect precedence-based
 class Queue7
  bandwidth remaining ratio 5
!
policy-map VPN-QoS1_200Mbps
 class VPN_GROUP_100
  bandwidth remaining ratio 50
  service-policy qos_policy_4class_10Mbps
  shape average 20000000
 class VPN_GROUP_101
  bandwidth remaining ratio 100
  service-policy qos_policy_8class_20Mbps
 class VPN_GROUP_103
  bandwidth remaining ratio 150
  service-policy qos_policy_4class_30Mbps
  shape average 50000000
 class VPN_GROUP_106
  bandwidth remaining ratio 200
  service-policy qos_policy_8class_40Mbps
  shape average 100000000
 class class-default
  bandwidth remaining ratio 500
  service-policy qos_policy_8class_100Mbps
!
sdwan
 vpn packet-tag 1
!
policy-map shape_GigabitEthernet0/0/1
 class class-default
  service-policy VPN-QoS1_200Mbps
  shape average 200000000
!
interface GigabitEthernet0/0/1
 service-policy output shape_GigabitEthernet0/0/1
!
security
 ipsec
  rekey              86400
  replay-window      512
  integrity-type     esp ip-udp-esp
  extended-ar-window 256
 !
!

Verify Per-VPN QoS Configuration

Verify VPN Group Configuration

The following is a sample output from the execution of the show sdwan running-config command with the keyword class-map on a Cisco IOS XE Catalyst SD-WAN device:

Device#show sdwan running-config class-map 
.
.
.
class-map match-any VPN_GROUP_100
 match packet-tag 1 100 65535
!
class-map match-any VPN_GROUP_101
 match packet-tag 1 101 65535
 match packet-tag 1 102 65535
!
class-map match-any VPN_GROUP_103
 match packet-tag 1 103 65535
 match packet-tag 1 104 65534
!
class-map match-any VPN_GROUP_106
 match packet-tag 1 106 65534
 match packet-tag 1 108 65534
!
.
.
.

Verify QoS Policy, VPN QoS Policy, and WAN Ethernet Interface Shaping Configuration

The following is a sample output from the execution of the show sdwan running-config command with the keyword policy-map on a Cisco IOS XE Catalyst SD-WAN device:

Device#show sdwan running-config policy-map
policy-map VPN-QoS1_200Mbps
 class VPN_GROUP_100
  bandwidth remaining ratio 50
  service-policy qos_policy_4class_10Mbps
  shape average 20000000
 !
 class VPN_GROUP_101
  bandwidth remaining ratio 100
  service-policy qos_policy_8class_20Mbps
 !
 class VPN_GROUP_103
  bandwidth remaining ratio 150
  service-policy qos_policy_4class_30Mbps
  shape average 50000000
 !
 class VPN_GROUP_106
  bandwidth remaining ratio 200
  service-policy qos_policy_8class_40Mbps
  shape average 100000000
 !
 class class-default
  bandwidth remaining ratio 500
  service-policy qos_policy_8class_100Mbps
 !        
!
.
.
.
policy-map qos_policy_4class_10Mbps
 class Queue0
  priority level 1 2000
 !
 class Queue1
  bandwidth remaining ratio 30
  random-detect precedence-based
 !
 class class-default
  bandwidth remaining ratio 25
 !
 class Queue3
  bandwidth remaining ratio 25
 !
!
.
.
.
policy-map shape_GigabitEthernet0/0/1
 class class-default
  service-policy VPN-QoS1_200Mbps
  shape average 200000000
 !
!

Verify Extended Anti-Replay Window Configuration

The following is a sample output from the execution of the show sdwan running-config command with the keyword security on a Cisco IOS XE Catalyst SD-WAN device:

Device#show sdwan running-config security
security
 ipsec
  rekey              86400
  replay-window      512
  integrity-type     esp ip-udp-esp
  extended-ar-window 256
 !
!

Verify VPN Packet Tag Configuration

The following is a sample output from the execution of the show sdwan running-config command with the keyword sdwan on a Cisco IOS XE SD-WAN device:

Device#show sdwan running-config sdwan   
sdwan
 .
 .
 .
 vpn packet-tag 1
 .
 .
 .
 !
!

Monitor Per-VPN QoS Using CLI

Monitor Per-VPN QoS on WAN Ethernet Interface

The following is a sample output from the execution of the show policy-map interface GigabitEthernet command on a Cisco IOS XE Catalyst SD-WAN device:

Device# show policy-map interface GigabitEthernet0/0/1 
 GigabitEthernet0/0/1 

  Service-policy output: shape_GigabitEthernet0/0/1

    Class-map: class-default (match-any)  
      211055879 packets, 148615306000 bytes
      30 second offered rate 509063000 bps, drop rate 309050000 bps
      Match: any 
      Queueing
      queue limit 833 packets
      (queue depth/total drops/no-buffer drops) 0/132320694/0
      (pkts output/bytes output) 78735064/58389530406
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

      Service-policy : VPN-QoS1_200Mbps

        Class-map: VPN_GROUP_100 (match-any)  
          11408118 packets, 6454975577 bytes
          30 second offered rate 22112000 bps, drop rate 12108000 bps
          Match: packet-tag  1 100 65535
          Queueing
          queue limit 83 packets
          (queue depth/total drops/no-buffer drops) 0/6246212/0
          (pkts output/bytes output) 5161897/2919614491
          bandwidth remaining ratio 50 
          shape (average) cir 20000000, bc 80000, be 80000
          target shape rate 20000000

          Service-policy : qos_policy_4class_10Mbps

            queue stats for all priority classes:
              Queueing
              priority level 1
              queue limit 512 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 5056/842485

            Class-map: Queue0 (match-any)  
              5056 packets, 842485 bytes
              30 second offered rate 2000 bps, drop rate 0000 bps
              Match: qos-group 0
              Priority: 2000 kbps, burst bytes 50000, b/w exceed drops: 0
              
              Priority Level: 1 

            Class-map: Queue1 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 1
              Queueing
              queue limit 83 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 30 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                 20            41  1/10
                1               0/0               0/0              0/0                 22            41  1/10
                2               0/0               0/0              0/0                 25            41  1/10
                3               0/0               0/0              0/0                 27            41  1/10
                4               0/0               0/0              0/0                 30            41  1/10
                5               0/0               0/0              0/0                 32            41  1/10
                6               0/0               0/0              0/0                 35            41  1/10
                7               0/0               0/0              0/0                 37            41  1/10

            Class-map: Queue3 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 3
              Queueing
              queue limit 83 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 25 

            Class-map: class-default (match-any)  
              11403053 packets, 6454127998 bytes
              30 second offered rate 22108000 bps, drop rate 12113000 bps
              Match: any 
              Queueing
              queue limit 83 packets
              (queue depth/total drops/no-buffer drops) 83/6246212/0
              (pkts output/bytes output) 5156841/2918772006
              bandwidth remaining ratio 25 

        Class-map: VPN_GROUP_101 (match-any)  
          28507656 packets, 16135333296 bytes
          30 second offered rate 55272000 bps, drop rate 35296000 bps
          Match: packet-tag  1 101 65535
          Match: packet-tag  1 102 65535
          Queueing
          queue limit 833 packets
          (queue depth/total drops/no-buffer drops) 0/18192317/0
          (pkts output/bytes output) 10315322/5838472252
          bandwidth remaining ratio 100 

          Service-policy : qos_policy_8class_20Mbps

            queue stats for all priority classes:
              Queueing
              priority level 1
              queue limit 512 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0

            Class-map: Queue0 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 0
              Priority: 4000 kbps, burst bytes 100000, b/w exceed drops: 0
              
              Priority Level: 1 

            Class-map: Queue1 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 1
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue3 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 3
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue4 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 4
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 

            Class-map: Queue5 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 5
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 

            Class-map: Queue6 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 6
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue7 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 7
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 5 

            Class-map: class-default (match-any)  
              28507639 packets, 16135323674 bytes
              30 second offered rate 55272000 bps, drop rate 35266000 bps
              Match: any 
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 832/18192317/0
              (pkts output/bytes output) 10315322/5838472252
              bandwidth remaining ratio 15 

        Class-map: VPN_GROUP_103 (match-any)  
          57015313 packets, 32270667158 bytes
          30 second offered rate 110545000 bps, drop rate 80571000 bps
          Match: packet-tag  1 103 65535
          Match: packet-tag  1 104 65534
          Queueing
          queue limit 208 packets
          (queue depth/total drops/no-buffer drops) 0/41550294/0
          (pkts output/bytes output) 15464994/8753186604
          bandwidth remaining ratio 150 
          shape (average) cir 50000000, bc 200000, be 200000
          target shape rate 50000000

          Service-policy : qos_policy_4class_30Mbps

            queue stats for all priority classes:
              Queueing
              priority level 1
              queue limit 512 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0

            Class-map: Queue0 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 0
              Priority: 6000 kbps, burst bytes 150000, b/w exceed drops: 0
              
              Priority Level: 1 

            Class-map: Queue1 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 1
              Queueing
              queue limit 208 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 30 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                 52           104  1/10
                1               0/0               0/0              0/0                 58           104  1/10
                2               0/0               0/0              0/0                 65           104  1/10
                3               0/0               0/0              0/0                 71           104  1/10
                4               0/0               0/0              0/0                 78           104  1/10
                5               0/0               0/0              0/0                 84           104  1/10
                6               0/0               0/0              0/0                 91           104  1/10
                7               0/0               0/0              0/0                 97           104  1/10

            Class-map: Queue3 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 3
              Queueing
              queue limit 208 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 25 

            Class-map: class-default (match-any)  
              57015288 packets, 32270653008 bytes
              30 second offered rate 110544000 bps, drop rate 80551000 bps
              Match: any 
              Queueing
              queue limit 208 packets
              (queue depth/total drops/no-buffer drops) 207/41550294/0
              (pkts output/bytes output) 15464994/8753186604
              bandwidth remaining ratio 25 

        Class-map: VPN_GROUP_106 (match-any)  
          57015315 packets, 32270668290 bytes
          30 second offered rate 110545000 bps, drop rate 70593000 bps
          Match: packet-tag  1 106 65534
          Match: packet-tag  1 108 65534
          Queueing
          queue limit 416 packets
          (queue depth/total drops/no-buffer drops) 0/36386201/0
          (pkts output/bytes output) 20629094/11676067204
          bandwidth remaining ratio 200 
          shape (average) cir 100000000, bc 400000, be 400000
          target shape rate 100000000

          Service-policy : qos_policy_8class_40Mbps

            queue stats for all priority classes:
              Queueing
              priority level 1
              queue limit 512 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0

            Class-map: Queue0 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 0
              Priority: 8000 kbps, burst bytes 200000, b/w exceed drops: 0
              
              Priority Level: 1 

            Class-map: Queue1 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 1
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                104           208  1/10
                1               0/0               0/0              0/0                117           208  1/10
                2               0/0               0/0              0/0                130           208  1/10
                3               0/0               0/0              0/0                143           208  1/10
                4               0/0               0/0              0/0                156           208  1/10
                5               0/0               0/0              0/0                169           208  1/10
                6               0/0               0/0              0/0                182           208  1/10
                7               0/0               0/0              0/0                195           208  1/10

            Class-map: Queue3 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 3
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                104           208  1/10
                1               0/0               0/0              0/0                117           208  1/10
                2               0/0               0/0              0/0                130           208  1/10
                3               0/0               0/0              0/0                143           208  1/10
                4               0/0               0/0              0/0                156           208  1/10
                5               0/0               0/0              0/0                169           208  1/10
                6               0/0               0/0              0/0                182           208  1/10
                7               0/0               0/0              0/0                195           208  1/10

            Class-map: Queue4 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 4
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 

            Class-map: Queue5 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 5
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 

            Class-map: Queue6 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 6
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                104           208  1/10
                1               0/0               0/0              0/0                117           208  1/10
                2               0/0               0/0              0/0                130           208  1/10
                3               0/0               0/0              0/0                143           208  1/10
                4               0/0               0/0              0/0                156           208  1/10
                5               0/0               0/0              0/0                169           208  1/10
                6               0/0               0/0              0/0                182           208  1/10
                7               0/0               0/0              0/0                195           208  1/10

            Class-map: Queue7 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 7
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 5 

            Class-map: class-default (match-any)  
              57015295 packets, 32270656970 bytes
              30 second offered rate 110544000 bps, drop rate 70575000 bps
              Match: any 
              Queueing
              queue limit 416 packets
              (queue depth/total drops/no-buffer drops) 415/36386201/0
              (pkts output/bytes output) 20629094/11676067204
              bandwidth remaining ratio 15 

        Class-map: class-default (match-any)  
          57109439 packets, 61483635051 bytes
          30 second offered rate 210589000 bps, drop rate 110479000 bps
          Match: any 
          Queueing
          queue limit 833 packets
          (queue depth/total drops/no-buffer drops) 0/29945670/0
          (pkts output/bytes output) 27163757/29202189855
          bandwidth remaining ratio 500 

          Service-policy : qos_policy_8class_100Mbps

            queue stats for all priority classes:
              Queueing
              priority level 1
              queue limit 512 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 94100/21122793

            Class-map: Queue0 (match-any)  
              94100 packets, 21122793 bytes
              30 second offered rate 46000 bps, drop rate 0000 bps
              Match: qos-group 0
              Priority: 20000 kbps, burst bytes 500000, b/w exceed drops: 0
              
              Priority Level: 1 

            Class-map: Queue1 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 1
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue3 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 3
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue4 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 4
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 

            Class-map: Queue5 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 5
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 10 

            Class-map: Queue6 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 6
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 15 
                Exp-weight-constant: 4 (1/16)
                Mean queue depth: 0 packets
                class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark
                        pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob
                
                0               0/0               0/0              0/0                208           416  1/10
                1               0/0               0/0              0/0                234           416  1/10
                2               0/0               0/0              0/0                260           416  1/10
                3               0/0               0/0              0/0                286           416  1/10
                4               0/0               0/0              0/0                312           416  1/10
                5               0/0               0/0              0/0                338           416  1/10
                6               0/0               0/0              0/0                364           416  1/10
                7               0/0               0/0              0/0                390           416  1/10

            Class-map: Queue7 (match-any)  
              0 packets, 0 bytes
              30 second offered rate 0000 bps, drop rate 0000 bps
              Match: qos-group 7
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
              bandwidth remaining ratio 5 

            Class-map: class-default (match-any)  
              57015327 packets, 61462499322 bytes
              30 second offered rate 210542000 bps, drop rate 110548000 bps
              Match: any 
              Queueing
              queue limit 833 packets
              (queue depth/total drops/no-buffer drops) 832/29945670/0
              (pkts output/bytes output) 27069657/29181067062
              bandwidth remaining ratio 15 
Device#

Monitor Extended Anti-Replay Feature for Local and Remote TLOCs

The following is a sample output from the execution of the show sdwan omp tlocs command on a Cisco IOS XE Catalyst SD-WAN device:

Device#show sdwan omp tlocs
.
.
.
---------------------------------------------------
tloc entries for 10.6.0.1
                 mpls
                 ipsec
---------------------------------------------------
            RECEIVED FROM:                   
peer            10.8.3.3
status          C,I,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
    Attributes:
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         258
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-ip         176.16.60.2
     public-port       12346
     private-ip        176.16.60.2
     private-port      12346
     public-ip         176:16:60:0:250:56ff:fea5:580a
     public-port       12346
     private-ip        176:16:60:0:250:56ff:fea5:580a
     private-port      12346
     bfd-status        up
     domain-id         not set
     site-id           600
     overlay-id        not set
     preference        1000
     tag               not set
     stale             not set
     weight            1
     version           3
    gen-id             0x8000022f
     carrier           default
     restrict          1
     on-demand          1
     groups            [ 0 ]
     bandwidth         0
     bandwidth-dmin    0
     bandwidth-down    0
     bandwidth-dmax    0
     adapt-qos-period  0
     adapt-qos-up      0
     qos-group         default-group
     border             not set
     extended-ipsec-anti-replay  1
     unknown-attr-len  not set
            RECEIVED FROM:                   
peer            10.8.4.4
status          C,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
    Attributes:
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         258
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-ip         176.16.60.2
     public-port       12346
     private-ip        176.16.60.2
     private-port      12346
     public-ip         176:16:60:0:250:56ff:fea5:580a
     public-port       12346
     private-ip        176:16:60:0:250:56ff:fea5:580a
     private-port      12346
     bfd-status        up
     domain-id         not set
     site-id           600
     overlay-id        not set
     preference        1000
     tag               not set
     stale             not set
     weight            1
     version           3
    gen-id             0x8000022f
     carrier           default
     restrict          1
     on-demand          1
     groups            [ 0 ]
     bandwidth         0
     bandwidth-dmin    0
     bandwidth-down    0
     bandwidth-dmax    0
     adapt-qos-period  0
     adapt-qos-up      0
     qos-group         default-group
     border             not set
     extended-ipsec-anti-replay  1
     unknown-attr-len  not set
.
.
.
Device#

Cisco Catalyst SD-WAN Forwarding and QoS Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x

Bias-Free Language

Book Title

Cisco Catalyst SD-WAN Forwarding and QoS Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x

Chapter Title

Per-VPN QoS

Results

Chapter: Per-VPN QoS

Per-VPN QoS

Restriction for Per-VPN QoS

Information About Per-VPN QoS

Extended Anti-Replay Window

Benefits of Per-VPN QoS

Configure Per-VPN QoS

Create Forwarding Classes

Create VPN Lists

Create QoS Maps

Create VPN QoS Map

Configure Extended Anti-Replay Window

Attach VPN QoS Map to WAN Interface

Configure Per-VPN QoS Using CLI

Example: Configure Per-VPN QoS

Verify Per-VPN QoS Configuration

Verify VPN Group Configuration

Verify QoS Policy, VPN QoS Policy, and WAN Ethernet Interface Shaping Configuration

Verify Extended Anti-Replay Window Configuration

Verify VPN Packet Tag Configuration

Monitor Per-VPN QoS Using CLI

Monitor Per-VPN QoS on WAN Ethernet Interface

Monitor Extended Anti-Replay Feature for Local and Remote TLOCs

Was this Document Helpful?

Contact Cisco