Confusion with qos over vpn

luthierone
Level 1

Hi,

In an effort to better understand cisco qos configuration, I am doing a test on my router. Right now, all I want to do is match some traffic and give it dedicated bandwidth over my vpn and actually see that it is working. It doesn't seem to be working so far. Maybe someone can spot a problem in my config. Traffic I want to match:

access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.32.0 0.0.1.255

Policy stuff:

    class-map match-all test
     description test class to see whats going on
     match access-group 105
    !
    !
    policy-map policy1
     class test
      priority 96
     class class-default
      fair-queue

My outbound internet if:

    interface Serial1/0
     ip address x.x.x.x 255.255.255.252
     serial restart-delay 0
     no cdp enable
     service-policy output policy1

my vpn config:

    interface Tunnel0
     description VPN to Tempe
     ip address 10.10.50.1 255.255.255.0
     qos pre-classify
     keepalive 300 3
     tunnel source Serial1/0
     tunnel destination x.x.x.x
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile pro-meramont

Traffic is coming into the router on this if:

    interface FastEthernet2/0
     ip address 192.168.50.2 255.255.255.0
     duplex auto
     speed auto
     no cdp enable

I understand I need that qos pre-classify command to perform the policy routing over the tunnel, but I don't see it happening:

    Meramont#sh crypto eng qos
    crypto engine name: Multi-VPN Using Virtual Private Network (VPN) Module3/8
    crypto engine type: hardware
    slot: 3
    queuing: enabled
    visible bandwidth: 2000 kbps
    llq size: 0
    default queue size/max: 0/64
    interface table size: 32
    Serial1/0 (5), iftype 1, ctable size 16, input filter: access-group 105
    class test (1/9), match access-group 105
    bandwidth 96 kbps, max token 19200
    IN match pkt/byte 0/0, police drop 0
    OUT match pkt/byte 0/0, police drop 0
    class default, match pkt/byte 115051/80548845, qdrop 11
    crypto engine bandwidth: total 2000 kbps, allocated 96 kbps

I don't know, maybe I'm not supposed to see it happening in here. But I am definitely getting hits on my access-list:

    sh access-list 105
    Extended IP access list 105
        10 permit ip 192.168.50.0 0.0.0.255 192.168.32.0 0.0.1.255 (424 matches)

I don't really know of any good debug commands to see if the qos is happening, and I am a little confused as to where the packet matching happens. Any help would be appreciated.

thanks

2 Replies

Hi,

The configuration looks fine.

You are doing LLQ. Any queueing, including LLQ, only works when there's congestion and that's the reason why you aren't seeing any packets being prioritized.

You might want to generate more traffic to cause congestion and check whether queueing kicks in.

HTH

Sundar

Thanks, that makes sense.
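The point made in the first reply, that priority queueing only changes anything once the link is congested, can be seen in a small model. This is an added example, not part of the original thread and not how IOS is implemented: it is a simplified strict-priority scheduler, the class names come from the posted policy-map, and the packet rates are constructed. It does not model the policing that LLQ applies to the priority class.

```python
from collections import deque

def simulate(link_rate, prio_rate, default_rate, ticks=100):
    """Strict-priority scheduler in front of a link sending `link_rate` packets per tick.

    Returns, per class, packets sent, packets that had to wait in a queue,
    and the worst queueing delay in ticks.
    """
    # Served in this order each tick: the priority class always goes first.
    order = ("test", "class-default")
    offered = {"test": prio_rate, "class-default": default_rate}
    queues = {name: deque() for name in order}
    stats = {name: {"sent": 0, "waited": 0, "max_delay": 0} for name in order}

    for now in range(ticks):
        # Arrivals: each queued entry is the tick at which the packet arrived.
        for name in order:
            queues[name].extend([now] * offered[name])
        # Service: spend the link's per-tick budget, priority class first.
        budget = link_rate
        for name in order:
            q = queues[name]
            while budget and q:
                delay = now - q.popleft()
                s = stats[name]
                s["sent"] += 1
                s["waited"] += delay > 0
                s["max_delay"] = max(s["max_delay"], delay)
                budget -= 1
    return stats

if __name__ == "__main__":
    # Constructed rates (packets per tick); the link carries 10 per tick.
    for label, default_rate in (("uncongested", 5), ("congested", 12)):
        result = simulate(link_rate=10, prio_rate=2, default_rate=default_rate)
        print(label)
        for name, s in result.items():
            print(f"  {name:14} sent={s['sent']:4} waited={s['waited']:4} "
                  f"max_delay={s['max_delay']}")
```

With offered load below the link rate, no packet in either class ever waits, so the scheduling order has nothing to act on. Once the default class oversubscribes the link, its backlog and delay grow while the priority class still leaves with zero delay.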
