07-05-2007 02:37 AM - edited 03-03-2019 05:44 PM
Hi,
E2(branch)E0-----(VPN tunnel)-----E0/0(HeadOffice)E0/1
I wanted to prioritize the mail server (residing at head office) 192.168.0.35,
so I set up a low latency priority queue (percentage based) on the branch's router, a Cisco 837. I found the method in Cisco's sample documents...
Can anyone check and tell me if I did it right or wrong... and is there any way to tell if this queue is really working?
Because one of my concerns is that the policy is implemented on the WAN facing interface (E0) for outbound traffic. The policy states that the class "oracle" is given 50% and the rest is set to fair-queue.
The class "oracle" specifies an ACL stating that traffic from any source to the destination host 192.168.0.35 should be matched.
Now the traffic from the branch's LAN (192.168.2.0/24 network) to the head office's networks (192.168.0.0/24 and 172.16.0.0/24) is encapsulated in a VPN tunnel made with the preshared key method.
The peer address is the head office's loopback address.
Will this interface ever be able to prioritize the traffic, or is the packet (destined for 192.168.0.35) already encrypted for the VPN tunnel, so the router never identifies this traffic as falling under the class "oracle"?
Below is the running config of my branch's router.
bkup#sh run
version 12.4
service password-encryption
hostname bkup
username admin privilege 15 secret 5 $1
!
########################################
class-map match-all oracle
match access-group 110
!
policy-map orcale_policy
class oracle
priority percent 50
class class-default
fair-queue
########################################
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abcd address 192.168.9.24
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpntest esp-3des esp-md5-hmac
!
crypto map vpntest local-address Loopback0
crypto map vpntest 10 ipsec-isakmp
set peer 192.168.9.24
set transform-set vpntest
match address 102
!
interface Loopback0
ip address 192.168.8.25 255.255.255.255
!
interface Ethernet0
ip address 192.168.9.15 255.255.255.248
ip nbar protocol-discovery
ip route-cache flow
no cdp enable
crypto map vpntest
########################################
service-policy output orcale_policy
########################################
hold-queue 100 out
!
interface Ethernet2
ip address 192.168.2.254 255.255.255.0
ip nbar protocol-discovery
ip route-cache flow
hold-queue 100 out
!
interface ATM0
no ip address
ip nbar protocol-discovery
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
encapsulation ppp
load-interval 30
dialer pool 1
ppp pap sent-username dslbkup password xxx
crypto map vpntest
!
router ospf 10
router-id 192.168.9.15
log-adjacency-changes
network 192.168.8.25 0.0.0.0 area 12
network 192.168.9.15 0.0.0.7 area 12
!
ip route 0.0.0.0 0.0.0.0 20.16.8.25
ip route 0.0.0.0 0.0.0.0 Dialer1 50 name backup
ip route 192.168.9.15 255.255.255.248 192.168.9.15
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Ethernet2
ip flow-export version 5
ip flow-export destination 192.168.2.22 9996
!
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 110 permit ip any host 192.168.0.35
access-list 110 permit ip any host 192.168.0.34
bkup#
07-05-2007 03:23 AM
Hi,
It's not suggested to use LLQ for SMTP. LLQ is a better queue for real-time traffic such as voice, video, Visio, telnet and ssh.
Anyway, I always classify traffic on the input interface, so a service policy for marking on the incoming interface and another policy on the outgoing interface. (One service-policy to classify and mark, and another service-policy for scheduling.)
Also, please set DSCP values when you classify, even when you are in point-to-point.
It will help you when your network mode changes. In this case don't forget to add the "qos pre-classify" command on the crypto map.
Also, for TCP applications (except real-time applications) don't use LLQ; instead use the "bandwidth" command.
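To picture the classification problem raised in the question and the "qos pre-classify" fix mentioned in the reply, here is an added Python simulation (not part of either post, and not Cisco code): it parses the posted ACLs with Cisco wildcard-mask semantics, wraps a LAN packet in tunnel-mode ESP, and matches class "oracle" against the outer header versus the pre-encryption header. The LAN host address and the TCP protocol number in the sample packet are assumed values.

```python
import ipaddress

# Constructed model of the branch router in this thread; ACL lines and addresses
# are copied from the posted config, the simulation is added, not Cisco code.
CRYPTO_ACL_102 = [  # crypto map "match address 102": what gets tunnelled
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.15.255"]
CLASS_ACL_110 = [   # class-map "oracle": match access-group 110
    "access-list 110 permit ip any host 192.168.0.35",
    "access-list 110 permit ip any host 192.168.0.34"]
LOCAL, PEER, ESP = "192.168.8.25", "192.168.9.24", 50  # Loopback0, set peer, proto

def wildcard_to_network(addr, wildcard):
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care (contiguous only)
    netmask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)

def parse_ace(line):
    """Parse 'access-list N permit ip <src> <dst>' into (src_net, dst_net)."""
    rest, nets = line.split()[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1])); rest = rest[2:]
    return nets[0], nets[1]

def acl_permits(acl, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in map(parse_ace, acl))

def ipsec_encapsulate(pkt):
    """Tunnel-mode ESP: a packet selected by ACL 102 leaves with an outer header
    router -> peer, protocol 50; the original header is encrypted inside."""
    if not acl_permits(CRYPTO_ACL_102, pkt["src"], pkt["dst"]):
        return pkt
    return {"src": LOCAL, "dst": PEER, "proto": ESP, "inner": pkt}

def classify(pkt, pre_classify):
    """Match class 'oracle' on the outer header (default) or on the saved
    pre-encryption header ('qos pre-classify' on the crypto map)."""
    hdr = pkt.get("inner", pkt) if pre_classify else pkt
    return "oracle" if acl_permits(CLASS_ACL_110, hdr["src"], hdr["dst"]) else "class-default"

def demo(dst="192.168.0.35"):
    """Classify one constructed LAN packet to dst without and with pre-classify."""
    enc = ipsec_encapsulate({"src": "192.168.2.10", "dst": dst, "proto": 6})
    return classify(enc, False), classify(enc, True)
```

Without pre-classify the outbound interface only ever sees ESP packets from the loopback to the peer, so ACL 110 cannot match; with it, the same packet lands in class "oracle".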
07-05-2007 04:37 AM
OK...
I'm new at QoS so I would really like to know what I should or should not be doing.
You said use it for real time applications. We don't use voice or video on our networks, but aside from SMTP connections there are very critical TCP applications (like a centralized Oracle database and applications) located at the head office, and branch users use them via web based forms.
What is DSCP? Please can you clarify?
So should I change the interface for applying the service policy? Apply it on the LAN interface for all incoming traffic that's destined for 192.168.0.35 or any other business critical server?
You said don't use LLQ, instead use the bandwidth command? Do you mean to say that I shouldn't use priority percentage and use bandwidth percentage instead?
Appreciate your help on this :-) Thanks,
07-06-2007 12:40 AM
OK, I made the following changes...
I took out the priority percent 50 command from the policy-map > class name
and I inserted bandwidth percent 50.
Next I entered the pre-classify command in the crypto map:
crypto map vpntest 10 ipsec-isakmp
qos pre-classify
So my CBWFQ now looks like this...
#############################################
class-map match-all oracle
match access-group 110
!
!
policy-map orcale_policy
class oracle
bandwidth percent 50
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key hello address 192.168.93.254
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpntest esp-3des esp-md5-hmac
!
crypto map vpntest local-address Loopback0
crypto map vpntest 10 ipsec-isakmp
set peer 192.168.93.254
set transform-set vpntest
match address 102
qos pre-classify
interface Ethernet0
ip address 192.168.97.156 255.255.255.248
ip nbar protocol-discovery
ip route-cache flow
no cdp enable
crypto map vpntest
service-policy output orcale_policy
hold-queue 100 out
#############################################
The output I get for the policy map is...
HYD-bkup#sh policy-map orcale_policy
Policy Map orcale_policy
Class oracle
Bandwidth 50 (%) Max Threshold 64 (packets)
Class class-default
Flow based Fair Queueing
Bandwidth 0 (kbps) Max Threshold 64 (packets)
HYD-bkup#sh policy-map int
HYD-bkup#sh policy-map interface e0
Ethernet0
Service-policy output: orcale_policy
Class-map: oracle (match-all)
773 packets, 196481 bytes
5 minute offered rate 2000 bps, drop rate 0 bps
Match: access-group 110
Queueing
Output Queue: Conversation 265
Bandwidth 50 (%)
Bandwidth 5000 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
95216 packets, 17869627 bytes
5 minute offered rate 24000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
HYD-bkup#
I still don't get why I am not getting any 5 minute offered rate.
07-06-2007 01:20 AM
Hi,
Maybe there is a misunderstanding as to what the counters mean in "show policy-map interface". A detailed explanation of all counters can be found in "Understanding Packet Counters in show policy-map interface Output":
http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml
In brief: the counter does not increase if you have no congestion and the packets are CEF switched. Basically it counts the number of packets in the L3 queueing system matching the specific class. No congestion means no packets in the L3 queueing system, thus (pkts matched/bytes matched) 0/0, and thus the bandwidth might not be what you expect to see. A second explanation can be that there simply was not that much traffic, as you are averaging since the last "clear counters". So if you, e.g., would fully use the bandwidth during two hours a day and not use it the rest of the day, the 24 hour average would show less than 10%.
Hope this helps!
Regards, Martin
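As an added illustration of the counters Martin describes (not part of his reply and not a Cisco tool): a small Python parser over an abridged copy of the posted "sh policy-map interface e0" output that sets the classifier counters (packets, offered rate) beside the queueing counters (matched/queued, drops) and explains each class. The explanation strings are my own wording.

```python
import re

# Constructed sample, abridged from the "sh policy-map interface e0" output above.
SAMPLE = """\
Service-policy output: orcale_policy
Class-map: oracle (match-all)
773 packets, 196481 bytes
5 minute offered rate 2000 bps, drop rate 0 bps
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
95216 packets, 17869627 bytes
5 minute offered rate 24000 bps, drop rate 0 bps
(total queued/total drops/no-buffer drops) 0/0/0
"""

# Counter lines worth reading: (regex, field names filled from its groups)
FIELDS = [
    (re.compile(r"^\s*(\d+) packets, \d+ bytes"), ("packets",)),
    (re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps"), ("offered_bps", "drop_bps")),
    (re.compile(r"\(pkts matched/bytes matched\)\s+(\d+)/\d+"), ("queued",)),
    (re.compile(r"\(total queued/total drops/no-buffer drops\)\s+(\d+)/(\d+)/\d+"), ("queued", "drops")),
    (re.compile(r"\(depth/total drops/no-buffer drops\)\s+\d+/(\d+)/\d+"), ("drops",)),
]
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")

def parse_policy_map_interface(text):
    """One dict per class: classifier counters (packets, offered rate) beside
    queueing counters (queued, drops), which only move under congestion."""
    classes, cur = [], None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = {"name": m.group(1), "packets": 0, "offered_bps": 0,
                   "drop_bps": 0, "queued": 0, "drops": 0}
            classes.append(cur)
            continue
        for regex, names in FIELDS:
            m = regex.search(line)
            if m and cur is not None:
                cur.update(zip(names, map(int, m.groups())))
    return classes

def explain(cls):
    """Read the counters the way Martin's reply describes."""
    if cls["packets"] == 0:
        return "nothing classified since the last 'clear counters'"
    if cls["queued"] == 0:
        return "classified but never queued: no congestion, so CBWFQ never had to act"
    return "queued under congestion" + (", dropping" if cls["drops"] else "")
```

For the posted output both classes show packets and an offered rate but zero queued, which is the "no congestion" case: the policy is attached and classifying, it just has not had to schedule anything yet.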