03-18-2008 08:30 AM - edited 02-21-2020 01:56 AM
I have a DSL router connected to a central site via a GRE tunnel. The tunnel is encrypted by IPsec and works fine.
- cisco 836 IOS version c836-k9o3s8y6-mz.123-2.XA6.bin
- DSL 7550kbps/864kbps
- ipsec encrypted gre tunnel
- ipsec tunnel mode
I'm trying to implement QoS. The configuration is rather straight forward.
- class-maps for voip and citrix
- policy-map - child and parent; with LLQ and CBWFQ; class based shaping
- qos pre-classify to classify packets prior to encryption
- crypto commands to prevent fragmentation after encryption
- expanded anti replay window
- output service-policy on tunnel interface
Two things don't work however.
- 'shape average' command for policy-map. I can enter it but it doesn't show up in the configuration and no error message appears.
- 'service-policy output parent' command on interface tunnel0. I can enter it but it doesn't show up in the configuration. Sometimes it says 'CBWFQ : Hierarchy supported only if shaping is configured in this class'. That's obvious because the 'shape average 400000' won't stick. Funny thing, however, is that I do not get the error message when I enter the 'shape average' command in the policy-map first. But still, neither of them shows up.
And the net result is that there is no active policy on the interface:
dsl-router#sh policy-map
  Policy Map parent
    Class class-default
      service-policy child
  Policy Map child
    Class voip
      Strict Priority
      Bandwidth 30 (%)
    Class citrix
      Bandwidth 500 (kbps) Max Threshold 64 (packets)
    Class class-default
      Flow based Fair Queueing
      Bandwidth 0 (kbps) Max Threshold 64 (packets)
      set dscp default
Also tried other IOS versions. Same result. Anyone got a clue what's going wrong here?
---------------------config example---------------------
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key xxx address 192.xxx.yyy.10
crypto ipsec transform-set VPN-SITE-TRANS esp-3des esp-sha-hmac
! expanded anti-replay window, so that packets reordered by the LLQ after
! ESP sequencing are not dropped by the peer
crypto ipsec security-association replay window-size 1024
! prevent fragmentation after encryption
crypto df-bit set
crypto ipsec fragmentation before-encryption
!
crypto map VPN-SITE 1 ipsec-isakmp
 set peer 192.xxx.yyy.10
 set transform-set VPN-SITE-TRANS
 match address VPN-TO-CENTRAL
!
class-map match-any voip
 match ip dscp ef
class-map match-any citrix
 match access-group name citrix_ports
!
policy-map child
 class voip
  ! LLQ
  priority percent 30
 class citrix
  ! CBWFQ
  bandwidth 500
 class class-default
  fair-queue
  set dscp default
policy-map parent
 class class-default
  ! shape traffic to 400 kbps
  shape average 400000
  service-policy child
!
interface Tunnel0
 description GRE tunnel
 ip address 137.aaa.bbb.2 255.255.255.252
 ! classify on the cleartext headers before GRE/IPsec encapsulation
 qos pre-classify
 service-policy output parent
 keepalive 10 3
 tunnel source BVI1
 tunnel destination 192.xxx.yyy.10
 crypto map VPN-SITE
!
interface Ethernet0
 description LAN
 ip address 10.19.245.254 255.255.255.0
 ip helper-address 10.11.12.13
 ip tcp adjust-mss 1432
 no ip mroute-cache
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
!
interface BVI1
 description towards outside dsl
 mac-address 0000.00c2.5911
 ip address dhcp
 no ip redirects
 qos pre-classify
 crypto map VPN-SITE
!
router eigrp 20
 passive-interface BRI0
 passive-interface Ethernet0
 network 10.0.0.0
 network 137.aaa.bbb.ccc
 no auto-summary
!
ip access-list extended citrix_ports
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any eq 1604
 permit udp any any eq 1604
 permit tcp any any eq 2598
 permit udp any any eq 2598
 deny ip any any
!
ip access-list extended VPN-TO-CENTRAL
 permit gre any host 192.xxx.yyy.10
!
end
03-23-2008 07:16 PM
Don't know the exact fix, but some suggestions:
The parent policy is shaping at 400 Kbps but the child has a (Citrix) class with 500 Kbps?
CBWFQ is sensitive to interface bandwidth; you might try defining a bandwidth on the tunnel of a virtual 1 Mbps or so. (BTW: sometimes CBWFQ will place errors in the log that are not seen at the command line.)
You might also consider using the policy on the outbound physical interface. Amend the parent to only apply to the tunnel traffic and use DSCP markings, copied to the encrypted packet's header, for VoIP and Citrix traffic.
PS:
You might also consider, if available, using NBAR to match Citrix.
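Added example, not posted by anyone in this thread and not Cisco tooling: a small Python linter that reads the posted policy-maps and reports the two conditions raised above, a child policy nested in a parent class that has no shaper (the "Hierarchy supported only if shaping is configured" case) and child guarantees (priority percent, bandwidth) that add up to more than the parent shape rate (the 400 kbps parent against the 500 kbps Citrix class). It understands only the MQC commands that appear in this thread, ignores indentation (lost in the paste), strips anything after '!', and does not model IOS's max-reserved-bandwidth rule; the sample configs are constructed from the posted one.

```python
"""Lint a Cisco IOS parent/child MQC policy for the two mismatches raised in
this thread.  Added example, not Cisco tooling; parses only the commands that
appear in the posted config."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Class sub-commands that keep us inside a policy-map; any other line ends it.
CLASS_SUBCOMMANDS = ("priority", "bandwidth", "shape", "service-policy",
                     "fair-queue", "set ", "police", "queue-limit",
                     "random-detect")


@dataclass
class ClassCfg:
    priority_pct: int = 0        # priority percent N   (LLQ, % of parent rate)
    priority_kbps: int = 0       # priority N           (LLQ, absolute kbps)
    bandwidth_pct: int = 0       # bandwidth percent N  (CBWFQ, % of parent rate)
    bandwidth_kbps: int = 0      # bandwidth N          (CBWFQ, absolute kbps)
    shape_bps: int = 0           # shape average N      (bits per second)
    child: Optional[str] = None  # service-policy NAME  (nested policy)


def parse_policy_maps(config: str) -> Dict[str, Dict[str, ClassCfg]]:
    """Return {policy_name: {class_name: ClassCfg}} from show-run style text.
    Leading whitespace is ignored and anything after '!' is dropped, so the
    inline comments in the posted config do not break the parser (IOS itself
    would reject them as invalid input)."""
    policies: Dict[str, Dict[str, ClassCfg]] = {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        if line.startswith("policy-map "):
            policy, cls = line.split()[1], None
            policies[policy] = {}
        elif policy and line.startswith("class "):
            cls = line.split()[1]
            policies[policy][cls] = ClassCfg()
        elif policy and cls and line.startswith(CLASS_SUBCOMMANDS):
            c = policies[policy][cls]
            if m := re.fullmatch(r"priority percent (\d+)", line):
                c.priority_pct = int(m[1])
            elif m := re.fullmatch(r"priority (\d+)", line):
                c.priority_kbps = int(m[1])
            elif m := re.fullmatch(r"bandwidth percent (\d+)", line):
                c.bandwidth_pct = int(m[1])
            elif m := re.fullmatch(r"bandwidth (\d+)", line):
                c.bandwidth_kbps = int(m[1])
            elif m := re.fullmatch(r"shape average (\d+)", line):
                c.shape_bps = int(m[1])
            elif m := re.fullmatch(r"service-policy (\S+)", line):
                c.child = m[1]
        else:
            policy = cls = None  # left the policy-map block (interface, ...)
    return policies


def lint(policies: Dict[str, Dict[str, ClassCfg]], top: str) -> List[str]:
    """Check every class of policy `top` that nests a child policy."""
    findings: List[str] = []
    for cname, c in policies.get(top, {}).items():
        if c.child is None:
            continue
        if c.shape_bps == 0:
            findings.append(f"{top}/{cname}: nests '{c.child}' but has no "
                            "'shape average'; IOS rejects the hierarchy")
            continue
        child = policies.get(c.child)
        if child is None:
            findings.append(f"{top}/{cname}: child '{c.child}' is not defined")
            continue
        rate = c.shape_bps // 1000  # parent shape rate in kbps
        total = 0
        for ccname, cc in child.items():
            # percent-based guarantees are taken from the parent shape rate
            kbps = (cc.bandwidth_kbps + cc.priority_kbps
                    + rate * (cc.bandwidth_pct + cc.priority_pct) // 100)
            if kbps > rate:
                findings.append(f"{c.child}/{ccname}: guarantees {kbps} kbps, "
                                f"more than the parent shape rate {rate} kbps")
            total += kbps
        if total > rate:
            findings.append(f"{c.child}: guarantees total {total} kbps, "
                            f"more than the parent shape rate {rate} kbps")
    return findings


# Constructed samples: the posted policy section, a fixed variant, no shaper.
POSTED = """\
policy-map child
class voip
priority percent 30 ! LLQ
class citrix
bandwidth 500 ! CBWFQ
class class-default
fair-queue
set dscp default
policy-map parent
class class-default
shape average 400000 ! shape traffic to 400 kbps
service-policy child
!
interface Tunnel0
qos pre-classify
service-policy output parent
"""
FIXED = (POSTED.replace("bandwidth 500", "bandwidth 300")
               .replace("shape average 400000", "shape average 700000"))
NOSHAPE = POSTED.replace("shape average 400000 ! shape traffic to 400 kbps\n", "")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED), ("no shaper", NOSHAPE)):
        print(f"[{name}]")
        for f in lint(parse_policy_maps(cfg), "parent") or ["ok"]:
            print("  " + f)
```

On the posted config the linter reports the Citrix class (500 kbps against a 400 kbps shaper) and the child total (30% of 400 = 120 kbps plus 500 kbps); with the shaper raised to 700 kbps and Citrix cut to 300 kbps it is clean, and with the shape line removed it reports the missing shaper.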
03-24-2008 10:01 AM
You might also want to review: http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t3
03-26-2008 04:27 AM
Hi,
Have you tried to attach your parent policy to the physical interface and not to the tunnel?
interface Tunnel0
 description GRE tunnel
 ip address 137.aaa.bbb.2 255.255.255.252
 qos pre-classify
 keepalive 10 3
 tunnel source BVI1
 tunnel destination 192.xxx.yyy.10
 crypto map VPN-SITE
!
interface BVI1
 description towards outside dsl
 mac-address 0000.00c2.5911
 ip address dhcp
 service-policy output parent
 no ip redirects
 qos pre-classify
 crypto map VPN-SITE
Hope this helps! Please use the rating system.
Regards, Martin
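Added example, not posted by anyone in this thread: the suggestions above combined into one fragment, with the parent shaper on the physical outside interface, the child guarantees sized to fit inside the shape rate, a nominal bandwidth on the tunnel for CBWFQ, and qos pre-classify on the crypto map so that the Citrix class (which matches TCP/UDP ports hidden by ESP) is still classified after encryption. Assumptions, not facts from the thread: the shaper is set to 700 kbps to leave headroom under the posted 864 kbps upstream for GRE, ESP and AAL5 overhead, and Citrix is cut to 300 kbps so that 30% of 700 (210 kbps for voip) plus 300 kbps stays below the shape rate; whether the 836's BVI accepts an output service-policy is as the poster above suggests, not verified here.

```ios
! Added example for this thread (not from any poster); see assumptions above.
class-map match-any voip
 match ip dscp ef
class-map match-any citrix
 match access-group name citrix_ports
!
policy-map child
 class voip
  ! LLQ: 30% of the parent shape rate = 210 kbps
  priority percent 30
 class citrix
  ! CBWFQ: 300 kbps, so 210 + 300 < 700 (assumed values)
  bandwidth 300
 class class-default
  fair-queue
  set dscp default
policy-map parent
 class class-default
  ! assumed 700 kbps, below the 864 kbps upstream to absorb encapsulation overhead
  shape average 700000
  service-policy child
!
crypto map VPN-SITE 1 ipsec-isakmp
 set peer 192.xxx.yyy.10
 set transform-set VPN-SITE-TRANS
 match address VPN-TO-CENTRAL
 ! classify on the cleartext headers before ESP hides the ports
 qos pre-classify
!
interface Tunnel0
 description GRE tunnel
 ip address 137.aaa.bbb.2 255.255.255.252
 ! nominal bandwidth for CBWFQ, as suggested above
 bandwidth 700
 qos pre-classify
 keepalive 10 3
 tunnel source BVI1
 tunnel destination 192.xxx.yyy.10
 crypto map VPN-SITE
!
interface BVI1
 description towards outside dsl
 ip address dhcp
 crypto map VPN-SITE
 ! policy now acts on the encrypted packets leaving the box
 service-policy output parent
!
! Queuing after encryption can reorder ESP packets after they were
! sequenced, so keep the enlarged anti-replay window from the posted config.
crypto ipsec security-association replay window-size 1024
```

Two caveats worth knowing with the policy on the physical interface: the voip class works even without pre-classification because IOS copies the inner DSCP (EF here) into the outer IPsec header by default, which also means the traffic class is visible to anyone on the path; and because the shaper now sees ESP packets, the shape rate has to account for GRE plus ESP overhead, which is why the example shapes well below the line rate.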