How to prioritize VPN traffic in Cisco router

Unanswered Question
Aug 12th, 2008
User Badges:


One of the customer has put one request.Customer wants to Priortize his VPN Traffic in router,topology is like this

Internet RTR === Checkpoint==Cstmr LAN

customer is using IPSEC in check point.Is it possible to priortize the vpn traffic in Router (Cisco 1800 Sers)...pls share the input also the command to do the same

thanks in Advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Collin Clark Tue, 08/12/2008 - 05:44
User Badges:
  • Purple, 4500 points or more

What's the point of prioritizing the traffic in the router when it loses all priority beyond that (on the internet)? It's possible to do, but doesn't make much sense. Find out what the real problem the customer is experiencing and address that.

Hope that helps.

CSCO10758684 Tue, 08/12/2008 - 05:53
User Badges:


Thanks for the update ..Customer is using site to site tunneling (destination hosted in Germeny) ...concern here is outgoing and incomming vpn traffic comming/going to router has to be given priority rest traffic has to be given low priority...


NewBloke01 Tue, 08/12/2008 - 06:52
User Badges:

Presumably your customer is selecting interesting traffic to encrypt in the tunnel by an access list that is called by the crypto map. All other traffic needs to be given lower priority, so can you just use QoS to prioritise the same access list that the crypto map uses?


CSCO10758684 Tue, 08/12/2008 - 07:01
User Badges:


Thanks for the input ..can u share a sample configuration for the same ...Currently custoemr not using any config in router.tunnel is created in check point...

only config is belw mentioned rest all comn config

p classless

ip route XX.XX.XX.XX

ip http server

ip http access-class 23

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000


NewBloke01 Tue, 08/12/2008 - 07:18
User Badges:


First you need a crypto map like this:

crypto map MYMAP local-address Loopback0

crypto map MYMAP 1 ipsec-isakmp

description VPN tunnel to Germany

set peer t.t.t.t (the other end of the IPSEC tunnel - public address)

set transform-set ESP-3DES-SHA (or whatever...)

match address Encrypt

Now you need to make an access-list called “Encrypt” and that would look something like this:

ip access-list extended Encrypt

permit ip n.n.n.n y.y.y.y.0

permit ip n.n.n.n0.0.0.255 z.z.z.z

permit ip n.n.n.n0 x.x.x.x

and so -on, where n.n.n.n = LAN address

y.y.y.y, z.z.z.z & x.x.x.x = remote networks that need encrypting.

Now this list “Encrypt” can be used to mark traffic for QoS (see cisco main site on how to police and mark traffic.)

Hope this helps.


CSCO10758684 Tue, 08/12/2008 - 07:34
User Badges:


great but a big list ...let me have check ..will let you know the status ..



This Discussion