How to prioritize VPN traffic in Cisco router

Unanswered Question
Aug 12th, 2008

Hi,

One of the customers has made a request. The customer wants to prioritize his VPN traffic in the router; the topology is like this:

Internet RTR === Checkpoint==Cstmr LAN

The customer is using IPSEC in Check Point. Is it possible to prioritize the VPN traffic in the router (Cisco 1800 Series)? Please share your input and also the command to do the same.

Thanks in advance

Lijesh

Collin Clark Tue, 08/12/2008 - 05:44

What's the point of prioritizing the traffic in the router when it loses all priority beyond that (on the internet)? It's possible to do, but doesn't make much sense. Find out what the real problem the customer is experiencing is and address that.

Hope that helps.

CSCO10758684 Tue, 08/12/2008 - 05:53

Hi,

Thanks for the update. The customer is using site-to-site tunneling (destination hosted in Germany). The concern here is that outgoing and incoming VPN traffic coming to/going from the router has to be given priority; the rest of the traffic has to be given low priority.

Lijesh

NewBloke01 Tue, 08/12/2008 - 06:52

Presumably your customer is selecting interesting traffic to encrypt in the tunnel by an access list that is called by the crypto map. All other traffic needs to be given lower priority, so can you just use QoS to prioritise the same access list that the crypto map uses?

Tim

CSCO10758684 Tue, 08/12/2008 - 07:01

Hi,

Thanks for the input. Can you share a sample configuration for the same? Currently the customer is not using any config in the router. The tunnel is created in Check Point.

The only config is mentioned below; the rest is all common config.

ip classless

ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX

ip http server

ip http access-class 23

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

Lijesh

NewBloke01 Tue, 08/12/2008 - 07:18

Okay,

First you need a crypto map like this:

crypto map MYMAP local-address Loopback0

crypto map MYMAP 1 ipsec-isakmp

description VPN tunnel to Germany

set peer t.t.t.t (the other end of the IPSEC tunnel - public address)

set transform-set ESP-3DES-SHA (or whatever...)

match address Encrypt

Now you need to make an access-list called “Encrypt” and that would look something like this:

ip access-list extended Encrypt

permit ip n.n.n.n 0.0.0.255 y.y.y.y 0.0.0.255

permit ip n.n.n.n 0.0.0.255 z.z.z.z 0.0.0.255

permit ip n.n.n.n 0.0.0.255 x.x.x.x 0.0.0.255

and so on, where n.n.n.n = LAN address

y.y.y.y, z.z.z.z & x.x.x.x = remote networks that need encrypting.

Now this list “Encrypt” can be used to mark traffic for QoS (see the Cisco main site on how to police and mark traffic).

Hope this helps.

Tim
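
An added example, not part of the original posts: with the tunnel terminated on the Check Point as the thread describes, the router sees only ESP and IKE packets between the two gateways, so this sketch classifies those and guarantees them bandwidth on the Internet-facing interface. The names VPN-GW, VPN-TRAFFIC and WAN-OUT, the interface FastEthernet0/0, the placeholder c.c.c.c and the 60 percent figure are assumptions; t.t.t.t is the remote peer as in the post above.

```cisco
! Assumption: c.c.c.c = the Check Point's address as the router sees it on
! the WAN side; t.t.t.t = the remote IPsec peer (public address).
ip access-list extended VPN-GW
 ! ESP (IP protocol 50) carries the encrypted tunnel payload
 permit esp host c.c.c.c host t.t.t.t
 ! IKE negotiation and rekeying
 permit udp host c.c.c.c host t.t.t.t eq 500
 ! NAT-Traversal encapsulation, if the gateways negotiate it
 permit udp host c.c.c.c host t.t.t.t eq 4500
!
class-map match-all VPN-TRAFFIC
 match access-group name VPN-GW
!
policy-map WAN-OUT
 ! Guarantee the tunnel a share of the link under congestion
 ! (60 percent is an illustrative value, not from the thread)
 class VPN-TRAFFIC
  bandwidth percent 60
 ! Everything else shares what is left
 class class-default
  fair-queue
!
! Assumption: FastEthernet0/0 is the Internet-facing interface
interface FastEthernet0/0
 service-policy output WAN-OUT
```

The policy only queues what the router sends toward the Internet; packets arriving from the Internet have already crossed the link. `show policy-map interface FastEthernet0/0` shows per-class counters to confirm that the tunnel traffic is being matched.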

CSCO10758684 Tue, 08/12/2008 - 07:34

Wah,

Great, but a big list... let me have a check... will let you know the status.

Lijesh
