08-12-2008 05:39 AM - edited 03-03-2019 11:07 PM
Hi,
One of the customers has put in a request. The customer wants to prioritize his VPN traffic in the router; the topology is like this:
Internet RTR === Checkpoint == Cstmr LAN
The customer is using IPSEC in Checkpoint. Is it possible to prioritize the VPN traffic in the router (Cisco 1800 series)? Please share the input, and also the commands to do the same.
thanks in Advance
Lijesh
08-12-2008 05:44 AM
What's the point of prioritizing the traffic in the router when it loses all priority beyond that (on the internet)? It's possible to do, but doesn't make much sense. Find out what the real problem the customer is experiencing and address that.
Hope that helps.
08-12-2008 05:53 AM
Hi,
Thanks for the update. The customer is using site-to-site tunneling (destination hosted in Germany). The concern here is that outgoing and incoming VPN traffic coming to/going from the router has to be given priority; the rest of the traffic has to be given low priority.
Lijesh
08-12-2008 06:52 AM
Presumably your customer is selecting interesting traffic to encrypt in the tunnel by an access list that is called by the crypto map. All other traffic needs to be given lower priority, so can you just use QoS to prioritise the same access list that the crypto map uses?
Tim
08-12-2008 07:01 AM
Hi,
Thanks for the input. Can you share a sample configuration for the same? Currently the customer is not using any config in the router; the tunnel is created in Checkpoint.
The only config is mentioned below; the rest is all common config:
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
Lijesh
08-12-2008 07:18 AM
Okay,
First you need a crypto map like this:
crypto map MYMAP local-address Loopback0
crypto map MYMAP 1 ipsec-isakmp
description VPN tunnel to Germany
set peer t.t.t.t (the other end of the IPSEC tunnel - public address)
set transform-set ESP-3DES-SHA (or whatever...)
match address Encrypt
Now you need to make an access-list called "Encrypt" and that would look something like this:
ip access-list extended Encrypt
permit ip n.n.n.n 0.0.0.255 y.y.y.y 0.0.0.255
permit ip n.n.n.n 0.0.0.255 z.z.z.z 0.0.0.255
permit ip n.n.n.n 0.0.0.255 x.x.x.x 0.0.0.255
and so on, where n.n.n.n = LAN address
y.y.y.y, z.z.z.z & x.x.x.x = remote networks that need encrypting.
Now this list "Encrypt" can be used to mark traffic for QoS (see the Cisco main site on how to police and mark traffic).
Hope this helps.
Tim
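The following is an added worked example of the QoS step Tim refers to; it is not configuration from this thread or from the customer. One caveat it accounts for: in the topology above the Checkpoint terminates the IPsec tunnel, so the Cisco 1800 never sees the inner LAN/remote-network addresses that the "Encrypt" list matches. What it sees on the Internet side is ESP (IP protocol 50) and IKE (UDP 500, or UDP 4500 with NAT-T) between the Checkpoint's public address and the German peer, so that is what the class has to match. The addresses, interface name and uplink speed below are assumptions chosen for the example.

```cisco
! Added example (not from the thread): give IPsec traffic from the Checkpoint
! a strict-priority queue on the router's Internet-facing interface.
! Assumptions: Checkpoint public IP 198.51.100.10, German peer 203.0.113.20,
! WAN interface FastEthernet0/0, WAN uplink 2048 kbit/s.
!
! Match only the encrypted tunnel and its keying traffic, not inner addresses,
! because the router is not the crypto endpoint in this topology.
ip access-list extended VPN-TRAFFIC
 permit esp host 198.51.100.10 host 203.0.113.20
 permit udp host 198.51.100.10 host 203.0.113.20 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.20 eq non500-isakmp
!
class-map match-any VPN-CLASS
 match access-group name VPN-TRAFFIC
!
! LLQ: the VPN class gets a priority queue policed to 50% of the interface
! bandwidth; everything else shares the remaining capacity fairly.
policy-map WAN-OUT
 class VPN-CLASS
  priority percent 50
  set dscp ef
 class class-default
  fair-queue
!
! "bandwidth" tells the policy what 50% means; it does not change link speed.
interface FastEthernet0/0
 bandwidth 2048
 service-policy output WAN-OUT
```

This only orders packets leaving the router towards the Internet during congestion on that link; it cannot prioritize traffic arriving from the ISP, which has already been queued upstream, and the DSCP marking is honoured by the ISP only if they have agreed to carry it. Confirm the class is actually catching traffic with "show policy-map interface FastEthernet0/0" before assuming the priority queue is in effect.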
08-12-2008 07:34 AM
Wah,
Great, but a big list. Let me have a check; will let you know the status.
Lijesh