QoS on internet connection and for IPSEC tunnel

Unanswered Question
Feb 24th, 2009

I have a requirement to configure QoS on an internet link that is limited to 1mbps upload speed. There are remote sites connecting to this HO site that have much larger bandwidth limits so i want to control outbound bandwidth from this site.

As an example I have created a sample configuration below. In the example I have assumed that I will be allocating 256kbps to each IPSEC VPN and 256kbps to http and https traffic.

Is this along the right lines and will I need a class-default class for all other traffic?

Many thanks

class-map match-any HTTP

match access-group HTTP

class-map match-any VPN1

match access-group VPN1

class-map match-any VPN2

match access-group VPN2

policy-map output

class HTTP-TRAFFIC

bandwidth 256

class VPN1

bandwidth 256

class VPN2

bandwidth 256

ip access-list extended VPN1

permit esp host x.x.x.x host y.y.y.y (where x.x.x is my router IP address and y.y.y.y is the vpn peer 1)

ip access-list extended VPN2

permit esp host x.x.x.x host z.z.z.z (where x.x.x is my router IP address and z.z.z.z is the vpn peer 2)

ip access-list extended HTTP

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any eq 80 any

permit tcp any eq 443 any

interface dialer0

service-policy output output

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joseph W. Doherty Wed, 02/25/2009 - 04:12

Unless you physical interface is 1 Mbps, you'll want a "parent" policy shaper to match the downstream bandwidth. (E.g. Ethernet handoff to ADSL.)

e.g.

policy-map limit1mbps

class class-default

shape average 1000000 (or 850000 if you need to account for Ethernet overhead)

service-policy output

Then use the parent policy where you would use your existing policy.

Your child policy could be similar to what you've defined, although using a shaper alone or child policy with just a class-default FQ might suffice too.

BTW: there's always a class-default, it's implicit if you don't define it. However, when working with explict classes, I prefer to explicitly define it as FIFO (no FQ) so I can precisely allocate bandwidth for that class.

Actions

This Discussion