09-27-2010 11:39 PM - edited 03-04-2019 09:55 AM
Hi,
I have a WAN router before the PIX for WAN connectivity. My branch routers send critical applications through an encrypted tunnel directly to the PIX.
I have an intermediate WAN router before the PIX where I want to prioritize my encrypted data. Please let me know whether I can prioritize the encrypted traffic in the WAN router.
I am unable to see the source and destination traffic at the WAN router to prioritize the encrypted traffic with the legacy method.
Thanks.
09-28-2010 04:14 AM
Hi,
You can classify the traffic on the LAN interface before encryption and set the DSCP value. The DSCP will be copied to the ESP or GRE header by default, then you can set your QoS policy based on the DSCP.
HTH,
Lei Tian
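As an added illustration of the approach Lei Tian describes (example configuration written for this thread, not taken from the original post or from Cisco documentation; interface names, addresses, the SAP server subnet and the port range are all assumed): the branch router marks DSCP on its LAN interface before the packet reaches the crypto map, and the intermediate WAN router queues on that DSCP alone, since IOS copies the inner ToS/DSCP byte into the outer ESP header.

```cisco
! --- Branch router: classify and mark on the LAN side, before encryption ---
! Assumed: SAP traffic identified by a hypothetical server subnet and port range.
ip access-list extended SAP-TRAFFIC
 permit tcp any 10.10.20.0 0.0.0.255 range 3200 3299
!
class-map match-all SAP
 match access-group name SAP-TRAFFIC
!
policy-map MARK-LAN-IN
 class SAP
  set dscp af31
 class class-default
  set dscp default
!
interface GigabitEthernet0/1
 description LAN (inside); marking happens here, before the crypto map on the WAN side
 service-policy input MARK-LAN-IN
!
! IPsec copies the inner DSCP into the outer ESP header, so the WAN router
! sees af31 on the encrypted packet without any visibility into the payload.
!
! --- Intermediate WAN router: queue by DSCP only ---
class-map match-all ENCRYPTED-CRITICAL
 match dscp af31
!
policy-map WAN-OUT
 class ENCRYPTED-CRITICAL
  bandwidth percent 30
 class class-default
  fair-queue
!
interface Serial0/0/0
 description WAN link carrying the branch tunnels
 service-policy output WAN-OUT
```

On the WAN router, `show policy-map interface Serial0/0/0` shows per-class packet counters; if the ENCRYPTED-CRITICAL counter stays at zero while the tunnel is busy, the marking is not surviving encryption and the branch-side policy or the DSCP value should be checked first.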
09-28-2010 08:05 AM
If I understand correctly, you'd like to prioritize business-critical traffic on the WAN router that's inside an IPsec tunnel? For example, SAP traffic may be queued more favorably than Exchange traffic?
If this IPsec tunnel is terminated on a downstream PIX, as in the diagram, then the router will have no awareness of the difference between packets within the tunnel. Once the IPsec traffic gets to the router, the layer 4 information isn't visible and it has the same source/destination IP addresses.
If the tunnel termination point is moved to the WAN router, then the technique described by Lei Tian would be optimal. Consider terminating WAN tunnels on routers in order to have dynamic routing and powerful queuing options.
Chris
09-28-2010 10:10 AM
As mentioned in the diagram, the PIX is located on the downstream side. Can we use pre-classify on the PIX, or will we be able to classify ESP packets in the WAN router?
Thanks,
09-28-2010 10:28 AM
What code version are you running on the PIX?
Chris
09-28-2010 10:33 AM
Hi Chris,
It is a PIX 525 and version 7.7 (I need to double check).
Or is it possible to prioritize ESP at the WAN router?
Regards,
Sampath Kumar.
09-28-2010 11:00 AM
PIX/ASA code 7.2 and later supports the following QoS features:
Priority Queue
Shaping
Policing
There are some caveats if this traffic belongs to an IPsec tunnel. This is the 7.2 QoS config guide:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
You may be able to be creative with what's available to achieve your goals. Keep in mind that the single priority queue was specifically designed for voice traffic.
In regard to queuing ESP traffic on the router, this is possible. Tunnel traffic can be queued based on tunnel endpoint addresses; queuing traffic within the tunnel would not be possible. I know the following link is generally not exciting material for humans, but this guide will be very valuable to you. You'll notice how much more powerful a router is in regard to QoS.
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_4/qos_12_4_book.html
There are many folks in this community that are very knowledgeable on the specifics.
Chris
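As an added example of the two options Chris lays out (example configuration written for this thread, not from the original post or from the linked Cisco guides; addresses, interface names and the SAP port range are assumed): with the tunnel still terminating on the PIX, the WAN router can only match the outer header, so it queues ESP by tunnel endpoint addresses; if the tunnel is moved onto the WAN router instead, `qos pre-classify` on the crypto map lets the output policy on the physical interface match the cleartext headers even though the packet leaves encrypted.

```cisco
! --- Option A: tunnel terminates on the PIX, WAN router sees only ESP ---
! Assumed: branch public addresses in 203.0.113.0/24, PIX outside address 198.51.100.10.
! Classification is by endpoint only; nothing inside the tunnel can be distinguished here.
ip access-list extended BRANCH-TUNNELS
 permit esp 203.0.113.0 0.0.0.255 host 198.51.100.10
 permit esp host 198.51.100.10 203.0.113.0 0.0.0.255
 ! IKE (UDP 500) and NAT-T (UDP 4500) keep the tunnel up, so they ride in the same class
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq isakmp
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq non500-isakmp
!
class-map match-all TUNNEL-TO-PIX
 match access-group name BRANCH-TUNNELS
!
policy-map WAN-OUT
 class TUNNEL-TO-PIX
  bandwidth percent 40
 class class-default
  fair-queue
!
interface Serial0/0/0
 description WAN link; apply the same policy on the PIX-facing interface for the reverse direction
 service-policy output WAN-OUT
!
! --- Option B: tunnel moved onto the WAN router ---
! qos pre-classify keeps a copy of the pre-encryption headers for the output
! policy, so a class can match on inner addresses and ports (assumed SAP ports).
ip access-list extended SAP-TRAFFIC
 permit tcp any 10.10.20.0 0.0.0.255 range 3200 3299
!
class-map match-all SAP-INSIDE-TUNNEL
 match access-group name SAP-TRAFFIC
!
policy-map WAN-OUT-PRECLASSIFY
 class SAP-INSIDE-TUNNEL
  bandwidth percent 30
 class class-default
  fair-queue
!
crypto map BRANCH-VPN 10 ipsec-isakmp
 qos pre-classify
!
interface Serial0/0/0
 crypto map BRANCH-VPN
 service-policy output WAN-OUT-PRECLASSIFY
```

Option A gives the tunnels a guaranteed share of the link but cannot favor SAP over Exchange within them; only Option B (or DSCP marking before encryption at the branch) can do that. In either case `show policy-map interface` confirms which class the encrypted packets are actually landing in.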