
How to prioritize my vpn traffic passing through my router

cssam
Level 1

Hi,

I have a WAN router before the PIX for WAN connectivity. My branch routers are sending critical applications through an encrypted tunnel directly to the PIX.

I have an intermediate WAN router before the PIX where I want to prioritize my encrypted data. Please let me know whether I can prioritize the encrypted traffic in the WAN router.

I am unable to see source and destination traffic at the WAN router to prioritize encrypted traffic with the legacy method.

Thanks.

6 Replies

Lei Tian
Cisco Employee

Hi,

You can classify the traffic on the LAN interface before encryption and set the DSCP value. The DSCP will be copied to the ESP or GRE header by default, then you can set your QoS policy based on the DSCP.

HTH,

Lei Tian

If I understand correctly you'd like to prioritize business critical traffic on the WAN router that's inside an IPSEC tunnel?  For example SAP traffic may be queued more favorably than Exchange traffic?

If this IPSEC tunnel is terminated on a downstream PIX such as in the diagram then the router will have no awareness of the difference of packets within the tunnel.  Once the IPSEC traffic gets to the router the layer 4 information isn't visible and has the same source/destination IP addresses.

If the tunnel termination point is moved to the WAN router then the technique described by Lei Tian would be optimal.  Consider terminating WAN tunnels on routers in order to have dynamic routing and powerful queuing options.


Chris

As mentioned in the diagram, the PIX is located on the downstream side. Can we use pre-classify on the PIX, or will we be able to ESP packets in the WAN router to classify it?

Thanks,

What code version are you running on the PIX?

Chris

Hi Chris,

It is a PIX 525, version 7.7 (I need to double check).

Or is it possible to prioritize ESP at the WAN router?

Regards,

Sampath Kumar.

PIX/ASA Code 7.2 and later supports the following QoS features:

Priority Queue
Shaping
Policing

There are some caveats if this traffic belongs to an IPSEC tunnel.  This is the 7.2 QoS config guide:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html

You may be able to be creative with what's available to achieve your goals.  Keep in mind that the single priority queue was specifically designed for voice traffic.

In regard to queuing ESP traffic on the router this is possible.  Tunnel traffic can be queued based on tunnel endpoint addresses; queuing traffic within the tunnel would not be possible.  I know the following link is generally not exciting material for humans; but this guide will be very valuable to you.  You'll notice how much more powerful a router is in regard to QoS.

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_4/qos_12_4_book.html

There are many folks in this community that are very knowledgeable on the specifics.


Chris
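
Added example, not posted by anyone in this thread: a Cisco IOS MQC configuration combining the two approaches from the replies above, marking DSCP on the LAN side of the branch router before encryption, then queuing ESP on the intermediate WAN router by tunnel endpoint addresses and outer-header DSCP. All addresses, interface names, class and policy names, the AF31 marking and the bandwidth percentages are assumptions, and it assumes the encrypting device copies the inner DSCP to the outer header as described in the first reply.

```cisco
! --- Branch router (does the encryption): mark on the LAN side ---
! Constructed values: 10.1.1.0/24 = branch LAN, 10.10.10.5 = critical app server
ip access-list extended CRITICAL-APP
 permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.5
!
class-map match-all CRITICAL-APP
 match access-group name CRITICAL-APP
!
policy-map MARK-LAN-IN
 class CRITICAL-APP
  set dscp af31
!
interface FastEthernet0/0
 description Branch LAN (hypothetical interface)
 service-policy input MARK-LAN-IN
!
! --- Intermediate WAN router: sees only ESP between the tunnel endpoints ---
! Placeholders: 192.0.2.1 = branch tunnel endpoint, 198.51.100.1 = PIX outside
ip access-list extended BRANCH-ESP
 permit esp host 192.0.2.1 host 198.51.100.1
 permit esp host 198.51.100.1 host 192.0.2.1
!
! ESP for this tunnel whose outer header carries the copied AF31 mark
class-map match-all VPN-CRITICAL
 match access-group name BRANCH-ESP
 match dscp af31
! Any other ESP for this tunnel (matched after VPN-CRITICAL in the policy)
class-map match-all VPN-OTHER
 match access-group name BRANCH-ESP
!
policy-map WAN-OUT
 class VPN-CRITICAL
  bandwidth percent 40
 class VPN-OTHER
  bandwidth percent 20
 class class-default
  fair-queue
!
! Apply outbound on the interface where congestion occurs
interface Serial0/0
 description Congested link (hypothetical interface)
 service-policy output WAN-OUT
```

`show policy-map interface Serial0/0` on the WAN router shows per-class packet counters, which confirms whether marked ESP packets are actually landing in VPN-CRITICAL.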
