I have a DSL router connected to a central site via a GRE tunnel. The tunnel is encrypted by IPSEC and works fine.
- cisco 836 IOS version c836-k9o3s8y6-mz.123-2.XA6.bin
- DSL 7550kbps/864kbps
- ipsec encrypted gre tunnel
- ipsec tunnel mode
I'm trying to implement QoS. The configuration is rather straightforward.
- class-maps for voip and citrix
- policy-map - child and parent; with LLQ and CBWFQ; class based shaping
- qos pre-classify to classify packets prior to encryption
- crypto commands to prevent fragmentation after encryption
- expanded anti replay window
- output service-policy on tunnel interface
Two things don't work however.
- 'shape average' command for policy-map. I can enter it but it doesn't show up in the configuration and no error message appears.
- 'service-policy output parent' command on interface tunnel0. I can enter it but it doesn't show up in the configuration. Sometimes it says ' CBWFQ : Hierarchy supported only if shaping is configured in this class'. That's obvious because the 'shape average 400000' won't stick. Funny thing however is that I do not get the error message when I enter the 'shape average' command in the policy-map first. But still they both won't show up.
And the net result is that there is no active policy on the interface:
Policy Map parent
Policy Map child
Bandwidth 30 (%)
Bandwidth 500 (kbps) Max Threshold 64 (packets)
Flow based Fair Queueing
Bandwidth 0 (kbps) Max Threshold 64 (packets)
set dscp default
Also tried other IOS versions. Same result. Anyone got a clue what's going wrong here?
The parent policy is shaping at 400 Kbps but the child has a (Citrix) class with 500 Kbps?
CBWFQ is sensitive to interface bandwidth, you might try defining a bandwidth on the tunnel to a virtual 1 Mbps or so. (BTW: sometimes CBWFQ will place errors in the log not seen at the command line.)
You might also consider using the policy on the outbound physical interface. Amend the parent to only apply to the tunnel traffic and use DSCP markings, copied to the encrypted packet's header, for VoIP and Citrix traffic.
You might also consider, if available, using NBAR to match Citrix.
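A configuration sketch of the first two suggestions in the reply above, added here as an example and not posted by anyone in the thread: the child classes are sized to fit under the 400 kbps parent shaper, and the tunnel is given an explicit bandwidth for CBWFQ to work against. The class-maps voip and citrix are assumed to be the poster's existing ones; the 120 and 160 kbps rates and the 1000 kbps tunnel bandwidth are constructed values, and the thread does not confirm that this IOS image accepts the result.

```cisco
! Child policy: LLQ for voice, CBWFQ for Citrix.
! 120 + 160 = 280 kbps, which stays below the 400 kbps parent shaper
! (the original child reserved 500 kbps for Citrix alone).
policy-map child
 class voip
  priority 120
 class citrix
  bandwidth 160
 class class-default
  fair-queue
!
! Parent policy: shape all tunnel traffic, then queue inside the shaper.
! The shape command must be present in the class before the child
! policy is attached, which is what the CBWFQ hierarchy message refers to.
policy-map parent
 class class-default
  shape average 400000
  service-policy child
!
! Tunnel interface: declare a bandwidth so CBWFQ has a reference rate,
! keep pre-classification so matching happens before encryption.
interface Tunnel0
 bandwidth 1000
 qos pre-classify
 service-policy output parent
```

After applying, 'show policy-map interface Tunnel0' shows whether the policy actually attached, and 'show logging' catches any CBWFQ errors that did not appear at the command line.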