How to prioritize VPN traffic in Cisco router

CSCO10758684
Level 1

Hi,

One of the customers has put in a request. The customer wants to prioritize his VPN traffic in the router; the topology is like this:

Internet RTR === Checkpoint == Cstmr LAN

The customer is using IPsec on the Check Point. Is it possible to prioritize the VPN traffic in the router (Cisco 1800 series)? Please share your input and also the commands to do the same.

Thanks in advance

Lijesh

6 Replies

Collin Clark
VIP Alumni

What's the point of prioritizing the traffic in the router when it loses all priority beyond that (on the internet)? It's possible to do, but doesn't make much sense. Find out what the real problem the customer is experiencing and address that.

Hope that helps.

Hi,

Thanks for the update. The customer is using site-to-site tunneling (the destination is hosted in Germany). The concern here is that outgoing and incoming VPN traffic coming to / going from the router has to be given priority, and the rest of the traffic has to be given low priority.

Lijesh

Presumably your customer is selecting interesting traffic to encrypt in the tunnel by an access list that is called by the crypto map. All other traffic needs to be given lower priority, so can you just use QoS to prioritise the same access list that the crypto map uses?

Tim

Hi,

Thanks for the input. Can you share a sample configuration for the same? Currently the customer is not using any config in the router; the tunnel is created in the Check Point.

The only config is mentioned below; the rest is all common config:

ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000

Lijesh

Okay,

First you need a crypto map like this:

crypto map MYMAP local-address Loopback0
crypto map MYMAP 1 ipsec-isakmp
 description VPN tunnel to Germany
 set peer t.t.t.t (the other end of the IPSEC tunnel - public address)
 set transform-set ESP-3DES-SHA (or whatever...)
 match address Encrypt

Now you need to make an access-list called "Encrypt" and that would look something like this:

ip access-list extended Encrypt
 permit ip n.n.n.n 0.0.0.255 y.y.y.y 0.0.0.255
 permit ip n.n.n.n 0.0.0.255 z.z.z.z 0.0.0.255
 permit ip n.n.n.n 0.0.0.255 x.x.x.x 0.0.0.255

and so on, where n.n.n.n = LAN address and y.y.y.y, z.z.z.z & x.x.x.x = remote networks that need encrypting.

Now this list “Encrypt” can be used to mark traffic for QoS (see cisco main site on how to police and mark traffic.)

Hope this helps.

Tim
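As an added example (not Tim's configuration or anything from the thread), this is the MQC side that the post above leaves to "the Cisco main site": a class-map that reuses the crypto map's Encrypt access list, a policy-map that gives that class a bounded priority queue, and a parent shaper applied outbound on the WAN interface. All addresses, interface names and rates are placeholders. Because in the customer's topology the tunnel terminates on the Check Point rather than on the router, the router only ever sees the encrypted ESP and IKE packets; the second, alternative class shows the access list that matches those flows instead, with an assumed Check Point public address and peer address.

```cisco
! Added example: prioritize IPsec VPN traffic outbound on a Cisco 1800 series router.
! Placeholders: 2 Mbit/s upstream, FastEthernet0 as uplink, 203.0.113.10 = Check Point
! public address, 198.51.100.20 = remote peer (all constructed for illustration).
!
! Option A: the router itself terminates the tunnel, so the cleartext flows are
! visible and the same ACL the crypto map calls ("match address Encrypt") can be reused.
class-map match-all VPN-CLEARTEXT
 match access-group name Encrypt
!
! Option B: the tunnel terminates on the Check Point behind the router, so only
! ESP (IP protocol 50) and IKE (UDP 500, or UDP 4500 with NAT-T) reach the router.
ip access-list extended VPN-ENCRYPTED
 permit esp host 203.0.113.10 host 198.51.100.20
 permit udp host 203.0.113.10 host 198.51.100.20 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.20 eq non500-isakmp
!
class-map match-any VPN-TRAFFIC
 match class-map VPN-CLEARTEXT
 match access-group name VPN-ENCRYPTED
!
! Child policy: VPN gets a strict-priority queue capped at 40% of the shaped rate,
! so it is served first under congestion but cannot starve everything else.
! Marking with DSCP AF41 only carries meaning inside this router's own queues;
! the ISP is free to ignore or rewrite it, which is why inbound cannot be prioritized here.
policy-map VPN-OUT
 class VPN-TRAFFIC
  priority percent 40
  set dscp af41
 class class-default
  fair-queue
!
! Parent policy: shape to the real upstream rate so congestion (and therefore
! queueing) happens on this router, where the policy can act, not at the provider.
policy-map SHAPE-WAN
 class class-default
  shape average 2000000
  service-policy VPN-OUT
!
interface FastEthernet0
 description Internet uplink
 service-policy output SHAPE-WAN
!
! Verify that the VPN class is actually seeing matches and whether it is being
! policed back to its cap:
!   show policy-map interface FastEthernet0
!   show class-map VPN-TRAFFIC
```

The shaper rate should be set slightly below the actual provider upstream, otherwise packets queue in the modem or at the ISP and the priority queue never engages. This only affects the outgoing direction; as Collin pointed out earlier in the thread, traffic arriving from the internet has already crossed the congested links before the router can act on it.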

Wah,

Great, but a big list. Let me have a check; I will let you know the status.

Lijesh
