Re: QoS for VPN traffic (IOS 12.4(11)T)?

simon · ‎12-15-2006

Hi,

I'm running IOS 12.4(11)T on my 2610XM 32/128. The router is doing NAT, firewalling and acting as vpn server. I'm running the new zone-based policy firewall feature. My brother is using the Cisco VPN client to connect to my network.

I've only an 3072/512 ADSL line with one dynamic ip address. So, I wonder if I can do any type of QoS for the VPN traffic. As my upload is limited, I want to limit it. Can I do this? Which QoS implementation should I use in my environment?

Thanks for your help.

kamal-learn · ‎12-15-2006

hi simon@home

to implement QOS you nedd to classify your traffic into classes, and give it an amount of bandwidth.

(assuming you dont need in your case a marking, and a congestion avoidance mechanism)so when it comes to applying QOS on tunneled traffic ,a traffic that is encapsulated within another such ipsec in general the solution deponds on what kind of information you wanna classify your traffic by,so if you wanna classify your traffic by the marked values such as ip prece dscp, the chalenge here is that all that marking is in the TOS field of the packet s header which is hidden, encapsulated, and may be encrypted the good news is the ios copy the TOS field of the encapsulated packet into the TOS field of the encapsulating packet,if you want you can classify based on the TOS since you dont use marking in your network this will not work for you.

how you can do if you need to classify your traffic based on for example destination port, ip addresses, those information are hidden , encrypted and the ios does not do anything automaticaly here you can perform a (QOS PRE-CLASSIFY) commad under the crypto- map this command will keep a copy of the packet before it enter the tunnel hence you still have a chance to classify it based on other thing than the TOS.

(the discussion above clarify the problems and the solutions in the case of a tunnel that is crossed by differents type of tunneled traffics and you want to prioritize some of them )

so try this :

class match-all vpn-traffic

match protocol ipsec (if you are using ipsec)

or

match access-group 101

policy-map vpn-policy

class vpn-traffic

bandwidth percent xx

access-list 101 permit ip any your-brother-ip-address

crypto-map

.

qos pre-classify

interface ethernet 0 <---- internet

service-policy output vpn-policy

show policy interface ethernet 0 to check!

Good luck

HTH

PLEASE DO RATE THE POST IF IT HELPS

simon · ‎12-16-2006

hi kamal-learn,

thanks for your explenation! I've tried to edit my config as you suggested. Where do I have to add this:

crypto-map

.

qos pre-classify

I've configured it without these options and got this error when I try to verify my config on dialer1:

Class Based Weighted Fair Queueing will be applied only to the Virtual-Access in

terfaces associated with an MLP bundle.

My brother uses the Cisco VPN client to dial in, so he has no static ip. I've also no static ip. I'm using PPPoE on my ADSL connection.

kamal-learn · ‎12-16-2006

hi

you ve said that you brother is goin to use VPN to access your network , so your router must terminate this VPN tunnel, which mean that you have configured that on your router whitch mean that you have already crypto-map over there in the case of IPSEC!!!

so try to provide us with your config so that we can see that all together.

thanks

simon · ‎12-17-2006

Ok, here's my config. The ACL for incoming VPN traffic isn't edited yet, so it's still running permitting any trafic.

I've added the config as attachment.

simon · ‎12-22-2006

Nobody?

kamal-learn · ‎12-22-2006

hi

as i mentionned in my last post classifying use marking will not work here since your traffioc is not marked but i suggest the use (QOS preclassify) i think will work so go under (crypto dynamic-map vpn_cmap 1) and check if you are allowed to use this command use the question mark ? under that mode if you find it go ahead and add it (QOS PRECLASSIFY).

what happend at that moment every packets

before it hits the ipsec tunnel the IOS will keep a copy of it so that you can do your QOS on the original packet so you need as i mentionned in the above post to create (classes ) using class-map and policy using

policy-map to assign bandwidth and apply the policy to your outbound interface dialer1 [service-policy outbound (TEST-policy)]

i hope it works

HTH

PLS do rate if it does help

simon · ‎12-23-2006

Ok, I've tried this:

class match-all vpn-traffic

match protocol ipsec

policy-map vpn-policy

class vpn-traffic

bandwidth percent 50

crypto dynamic-map vpn_cmap 1

qos pre-classify

int dialer1

service-policy output vpn-policy

The itnerface goes down, and is going up with this error:

Class Based Weighted Fair Queueing will be applied only to the Virtual-Access in

terfaces associated with an MLP bundle.

Hmm, I think I'll have to use another type of QoS in my environment?

kamal-learn · ‎12-23-2006

Hmmm, yes sure use another type of QOS

do rate if it brings some knowledges

simon · ‎12-24-2006

Hmm, I found it in the QoS documentation:

CBWFQ is not supported on Ethernet subinterfaces.

simon · ‎12-24-2006

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfgts.htm#wp1000982

Genereic Traffic Shaping should be working, but I can't enable it on dialer1, only on my ethernet interface. Hmm, I didn't know, that Cisco QoS for a PPPoE connection could be that hard to configure....

simon · ‎01-06-2007

What do you recommand on my config?

tcottrell · ‎01-08-2007

qos-preclassify specifies that QOS is applied before the vpn connection. Simply enable your own trusty class-maps for rtp and your signalling (h323, mgcp, or skinny) and you should be fine.