12-15-2006 10:00 AM - edited 03-03-2019 03:03 PM
Hi,
I'm running IOS 12.4(11)T on my 2610XM 32/128. The router is doing NAT, firewalling and acting as vpn server. I'm running the new zone-based policy firewall feature. My brother is using the Cisco VPN client to connect to my network.
I've only a 3072/512 ADSL line with one dynamic ip address. So, I wonder if I can do any type of QoS for the VPN traffic. As my upload is limited, I want to limit it. Can I do this? Which QoS implementation should I use in my environment?
Thanks for your help.
12-15-2006 06:05 PM
hi simon@home
to implement QOS you need to classify your traffic into classes, and give it an amount of bandwidth.
(assuming you dont need in your case a marking, and a congestion avoidance mechanism) so when it comes to applying QOS on tunneled traffic, a traffic that is encapsulated within another such as ipsec, in general the solution depends on what kind of information you wanna classify your traffic by. so if you wanna classify your traffic by the marked values such as ip precedence, dscp, the challenge here is that all that marking is in the TOS field of the packet's header which is hidden, encapsulated, and may be encrypted. the good news is the ios copies the TOS field of the encapsulated packet into the TOS field of the encapsulating packet, so if you want you can classify based on the TOS. since you dont use marking in your network this will not work for you.
how you can do if you need to classify your traffic based on for example destination port, ip addresses: those information are hidden, encrypted and the ios does not do anything automatically here. you can perform a (QOS PRE-CLASSIFY) command under the crypto-map. this command will keep a copy of the packet before it enters the tunnel hence you still have a chance to classify it based on other things than the TOS.
(the discussion above clarifies the problems and the solutions in the case of a tunnel that is crossed by different types of tunneled traffic and you want to prioritize some of them)
so try this :
class-map match-all vpn-traffic
match protocol ipsec (if you are using ipsec)
or
match access-group 101
policy-map vpn-policy
class vpn-traffic
bandwidth percent xx
access-list 101 permit ip any your-brother-ip-address
crypto-map
.
.
.
qos pre-classify
interface ethernet 0 <---- internet
service-policy output vpn-policy
show policy-map interface ethernet 0 to check!
Good luck
HTH
PLEASE DO RATE THE POST IF IT HELPS
12-16-2006 03:40 PM
hi kamal-learn,
thanks for your explanation! I've tried to edit my config as you suggested. Where do I have to add this:
crypto-map
.
.
.
qos pre-classify
I've configured it without these options and got this error when I try to verify my config on dialer1:
Class Based Weighted Fair Queueing will be applied only to the Virtual-Access interfaces associated with an MLP bundle.
My brother uses the Cisco VPN client to dial in, so he has no static ip. I've also no static ip. I'm using PPPoE on my ADSL connection.
12-16-2006 05:09 PM
hi
you've said that your brother is going to use VPN to access your network, so your router must terminate this VPN tunnel, which means that you have configured that on your router, which means that you already have a crypto-map over there in the case of IPSEC!!!
so try to provide us with your config so that we can see that all together.
thanks
12-17-2006 12:28 AM
12-22-2006 06:01 AM
Nobody?
12-22-2006 06:51 AM
hi
as i mentioned in my last post, classifying using marking will not work here since your traffic is not marked, but i suggest the use of (QOS preclassify), i think it will work. so go under (crypto dynamic-map vpn_cmap 1) and check if you are allowed to use this command: use the question mark ? under that mode. if you find it, go ahead and add it (QOS PRECLASSIFY).
what happens at that moment: for every packet, before it hits the ipsec tunnel the IOS will keep a copy of it so that you can do your QOS on the original packet. so you need, as i mentioned in the above post, to create (classes) using class-map and a policy using
policy-map to assign bandwidth, and apply the policy to your outbound interface dialer1 [service-policy output (TEST-policy)]
i hope it works
HTH
PLS do rate if it does help
12-23-2006 08:07 AM
Ok, I've tried this:
class-map match-all vpn-traffic
match protocol ipsec
policy-map vpn-policy
class vpn-traffic
bandwidth percent 50
crypto dynamic-map vpn_cmap 1
qos pre-classify
int dialer1
service-policy output vpn-policy
The interface goes down, and is going up with this error:
Class Based Weighted Fair Queueing will be applied only to the Virtual-Access interfaces associated with an MLP bundle.
Hmm, I think I'll have to use another type of QoS in my environment?
12-23-2006 11:52 AM
Hmmm, yes sure use another type of QOS
do rate if it brings some knowledge
12-24-2006 02:58 AM
Hmm, I found it in the QoS documentation:
CBWFQ is not supported on Ethernet subinterfaces.
12-24-2006 03:33 AM
Generic Traffic Shaping should be working, but I can't enable it on dialer1, only on my ethernet interface. Hmm, I didn't know that Cisco QoS for a PPPoE connection could be that hard to configure....
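An added configuration example (mine, not posted by anyone in this thread) of the policy shape that IOS accepts on a Dialer/PPPoE interface where a plain CBWFQ policy is refused: a parent policy that shapes class-default to just under the 512 kbps uplink, with the bandwidth-guarantee policy nested as its child, and qos pre-classify on the dynamic crypto map so the ACL class sees the cleartext packet. The VPN client pool 10.10.10.0/24, the policy names, the 460000 bps shape rate and the crypto dynamic-map name from the thread are assumptions for your own config.

```cisco
! Added example, not from the thread. Assumptions: VPN client address pool is
! 10.10.10.0/24 (placeholder), the dynamic crypto map is vpn_cmap 1 as in the
! thread, and the uplink is shaped to 460 kbps, just under the 512 kbps ADSL upstream.
access-list 101 remark cleartext packets headed for the VPN client pool
access-list 101 permit ip any 10.10.10.0 0.0.0.255
!
class-map match-all VPN-TRAFFIC
 match access-group 101
!
! child policy: the CBWFQ guarantee, which is only accepted inside a shaped parent on Dialer1
policy-map VPN-CHILD
 class VPN-TRAFFIC
  bandwidth percent 50
 class class-default
  fair-queue
!
! parent policy: shape all of Dialer1's output so the router, not the DSL modem, owns the queue
policy-map SHAPE-UPLINK
 class class-default
  shape average 460000
  service-policy VPN-CHILD
!
! classify on the copy taken before IPsec hides the inner header (check with ? that this mode accepts it)
crypto dynamic-map vpn_cmap 1
 qos pre-classify
!
interface Dialer1
 service-policy output SHAPE-UPLINK
!
! verify with: show policy-map interface Dialer1
```

If the packets you want to prioritise are the encrypted ESP packets themselves rather than the cleartext behind them, drop qos pre-classify and match the outer header instead, since with pre-classify the class is evaluated against the unencrypted copy.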
01-06-2007 02:45 AM
What do you recommend on my config?
01-08-2007 03:21 AM
qos-preclassify specifies that QOS is applied before the vpn connection. Simply enable your own trusty class-maps for rtp and your signalling (h323, mgcp, or skinny) and you should be fine.