|
Prioritize VPN traffic over http, ftp, etc.
We're running a Cisco 1711 Security Access Router at a corporate
satellite office. We make Nortel and Cisco VPN connections from PCs on our internal network out through the router. These VPN connections are starved when a high bandwidth non-VPN (http, ftp, etc.) download is initiated. Can anyone provide any configuration examples (PQ, LLQ, CBWFQ, single-hop QoS, anything that works!) for identifying and prioritizing VPN traffic over all other traffic? The bottleneck is at the router and I should be able to throttle back all other traffic to allow the VPN traffic through. This is a simple problem with a simple solution but I'm finding with Cisco stuff there's no such thing as a simple solution. Please don't send links to Cisco documentation unless it provides an explicit example applying to VPN traffic (no VoIP, etc.) And don't reply saying that QoS won't do any good because it's not implemented on the open internet because all I need is a single hop solution. I had an OpenBSD machine up and running within a few hours as a bandwidth manager (using the built in packet filter) providing the VPN prioritization we needed. We'd still be using it if it were a little more stable with multiple VPN connections. Thanks in advance... |
Re: Prioritize VPN traffic over http, ftp, etc.
mchadwick@aoainc.com wrote:
> We're running a Cisco 1711 Security Access Router at a corporate > satellite office. We make Nortel and Cisco VPN connections from PCs on > our internal network out through the router. These VPN connections are > starved when a high bandwidth non-VPN (http, ftp, etc.) download is > initiated. > > Can anyone provide any configuration examples (PQ, LLQ, CBWFQ, > single-hop QoS, anything that works!) for identifying and prioritizing > VPN traffic over all other traffic? The bottleneck is at the router and > I should be able to throttle back all other traffic to allow the VPN > traffic through. > > This is a simple problem with a simple solution but I'm finding with > Cisco stuff there's no such thing as a simple solution. Please don't > send links to Cisco documentation unless it provides an explicit > example applying to VPN traffic (no VoIP, etc.) And don't reply saying > that QoS won't do any good because it's not implemented on the open > internet because all I need is a single hop solution. > > I had an OpenBSD machine up and running within a few hours as a > bandwidth manager (using the built in packet filter) providing the VPN > prioritization we needed. We'd still be using it if it were a little > more stable with multiple VPN connections. > > Thanks in advance... > Wow, I think I am going to have to publish a website with some basic qos configurations. There's seems to be a need for it! Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps: 1) create class-maps which define your traffic classes say, class-map match-any VPN match protocol ipsec That is assuming your vpn is ipsec, you can also specifiy an access-list: class-map match-any VPN match ip access-group BLAH Below is the default class. Everything not VPN will automatically go in here. You don't need to explicitly define it, it's automatically there. class-map class-default 2) Create the policy policy-map PRIORITISE-VPN class VPN bandwidth percent 50 class class-default bandwidth percent 25 (This CBWFQ example requires the bandwidth statement be configured under the interface) The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN needs 50% of the interface bw, it will get it. Conversely if it doesn't need it, it will shared amongst the other classes. If VPN needs more than 50% it might also get it, provided the default class doesn't need a huge amount more than it's 25% - but it's not guaranteed. We have only allocated 75% because that's the default amount of bw you are allowed to reserve in a policy. You can change this if you want finer control. 3) Apply the policy to an interface. If you manage the routers at both ends apply the same poilicy outbound on both ends of the point-to-point link. Otherwise you can just double up and apply the same policy inbound and outbound on your 1711 interface ser0 service-policy output PRIORITISE-VPN service-policy input PRIORITISE-VPN Hope this helps, Ben |
Re: Prioritize VPN traffic over http, ftp, etc.
Thank you very much for the reply Ben. Your simple, straight-forward
instructions validated that I was already on the right track. The only thing that didn't work, and it may be a restriction of the 1711, is the policy-map can't be applied to the input of an interface, but all I have to do is apply it to the output of both my external and internal interfaces to acheive the same thing. I think my problem is I'm not classifying the VPN traffic properly. We're using Nortel and Cisco VPN clients which should fall under the 'ipsec' protocol classification but it doesn't seem to be working. The other item I've had difficulty locating is the debug command to monitor the performance of a policy. Maybe I should try classifying all the high bandwidth (http, ftp, etc.) traffic and then let the VPN and whatever is left fall into the 'class-default'. If you have the time, a page with simple instructions and tutorials would probably help a lot of people with these all-in-one routers. The main target audience for these routers, I would guess, is the SOHO crowd who just want to plunk it down as a broadband gateway, spend a couple of hours running through some configuration wizards and be done. We don't want to spend a week or two in classes or wade through a mountain of whitepaper and documentation with very few applicable examples or spend hundreds of dollars to have a Cisco certified engineer to come out and set it up. It seems to me that Cisco doesn't want to cater to this audience because it would circumvent their training/certification, service and paid support mechanism. Sorry for the rant. I'm a software engineer who just wants the thing up and running so I can get back to programming. ;) - Mark Ben wrote: > mchadwick@aoainc.com wrote: > > We're running a Cisco 1711 Security Access Router at a corporate > > satellite office. We make Nortel and Cisco VPN connections from PCs on > > our internal network out through the router. These VPN connections are > > starved when a high bandwidth non-VPN (http, ftp, etc.) download is > > initiated. > > > > Can anyone provide any configuration examples (PQ, LLQ, CBWFQ, > > single-hop QoS, anything that works!) for identifying and prioritizing > > VPN traffic over all other traffic? The bottleneck is at the router and > > I should be able to throttle back all other traffic to allow the VPN > > traffic through. > > > > This is a simple problem with a simple solution but I'm finding with > > Cisco stuff there's no such thing as a simple solution. Please don't > > send links to Cisco documentation unless it provides an explicit > > example applying to VPN traffic (no VoIP, etc.) And don't reply saying > > that QoS won't do any good because it's not implemented on the open > > internet because all I need is a single hop solution. > > > > I had an OpenBSD machine up and running within a few hours as a > > bandwidth manager (using the built in packet filter) providing the VPN > > prioritization we needed. We'd still be using it if it were a little > > more stable with multiple VPN connections. > > > > Thanks in advance... > > > Wow, I think I am going to have to publish a website with some basic qos > configurations. There's seems to be a need for it! > > Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps: > > 1) create class-maps which define your traffic classes > > say, > > class-map match-any VPN > match protocol ipsec > > That is assuming your vpn is ipsec, you can also specifiy an access-list: > > class-map match-any VPN > match ip access-group BLAH > > Below is the default class. Everything not VPN will automatically go in > here. You don't need to explicitly define it, it's automatically there. > > class-map class-default > > 2) Create the policy > > policy-map PRIORITISE-VPN > class VPN > bandwidth percent 50 > class class-default > bandwidth percent 25 > > (This CBWFQ example requires the bandwidth statement be configured under > the interface) > > The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN > needs 50% of the interface bw, it will get it. Conversely if it doesn't > need it, it will shared amongst the other classes. If VPN needs more > than 50% it might also get it, provided the default class doesn't need a > huge amount more than it's 25% - but it's not guaranteed. > > We have only allocated 75% because that's the default amount of bw you > are allowed to reserve in a policy. You can change this if you want > finer control. > > 3) Apply the policy to an interface. > > If you manage the routers at both ends apply the same poilicy outbound > on both ends of the point-to-point link. Otherwise you can just double > up and apply the same policy inbound and outbound on your 1711 > > interface ser0 > service-policy output PRIORITISE-VPN > service-policy input PRIORITISE-VPN > > > Hope this helps, > > Ben |
Re: Prioritize VPN traffic over http, ftp, etc.
mchadwick@aoainc.com wrote:
> Thank you very much for the reply Ben. Your simple, straight-forward > instructions validated that I was already on the right track. The only > thing that didn't work, and it may be a restriction of the 1711, is the > policy-map can't be applied to the input of an interface, but all I > have to do is apply it to the output of both my external and internal > interfaces to acheive the same thing. I think my problem is I'm not > classifying the VPN traffic properly. We're using Nortel and Cisco VPN > clients which should fall under the 'ipsec' protocol classification but > it doesn't seem to be working. The other item I've had difficulty > locating is the debug command to monitor the performance of a policy. > Maybe I should try classifying all the high bandwidth (http, ftp, etc.) > traffic and then let the VPN and whatever is left fall into the > 'class-default'. > > If you have the time, a page with simple instructions and tutorials > would probably help a lot of people with these all-in-one routers. The > main target audience for these routers, I would guess, is the SOHO > crowd who just want to plunk it down as a broadband gateway, spend a > couple of hours running through some configuration wizards and be done. > We don't want to spend a week or two in classes or wade through a > mountain of whitepaper and documentation with very few applicable > examples or spend hundreds of dollars to have a Cisco certified > engineer to come out and set it up. It seems to me that Cisco doesn't > want to cater to this audience because it would circumvent their > training/certification, service and paid support mechanism. > > Sorry for the rant. I'm a software engineer who just wants the thing up > and running so I can get back to programming. ;) > > - Mark > > Ben wrote: > >>mchadwick@aoainc.com wrote: >> >>>We're running a Cisco 1711 Security Access Router at a corporate >>>satellite office. We make Nortel and Cisco VPN connections from PCs > > on > >>>our internal network out through the router. These VPN connections > > are > >>>starved when a high bandwidth non-VPN (http, ftp, etc.) download is >>>initiated. >>> >>>Can anyone provide any configuration examples (PQ, LLQ, CBWFQ, >>>single-hop QoS, anything that works!) for identifying and > > prioritizing > >>>VPN traffic over all other traffic? The bottleneck is at the router > > and > >>>I should be able to throttle back all other traffic to allow the > > VPN > >>>traffic through. >>> >>>This is a simple problem with a simple solution but I'm finding > > with > >>>Cisco stuff there's no such thing as a simple solution. Please > > don't > >>>send links to Cisco documentation unless it provides an explicit >>>example applying to VPN traffic (no VoIP, etc.) And don't reply > > saying > >>>that QoS won't do any good because it's not implemented on the open >>>internet because all I need is a single hop solution. >>> >>>I had an OpenBSD machine up and running within a few hours as a >>>bandwidth manager (using the built in packet filter) providing the > > VPN > >>>prioritization we needed. We'd still be using it if it were a > > little > >>>more stable with multiple VPN connections. >>> >>>Thanks in advance... >>> >> >>Wow, I think I am going to have to publish a website with some basic > > qos > >>configurations. There's seems to be a need for it! >> >>Ok, there is a simple way to do this. As per most cisco qos, it's 3 > > steps: > >>1) create class-maps which define your traffic classes >> >>say, >> >>class-map match-any VPN >> match protocol ipsec >> >>That is assuming your vpn is ipsec, you can also specifiy an > > access-list: > >>class-map match-any VPN >> match ip access-group BLAH >> >>Below is the default class. Everything not VPN will automatically go > > in > >>here. You don't need to explicitly define it, it's automatically > > there. > >>class-map class-default >> >>2) Create the policy >> >>policy-map PRIORITISE-VPN >> class VPN >> bandwidth percent 50 >> class class-default >> bandwidth percent 25 >> >>(This CBWFQ example requires the bandwidth statement be configured > > under > >>the interface) >> >>The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if > > VPN > >>needs 50% of the interface bw, it will get it. Conversely if it > > doesn't > >>need it, it will shared amongst the other classes. If VPN needs more >>than 50% it might also get it, provided the default class doesn't > > need a > >>huge amount more than it's 25% - but it's not guaranteed. >> >>We have only allocated 75% because that's the default amount of bw > > you > >>are allowed to reserve in a policy. You can change this if you want >>finer control. >> >>3) Apply the policy to an interface. >> >>If you manage the routers at both ends apply the same poilicy > > outbound > >>on both ends of the point-to-point link. Otherwise you can just > > double > >>up and apply the same policy inbound and outbound on your 1711 >> >>interface ser0 >> service-policy output PRIORITISE-VPN >> service-policy input PRIORITISE-VPN >> >> >>Hope this helps, >> >>Ben > > Hi Michael, No problem. Sorry overlooked the fact that CBWFQ is only meaningful in the outbound direction, but you have it working now. Regarding classifying your VPN traffic, it may help to do some packet sniffing on the vpn client (I use ethereal myself) or 'debug ip packet' on the router to see exactly what the VPN traffic is. It's probably better to be explicit about the traffic you want to give a higher qos to, since anything can end up in that default queue. Re: debugs, I have actually never had to debug a policy so not sure if the option is there. Usually 'show policy interface' or 'show queueing interface' has enough information for me (not sure if you're aware of these commands) Totally agree with you on the Cisco documentation. I have actually put together a first draft of a HOWTO. Check it out and let me know if you think it's heading in the right direction. http://www.bencarbery.com/qos/ Ben |
Another option to classify VPN traffic
Just came accross this thread...The config provided is pretty good.
Another way to classify VPN traffic would be to use an access list to catch the headers i.e; AH and ESP (depending on which one you are using) access-list 110 permit ah any any access-list 110 permit esp any any class-map CATCH_VPN match access-group 110 policy-map RESERVE_BANDWIDTH class CATCH_VPN bandwidth percent 40 |
QoS?
Hey,
This is the first thread I have been able to find for a while about QoS and configuration that has been helpful. Can you post how I can create a catch for a specific host? I want to be able to allow traffic from a specific host to be given the highest priority. I was thinking of allowing 50% for two different hosts. 192.168.4.128 /24 192.168.0.1 /24 And then allow all other traffic on fair weighted queuing. Thanks, Ryan |
Hey Ben,
This was informative but i cannot access the your site ?please advise |
| All times are GMT. The time now is 05:24 PM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.