Prioritize VPN traffic over http, ftp, etc.

Discussion in 'Cisco' started by mchadwick@aoainc.com, Dec 22, 2004.

  1. Guest

    We're running a Cisco 1711 Security Access Router at a corporate
    satellite office. We make Nortel and Cisco VPN connections from PCs on
    our internal network out through the router. These VPN connections are
    starved when a high bandwidth non-VPN (http, ftp, etc.) download is
    initiated.

    Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
    single-hop QoS, anything that works!) for identifying and prioritizing
    VPN traffic over all other traffic? The bottleneck is at the router and
    I should be able to throttle back all other traffic to allow the VPN
    traffic through.

    This is a simple problem with a simple solution but I'm finding with
    Cisco stuff there's no such thing as a simple solution. Please don't
    send links to Cisco documentation unless it provides an explicit
    example applying to VPN traffic (no VoIP, etc.) And don't reply saying
    that QoS won't do any good because it's not implemented on the open
    internet because all I need is a single hop solution.

    I had an OpenBSD machine up and running within a few hours as a
    bandwidth manager (using the built in packet filter) providing the VPN
    prioritization we needed. We'd still be using it if it were a little
    more stable with multiple VPN connections.

    Thanks in advance...
    , Dec 22, 2004
    #1
    1. Advertising

  2. Ben Guest

    wrote:
    > We're running a Cisco 1711 Security Access Router at a corporate
    > satellite office. We make Nortel and Cisco VPN connections from PCs on
    > our internal network out through the router. These VPN connections are
    > starved when a high bandwidth non-VPN (http, ftp, etc.) download is
    > initiated.
    >
    > Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
    > single-hop QoS, anything that works!) for identifying and prioritizing
    > VPN traffic over all other traffic? The bottleneck is at the router and
    > I should be able to throttle back all other traffic to allow the VPN
    > traffic through.
    >
    > This is a simple problem with a simple solution but I'm finding with
    > Cisco stuff there's no such thing as a simple solution. Please don't
    > send links to Cisco documentation unless it provides an explicit
    > example applying to VPN traffic (no VoIP, etc.) And don't reply saying
    > that QoS won't do any good because it's not implemented on the open
    > internet because all I need is a single hop solution.
    >
    > I had an OpenBSD machine up and running within a few hours as a
    > bandwidth manager (using the built in packet filter) providing the VPN
    > prioritization we needed. We'd still be using it if it were a little
    > more stable with multiple VPN connections.
    >
    > Thanks in advance...
    >

    Wow, I think I am going to have to publish a website with some basic qos
    configurations. There's seems to be a need for it!

    Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps:

    1) create class-maps which define your traffic classes

    say,

    class-map match-any VPN
    match protocol ipsec

    That is assuming your vpn is ipsec, you can also specifiy an access-list:

    class-map match-any VPN
    match ip access-group BLAH

    Below is the default class. Everything not VPN will automatically go in
    here. You don't need to explicitly define it, it's automatically there.

    class-map class-default

    2) Create the policy

    policy-map PRIORITISE-VPN
    class VPN
    bandwidth percent 50
    class class-default
    bandwidth percent 25

    (This CBWFQ example requires the bandwidth statement be configured under
    the interface)

    The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN
    needs 50% of the interface bw, it will get it. Conversely if it doesn't
    need it, it will shared amongst the other classes. If VPN needs more
    than 50% it might also get it, provided the default class doesn't need a
    huge amount more than it's 25% - but it's not guaranteed.

    We have only allocated 75% because that's the default amount of bw you
    are allowed to reserve in a policy. You can change this if you want
    finer control.

    3) Apply the policy to an interface.

    If you manage the routers at both ends apply the same poilicy outbound
    on both ends of the point-to-point link. Otherwise you can just double
    up and apply the same policy inbound and outbound on your 1711

    interface ser0
    service-policy output PRIORITISE-VPN
    service-policy input PRIORITISE-VPN


    Hope this helps,

    Ben
    Ben, Dec 23, 2004
    #2
    1. Advertising

  3. Guest

    Thank you very much for the reply Ben. Your simple, straight-forward
    instructions validated that I was already on the right track. The only
    thing that didn't work, and it may be a restriction of the 1711, is the
    policy-map can't be applied to the input of an interface, but all I
    have to do is apply it to the output of both my external and internal
    interfaces to acheive the same thing. I think my problem is I'm not
    classifying the VPN traffic properly. We're using Nortel and Cisco VPN
    clients which should fall under the 'ipsec' protocol classification but
    it doesn't seem to be working. The other item I've had difficulty
    locating is the debug command to monitor the performance of a policy.
    Maybe I should try classifying all the high bandwidth (http, ftp, etc.)
    traffic and then let the VPN and whatever is left fall into the
    'class-default'.

    If you have the time, a page with simple instructions and tutorials
    would probably help a lot of people with these all-in-one routers. The
    main target audience for these routers, I would guess, is the SOHO
    crowd who just want to plunk it down as a broadband gateway, spend a
    couple of hours running through some configuration wizards and be done.
    We don't want to spend a week or two in classes or wade through a
    mountain of whitepaper and documentation with very few applicable
    examples or spend hundreds of dollars to have a Cisco certified
    engineer to come out and set it up. It seems to me that Cisco doesn't
    want to cater to this audience because it would circumvent their
    training/certification, service and paid support mechanism.

    Sorry for the rant. I'm a software engineer who just wants the thing up
    and running so I can get back to programming. ;)

    - Mark

    Ben wrote:
    > wrote:
    > > We're running a Cisco 1711 Security Access Router at a corporate
    > > satellite office. We make Nortel and Cisco VPN connections from PCs

    on
    > > our internal network out through the router. These VPN connections

    are
    > > starved when a high bandwidth non-VPN (http, ftp, etc.) download is
    > > initiated.
    > >
    > > Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
    > > single-hop QoS, anything that works!) for identifying and

    prioritizing
    > > VPN traffic over all other traffic? The bottleneck is at the router

    and
    > > I should be able to throttle back all other traffic to allow the

    VPN
    > > traffic through.
    > >
    > > This is a simple problem with a simple solution but I'm finding

    with
    > > Cisco stuff there's no such thing as a simple solution. Please

    don't
    > > send links to Cisco documentation unless it provides an explicit
    > > example applying to VPN traffic (no VoIP, etc.) And don't reply

    saying
    > > that QoS won't do any good because it's not implemented on the open
    > > internet because all I need is a single hop solution.
    > >
    > > I had an OpenBSD machine up and running within a few hours as a
    > > bandwidth manager (using the built in packet filter) providing the

    VPN
    > > prioritization we needed. We'd still be using it if it were a

    little
    > > more stable with multiple VPN connections.
    > >
    > > Thanks in advance...
    > >

    > Wow, I think I am going to have to publish a website with some basic

    qos
    > configurations. There's seems to be a need for it!
    >
    > Ok, there is a simple way to do this. As per most cisco qos, it's 3

    steps:
    >
    > 1) create class-maps which define your traffic classes
    >
    > say,
    >
    > class-map match-any VPN
    > match protocol ipsec
    >
    > That is assuming your vpn is ipsec, you can also specifiy an

    access-list:
    >
    > class-map match-any VPN
    > match ip access-group BLAH
    >
    > Below is the default class. Everything not VPN will automatically go

    in
    > here. You don't need to explicitly define it, it's automatically

    there.
    >
    > class-map class-default
    >
    > 2) Create the policy
    >
    > policy-map PRIORITISE-VPN
    > class VPN
    > bandwidth percent 50
    > class class-default
    > bandwidth percent 25
    >
    > (This CBWFQ example requires the bandwidth statement be configured

    under
    > the interface)
    >
    > The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if

    VPN
    > needs 50% of the interface bw, it will get it. Conversely if it

    doesn't
    > need it, it will shared amongst the other classes. If VPN needs more
    > than 50% it might also get it, provided the default class doesn't

    need a
    > huge amount more than it's 25% - but it's not guaranteed.
    >
    > We have only allocated 75% because that's the default amount of bw

    you
    > are allowed to reserve in a policy. You can change this if you want
    > finer control.
    >
    > 3) Apply the policy to an interface.
    >
    > If you manage the routers at both ends apply the same poilicy

    outbound
    > on both ends of the point-to-point link. Otherwise you can just

    double
    > up and apply the same policy inbound and outbound on your 1711
    >
    > interface ser0
    > service-policy output PRIORITISE-VPN
    > service-policy input PRIORITISE-VPN
    >
    >
    > Hope this helps,
    >
    > Ben
    , Dec 23, 2004
    #3
  4. Ben Guest

    wrote:
    > Thank you very much for the reply Ben. Your simple, straight-forward
    > instructions validated that I was already on the right track. The only
    > thing that didn't work, and it may be a restriction of the 1711, is the
    > policy-map can't be applied to the input of an interface, but all I
    > have to do is apply it to the output of both my external and internal
    > interfaces to acheive the same thing. I think my problem is I'm not
    > classifying the VPN traffic properly. We're using Nortel and Cisco VPN
    > clients which should fall under the 'ipsec' protocol classification but
    > it doesn't seem to be working. The other item I've had difficulty
    > locating is the debug command to monitor the performance of a policy.
    > Maybe I should try classifying all the high bandwidth (http, ftp, etc.)
    > traffic and then let the VPN and whatever is left fall into the
    > 'class-default'.
    >
    > If you have the time, a page with simple instructions and tutorials
    > would probably help a lot of people with these all-in-one routers. The
    > main target audience for these routers, I would guess, is the SOHO
    > crowd who just want to plunk it down as a broadband gateway, spend a
    > couple of hours running through some configuration wizards and be done.
    > We don't want to spend a week or two in classes or wade through a
    > mountain of whitepaper and documentation with very few applicable
    > examples or spend hundreds of dollars to have a Cisco certified
    > engineer to come out and set it up. It seems to me that Cisco doesn't
    > want to cater to this audience because it would circumvent their
    > training/certification, service and paid support mechanism.
    >
    > Sorry for the rant. I'm a software engineer who just wants the thing up
    > and running so I can get back to programming. ;)
    >
    > - Mark
    >
    > Ben wrote:
    >
    >> wrote:
    >>
    >>>We're running a Cisco 1711 Security Access Router at a corporate
    >>>satellite office. We make Nortel and Cisco VPN connections from PCs

    >
    > on
    >
    >>>our internal network out through the router. These VPN connections

    >
    > are
    >
    >>>starved when a high bandwidth non-VPN (http, ftp, etc.) download is
    >>>initiated.
    >>>
    >>>Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
    >>>single-hop QoS, anything that works!) for identifying and

    >
    > prioritizing
    >
    >>>VPN traffic over all other traffic? The bottleneck is at the router

    >
    > and
    >
    >>>I should be able to throttle back all other traffic to allow the

    >
    > VPN
    >
    >>>traffic through.
    >>>
    >>>This is a simple problem with a simple solution but I'm finding

    >
    > with
    >
    >>>Cisco stuff there's no such thing as a simple solution. Please

    >
    > don't
    >
    >>>send links to Cisco documentation unless it provides an explicit
    >>>example applying to VPN traffic (no VoIP, etc.) And don't reply

    >
    > saying
    >
    >>>that QoS won't do any good because it's not implemented on the open
    >>>internet because all I need is a single hop solution.
    >>>
    >>>I had an OpenBSD machine up and running within a few hours as a
    >>>bandwidth manager (using the built in packet filter) providing the

    >
    > VPN
    >
    >>>prioritization we needed. We'd still be using it if it were a

    >
    > little
    >
    >>>more stable with multiple VPN connections.
    >>>
    >>>Thanks in advance...
    >>>

    >>
    >>Wow, I think I am going to have to publish a website with some basic

    >
    > qos
    >
    >>configurations. There's seems to be a need for it!
    >>
    >>Ok, there is a simple way to do this. As per most cisco qos, it's 3

    >
    > steps:
    >
    >>1) create class-maps which define your traffic classes
    >>
    >>say,
    >>
    >>class-map match-any VPN
    >> match protocol ipsec
    >>
    >>That is assuming your vpn is ipsec, you can also specifiy an

    >
    > access-list:
    >
    >>class-map match-any VPN
    >> match ip access-group BLAH
    >>
    >>Below is the default class. Everything not VPN will automatically go

    >
    > in
    >
    >>here. You don't need to explicitly define it, it's automatically

    >
    > there.
    >
    >>class-map class-default
    >>
    >>2) Create the policy
    >>
    >>policy-map PRIORITISE-VPN
    >> class VPN
    >> bandwidth percent 50
    >> class class-default
    >> bandwidth percent 25
    >>
    >>(This CBWFQ example requires the bandwidth statement be configured

    >
    > under
    >
    >>the interface)
    >>
    >>The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if

    >
    > VPN
    >
    >>needs 50% of the interface bw, it will get it. Conversely if it

    >
    > doesn't
    >
    >>need it, it will shared amongst the other classes. If VPN needs more
    >>than 50% it might also get it, provided the default class doesn't

    >
    > need a
    >
    >>huge amount more than it's 25% - but it's not guaranteed.
    >>
    >>We have only allocated 75% because that's the default amount of bw

    >
    > you
    >
    >>are allowed to reserve in a policy. You can change this if you want
    >>finer control.
    >>
    >>3) Apply the policy to an interface.
    >>
    >>If you manage the routers at both ends apply the same poilicy

    >
    > outbound
    >
    >>on both ends of the point-to-point link. Otherwise you can just

    >
    > double
    >
    >>up and apply the same policy inbound and outbound on your 1711
    >>
    >>interface ser0
    >> service-policy output PRIORITISE-VPN
    >> service-policy input PRIORITISE-VPN
    >>
    >>
    >>Hope this helps,
    >>
    >>Ben

    >
    >


    Hi Michael,

    No problem. Sorry overlooked the fact that CBWFQ is only meaningful in
    the outbound direction, but you have it working now.

    Regarding classifying your VPN traffic, it may help to do some packet
    sniffing on the vpn client (I use ethereal myself) or 'debug ip packet'
    on the router to see exactly what the VPN traffic is. It's probably
    better to be explicit about the traffic you want to give a higher qos
    to, since anything can end up in that default queue.

    Re: debugs, I have actually never had to debug a policy so not sure if
    the option is there. Usually 'show policy interface' or 'show queueing
    interface' has enough information for me (not sure if you're aware of
    these commands)

    Totally agree with you on the Cisco documentation. I have actually put
    together a first draft of a HOWTO. Check it out and let me know if you
    think it's heading in the right direction.

    http://www.bencarbery.com/qos/

    Ben
    Ben, Dec 24, 2004
    #4
  5. rudolphlacerda

    Joined:
    Aug 5, 2008
    Messages:
    1
    Another option to classify VPN traffic

    Just came accross this thread...The config provided is pretty good.
    Another way to classify VPN traffic would be to use an access list to catch the headers i.e; AH and ESP (depending on which one you are using)
    access-list 110 permit ah any any
    access-list 110 permit esp any any

    class-map CATCH_VPN
    match access-group 110

    policy-map RESERVE_BANDWIDTH
    class CATCH_VPN
    bandwidth percent 40
    rudolphlacerda, Aug 5, 2008
    #5
  6. coppsbuildall

    Joined:
    Nov 2, 2008
    Messages:
    3
    QoS?

    Hey,

    This is the first thread I have been able to find for a while about QoS and configuration that has been helpful. Can you post how I can create a catch for a specific host? I want to be able to allow traffic from a specific host to be given the highest priority. I was thinking of allowing 50% for two different hosts.

    192.168.4.128 /24
    192.168.0.1 /24

    And then allow all other traffic on fair weighted queuing.

    Thanks,
    Ryan
    coppsbuildall, Nov 2, 2008
    #6
  7. aliatad

    Joined:
    Sep 11, 2012
    Messages:
    1
    Hey Ben,
    This was informative but i cannot access the your site ?please advise
    aliatad, Sep 11, 2012
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Brian Bergin

    prioritize traffic on PIX?

    Brian Bergin, May 17, 2005, in forum: Cisco
    Replies:
    4
    Views:
    724
    Brian Bergin
    May 17, 2005
  2. ESM
    Replies:
    2
    Views:
    4,732
  3. 05hammer
    Replies:
    1
    Views:
    889
    Trendkill
    Jan 31, 2008
  4. Theo Markettos

    VOIP over VPN over TCP over WAP over 3G

    Theo Markettos, Feb 3, 2008, in forum: UK VOIP
    Replies:
    2
    Views:
    826
    Theo Markettos
    Feb 14, 2008
  5. milan_9211

    HTTP SOAP/HTTP GET/HTTP POST

    milan_9211, Jan 10, 2011, in forum: Software
    Replies:
    0
    Views:
    3,059
    milan_9211
    Jan 10, 2011
Loading...

Share This Page