QoS and IPSEC

Discussion in 'Cisco' started by Fwed, Feb 10, 2006.

  1. Fwed

    Fwed Guest

    Hi,

    I have a pix to router VPN.

    One Pix and 4 routers. Routers are connected with a VPN IPsec to the pix
    over Internet.

    Lan-----pix----router0------(internet)------router1
    |_________router2
    |_________etc ...

    I want router1, 2, 3 & 4 to have the same bandwidth, so I would like QoS.

    There is NAT translation to the pix on router0 for the VPN.

    I made access-lists on router0 with the public IP addresses of router1
    to router4.

    access-list 110 permit ip host 193.x.x.1 any
    access-list 111 permit ip host 193.x.x.2 any
    ....
    I make my classes:

    class-map match-all router1
    match access-group 110
    class-map match-all router2
    match access-group 111

    I make a policy-map:

    policy-map test
    class router1
    bandwidth percent 15
    class router2
    bandwidth percent 15
    ....

    On the int ATM0:

    service-policy output test

    It does not work ...

    I have a dialer0 interface but I can't apply the service-policy (error
    with the virtual-template).

    What solution can I have?

    Thanks a lot,

    Fwed
     
    Fwed, Feb 10, 2006
    #1

  2. Fwed

    Horst Wagner Guest

    Re: QoS and IPSEC

    As far as I can see, the IP addresses in your access-lists should be destination
    and not source?
    So try with:
    access-list 110 permit ip any host 193.x.x.1
    access-list 111 permit ip any host 193.x.x.2
    ....
     
    Horst Wagner, Feb 10, 2006
    #2

  3. Fwed

    Charlie Root Guest

    "Fwed" <> wrote in message
    news:43ec5bcf$0$280$...
    > Hi,
    >
    > I have a pix to router VPN.
    >
    > One Pix and 4 routers. Routers are connected with a VPN IPsec to the pix
    > over Internet.
    >
    > Lan-----pix----router0------(internet)------router1
    > |_________router2
    > |_________etc ...
    >
    > I want router1, 2, 3 & 4 to have the same bandwidth, so I would like QoS.
    >
    > There is nat translation to the pix on router0 for the VPN.
    >
    > I make access-list on router0 with the public IP address of the router1
    > to router4.
    >
    > access-list 110 permit ip host 193.x.x.1 any
    > access-list 111 permit ip host 193.x.x.2 any
    > ...


    Perhaps you should swap the address and 'any'.

    > On the int ATM0 :
    >
    > service-policy output test
    >
    > It does not work ...
    >
    > I have a dialer0 interface but i can't apply the service-policy (error
    > with the virtual-template)
    >
    > What solution can I have ?
    >

    You need to enable 'ppp multilink' on the dialer, then you can apply service
    policy there. Since you probably don't have IP configured on ATM0, the
    policy won't catch any traffic based on IP attributes.

    Regards,
    iLya
     
    Charlie Root, Feb 10, 2006
    #3
  4. Fwed

    Fwed Guest

    Re: Re: QoS and IPSEC

    Horst Wagner wrote:
    > As far as I see the ip addresses in your access-lists should be destination
    > and not source?
    > So try with:
    > access-list 110 permit ip any host 193.x.x.1
    > access-list 111 permit ip any host 193.x.x.2
    > ...


    I tested with:

    access-list 110 permit esp host 193.x.x.1 any
    access-list 111 permit esp host 193.x.x.2 any

    but it's the same ...
     
    Fwed, Feb 10, 2006
    #4
  5. Fwed

    Fwed Guest

    > You need to enable 'ppp multilink' on the dialer, then you can apply service
    > policy there.


    OK, I do not have ppp multilink ...

    Because when I do a "sh ip nat translations" I see all of my routers, so
    I thought that I could do this on the int ATM ...


    > Since you probably don't have IP configured on ATM0, the
    > policy won't catch any traffic based on IP attributes.


    There is no IP on ATM0, only on dialer0.

    I will look into ppp multilink :)

    Thanks
     
    Fwed, Feb 10, 2006
    #5
  6. Fwed

    Fwed Guest


    > You need to enable 'ppp multilink' on the dialer


    I found this:

    > ppp multilink
    >Configure the PPP multilink command (on both routers) under the
    >physical interface AND the dialer interface (if using dialer profiles).


    Does it mean that I configure it under the interface ATM0 and the dialer0?
    And does it mean that I do it on all of the other routers (router1, 2, 3 & 4)?

    >Note: If you add this command, you must disconnect any existing
    >connections and then reconnect for the new multilink parameters to be
    >applied. Because multilink is negotiated during the call setup, any
    >changes to multilink are not implemented on connections that have
    >completed the link control protocol (LCP) negotiation.


    I have an IPsec connection; if I add "ppp multilink" on router0, I lose the
    VPN. If I reload router1 (or 2, 3, 4) after adding ppp multilink, will my
    VPN restart normally?

    Thanks
     
    Fwed, Feb 10, 2006
    #6
  7. Fwed

    Charlie Root Guest

    "Fwed" <> wrote in message
    news:43ec7b32$0$32163$...
    >
    >> You need to enable 'ppp multilink' on the dialer

    >
    > I find that :
    >
    >> ppp multilink
    >>Configure the PPP multilink command (on both routers) under the
    >>physical interface AND the dialer interface (if using dialer profiles).

    >
    > It mean that i configure under the interface ATM0 and the dialer0 ?
    > And it mean that i do it on all of the other routers (router1, 2, 3 & 4)
    > ?
    >


    ppp multilink is required (even for a single physical link) on every router
    where you want to apply 'service-policy' (you'll get an error if you attempt
    to apply a policy without having multilink PPP). So if your r[1-4] all should
    have 'service-policy' attached, then you need ppp multilink there; otherwise
    you configure it only on router0 and _only_ on the dialer0 interface, but not on
    ATM.

    >>Note: If you add this command, you must disconnect any existing
    >>connections and then reconnect for the new multilink parameters to be
    >>applied. Because multilink is negotiated during the call setup, any
    >>changes to multilink are not implemented on connections that have
    >>completed the link control protocol (LCP) negotiation.

    >

    This is true. You most likely will actually see link automatically going
    down as soon as you configure ppp multilink.

    > I have IPsec connection, if i add "ppp multilink" on router0, i lost the
    > VPN. If i reload the router1 (or 2, 3, 4) with adding ppp multilink, my
    > VPN will restart normally ?
    >

    For 'ppp multilink' to work, it's necessary that your ADSL provider permits
    it. Does your ADSL come up with multilink enabled on Dialer0? If it doesn't
    work now, a reload won't help. If this is the case, check with your ADSL
    provider whether they could allow you to run multilink PPP (even over a single
    connection).

    P.S.: In your other reply regarding access-list - changes are necessary, but
    not enough - you must attach policy to the dialer, not to the ATM interface.

    Regards,
    iLya
     
    Charlie Root, Feb 10, 2006
    #7
  8. Fwed

    Fwed Guest

    Charlie Root wrote:
    > "Fwed" <> wrote in message
    > news:43ec7b32$0$32163$...
    >
    >>>You need to enable 'ppp multilink' on the dialer

    >>
    >>I find that :
    >>
    >>
    >>>ppp multilink
    >>>Configure the PPP multilink command (on both routers) under the
    >>>physical interface AND the dialer interface (if using dialer profiles).

    >>
    >>It mean that i configure under the interface ATM0 and the dialer0 ?
    >>And it mean that i do it on all of the other routers (router1, 2, 3 & 4)
    >>?
    >>

    >
    >
    > ppp multilink is required (even for a single physical link) on every router
    > where you want to apply 'service-policy' (you'll get an error if you attempt
    > to apply a policy without having multilink PPP). So if your r[1-4] all should
    > have 'service-policy' attached, then you need ppp multilink there; otherwise
    > you configure it only on router0 and _only_ on the dialer0 interface, but not on
    > ATM.
    >
    >
    >>>Note: If you add this command, you must disconnect any existing
    >>>connections and then reconnect for the new multilink parameters to be
    >>>applied. Because multilink is negotiated during the call setup, any
    >>>changes to multilink are not implemented on connections that have
    >>>completed the link control protocol (LCP) negotiation.

    >>

    > This is true. You most likely will actually see link automatically going
    > down as soon as you configure ppp multilink.
    >
    >
    >>I have IPsec connection, if i add "ppp multilink" on router0, i lost the
    >>VPN. If i reload the router1 (or 2, 3, 4) with adding ppp multilink, my
    >>VPN will restart normally ?
    >>

    >
    > For 'ppp multilink' to work, it's necessary that your ADSL provider permits
    > it. Does your ADSL come up with multilink enabled on Dialer0? If it doesn't
    > work now, a reload won't help. If this is the case, check with your ADSL
    > provider whether they could allow you to run multilink PPP (even over a single
    > connection).
    >
    > P.S.: In your other reply regarding access-list - changes are necessary, but
    > not enough - you must attach policy to the dialer, not to the ATM interface.
    >
    > Regards,
    > iLya
    >
    >

    Thanks a lot, I will check that quickly :)
     
    Fwed, Feb 10, 2006
    #8
  9. Fwed

    Horst Wagner Guest

    Re: Re: QoS and IPSEC

    OK,
    but there you still mixed up destination and source addresses!
     
    Horst Wagner, Feb 10, 2006
    #9
  10. Fwed

    Horst Wagner Guest

    Re: Re: QoS and IPSEC

    f.y.i.
    I've also got DSL with dialer and ATM and no service-policy on the dialer interface, only on the ATM interface, and it works great!

    I still think that your access-lists are wrong, because packets leaving your central router will have the addresses of the other routers as destination addresses and not source!
    So your statements have to be ... any host ... rather than ... host ... any!

    cheers
    Horst
     
    Horst Wagner, Feb 10, 2006
    #10
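Horst's point above (on router0's egress the packets carry the spoke's address as destination, so the ACE must read `any host <spoke>`), shown as an added example that is not from the thread: a small Python model of IOS extended-ACL matching run over constructed egress traffic. The addresses are RFC 5737 documentation addresses standing in for the real 193.x.x.x ones, the traffic is constructed, and the model only understands `any`/`host` address specs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # IOS protocol keyword of the packet: "esp", "udp", ...
    src: str
    dst: str

def _take_addr(tokens):
    """Consume one IOS address spec: 'any' or 'host A.B.C.D'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens)}")

def parse_acl(lines):
    """Parse 'access-list N permit <proto> <src> <dst>' into (proto, src, dst).
    Wildcard masks, ports and deny entries are out of scope for this model."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["permit"]:
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append((tok[3], src, dst))
    return entries

def permitted(acl, pkt):
    """Classified if any ACE matches; 'ip' matches every IP protocol, 'esp' only ESP."""
    return any(p in ("ip", pkt.proto) and s in ("any", pkt.src)
               and d in ("any", pkt.dst) for p, s, d in acl)

def count_matches(acl, packets):
    return sum(permitted(acl, pkt) for pkt in packets)

# Constructed RFC 5737 addresses standing in for the thread's 193.x.x.x.
HUB = "203.0.113.254"    # router0's public address after NAT
SPOKE1 = "198.51.100.1"  # router1's public address
# Constructed egress traffic on router0 toward spoke 1: two ESP packets of the
# tunnel and one IKE (UDP) packet; the source is always router0 itself.
EGRESS = [Packet("esp", HUB, SPOKE1), Packet("esp", HUB, SPOKE1),
          Packet("udp", HUB, SPOKE1)]
ORIGINAL = parse_acl(["access-list 110 permit ip host 198.51.100.1 any"])
SWAPPED = parse_acl(["access-list 110 permit ip any host 198.51.100.1"])

def demo():
    """(matches with 'host SPOKE any', matches with 'any host SPOKE')."""
    return count_matches(ORIGINAL, EGRESS), count_matches(SWAPPED, EGRESS)
```

The first count is zero because, after NAT and encryption, every outbound packet has router0 as its source; the `host <spoke> any` form only describes the return direction.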
  11. Fwed

    Fwed Guest

    Re: Re: Re: QoS and IPSEC

    Horst Wagner wrote:
    > f.y.i.
    > I've also got DSL with dialer and ATM and no service-policy on the dialer interface, only on the ATM interface, and it works great!
    >
    > I still think that your access-lists are wrong, because packets leaving your central router will have the addresses of the other routers as destination addresses and not source!
    > So your statements have to be ... any host ... rather than ... host ... any!
    >
    > cheers
    > Horst
    >
    >
    >

    I have not had any time to test. When I can, I will tell you the result :)

    Thanks for your help :)
     
    Fwed, Feb 14, 2006
    #11
  12. Fwed

    Fwed Guest

    Re: Re: Re: QoS and IPSEC

    Horst Wagner wrote:
    > f.y.i.
    > I've also got DSL with dialer and ATM and no service-policy on the dialer interface, only on the ATM interface, and it works great!
    >
    > I still think that your access-lists are wrong, because packets leaving your central router will have the addresses of the other routers as destination addresses and not source!
    > So your statements have to be ... any host ... rather than ... host ... any!
    >
    > cheers
    > Horst
    >
    >
    >

    I did what you said and it works! :)

    Thank you a lot :)
     
    Fwed, Feb 16, 2006
    #12
  13. Fwed

    Guest

    Re: Re: Re: QoS and IPSEC

    Summary:
    > QoS needs ppp multilink on dialer.


    It seems to me that QoS and specifically LLQ does not
    work with ADSL unless the provider supports Multilink
    PPP.

    If anyone can contradict this please do so.

    If anyone can offer an example config please do.

    If anyone has any way of persuading Cisco to eliminate this
    tiresome and apparently arbitrary and apparently
    undocumented _feature_ please do so.

    It is of course documented in the sense that no examples of
    QoS on dialers without MPPP are in the configuration guides and
    there are several references to QoS with MPPP; however,
    this has not helped me to avoid wasting a lot of time
    and having dissatisfied users.

    Finally is it possible to do ADSL without the dialer and thereby
    get access to QoS?
     
    , Feb 17, 2006
    #13
  14. Fwed

    Charlie Root Guest

    Re: Re: Re: QoS and IPSEC

    <> wrote in message
    news:...
    > Finally is it possible to do ADSL without the dialer and thereby
    > get access to QoS?
    >

    Theoretically - yes, but practically no. The only way I know to avoid a dialer
    or virtual template is to use AAL5SNAP encapsulation, which not many
    providers support. Even if you manage to get the CPE side without a dialer, the
    provider most likely still uses a Virtual-Template, therefore the line has
    to run MLPPP if you want bi-directional QoS (that is, from access server to
    CPE and from CPE to the access server).

    Kind regards,
    iLya
     
    Charlie Root, Feb 17, 2006
    #14
  15. Fwed

    Guest

    Re: Re: Re: QoS and IPSEC

    > Finally is it possible to do ADSL without the dialer and thereby
    >> get access to QoS?


    iLya says:
    > Theoretically - yes, but practically no. The only way I know to avoid dialer
    > or virtual template is to use AAL5SNAP encapsulation, which not many
    > providers support. Even if you manage to get CPE side without dialer, the
    > provider is most likely still uses Virtual-Template therefore the line has
    > to run MLPPP if you want bi-directional QoS (that is from access server to
    > CPE and from CPE to the access server).


    Thanks.

    "if you want bi-directional QoS "
    That would clearly be ideal however eliminating the output drops
    and queuing delays on my ATM interface was the goal.

    This is a bit of a rant now, read on at your own risk.

    In one particular case we have a temporary ADSL line while we are
    waiting on something better going in. It is 512k up and about 3M
    down. I see queuing delays on the inside outbound but the outside
    inbound looks OK. (Well I can't see it directly but I can see that
    there are no delays.)

    I have looked at every possible Cisco solution to this problem and I
    have found two.

    1. Do queuing on a Cat 3560, which after MUCH pain I got working
    in a manner that prioritises voice absolutely and restricts other
    traffic to (line rate less desired voice bandwidth). This is less than
    ideal and there are almost no stats available on the behaviour.

    2. Put two routers back to back in the path with two wires
    between them, one of them a serial link. Use policy routing to direct
    the traffic in different directions via either of the interfaces to get
    either 512k raw data rate or more than 3M. Then put LLQ on the
    512k interface to get traffic shaping to 512k.

    I am quite new to QoS and I was somewhat surprised that
    there seems no way to do

    LLQ with                        \
      Voice on Priority Q            |__> Shaped to 512k
      Other traffic on other queues  |
                                    /

    On a Cisco router.

    To do shaping you seem to need a physical interface that
    has a Q to do the shaping to the raw data rate and you
    apply the LLQ there.

    Hierarchical Queuing looked promising; however, it
    works the other way round. (More wasted time, since the
    limitations are not explained in the documentation.)

    You apply shaping per Class then offer it to the LLQ.

    I want to apply LLQ with the output from the queues
    limited to some arbitrary bandwidth of my choice.

    Rant off.
    Don't _even_start_ me on software upgrades breaking configs.
     
    , Feb 17, 2006
    #15
