Prioritize VPN traffic over http, ftp, etc.

Discussion in 'Cisco' started by mchadwick, Dec 22, 2004.

  1. mchadwick

    mchadwick Guest

    We're running a Cisco 1711 Security Access Router at a corporate
    satellite office. We make Nortel and Cisco VPN connections from PCs on
    our internal network out through the router. These VPN connections are
    starved when a high bandwidth non-VPN (http, ftp, etc.) download is

    Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
    single-hop QoS, anything that works!) for identifying and prioritizing
    VPN traffic over all other traffic? The bottleneck is at the router and
    I should be able to throttle back all other traffic to allow the VPN
    traffic through.

    This is a simple problem with a simple solution but I'm finding with
    Cisco stuff there's no such thing as a simple solution. Please don't
    send links to Cisco documentation unless it provides an explicit
    example applying to VPN traffic (no VoIP, etc.) And don't reply saying
    that QoS won't do any good because it's not implemented on the open
    internet because all I need is a single hop solution.

    I had an OpenBSD machine up and running within a few hours as a
    bandwidth manager (using the built in packet filter) providing the VPN
    prioritization we needed. We'd still be using it if it were a little
    more stable with multiple VPN connections.

    Thanks in advance...
    mchadwick, Dec 22, 2004
    1. Advertisements

  2. mchadwick

    Ben Guest

    Wow, I think I am going to have to publish a website with some basic qos
    configurations. There's seems to be a need for it!

    Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps:

    1) create class-maps which define your traffic classes


    class-map match-any VPN
    match protocol ipsec

    That is assuming your vpn is ipsec, you can also specifiy an access-list:

    class-map match-any VPN
    match ip access-group BLAH

    Below is the default class. Everything not VPN will automatically go in
    here. You don't need to explicitly define it, it's automatically there.

    class-map class-default

    2) Create the policy

    policy-map PRIORITISE-VPN
    class VPN
    bandwidth percent 50
    class class-default
    bandwidth percent 25

    (This CBWFQ example requires the bandwidth statement be configured under
    the interface)

    The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN
    needs 50% of the interface bw, it will get it. Conversely if it doesn't
    need it, it will shared amongst the other classes. If VPN needs more
    than 50% it might also get it, provided the default class doesn't need a
    huge amount more than it's 25% - but it's not guaranteed.

    We have only allocated 75% because that's the default amount of bw you
    are allowed to reserve in a policy. You can change this if you want
    finer control.

    3) Apply the policy to an interface.

    If you manage the routers at both ends apply the same poilicy outbound
    on both ends of the point-to-point link. Otherwise you can just double
    up and apply the same policy inbound and outbound on your 1711

    interface ser0
    service-policy output PRIORITISE-VPN
    service-policy input PRIORITISE-VPN

    Hope this helps,

    Ben, Dec 23, 2004
    1. Advertisements

  3. mchadwick

    mchadwick Guest

    Thank you very much for the reply Ben. Your simple, straight-forward
    instructions validated that I was already on the right track. The only
    thing that didn't work, and it may be a restriction of the 1711, is the
    policy-map can't be applied to the input of an interface, but all I
    have to do is apply it to the output of both my external and internal
    interfaces to acheive the same thing. I think my problem is I'm not
    classifying the VPN traffic properly. We're using Nortel and Cisco VPN
    clients which should fall under the 'ipsec' protocol classification but
    it doesn't seem to be working. The other item I've had difficulty
    locating is the debug command to monitor the performance of a policy.
    Maybe I should try classifying all the high bandwidth (http, ftp, etc.)
    traffic and then let the VPN and whatever is left fall into the

    If you have the time, a page with simple instructions and tutorials
    would probably help a lot of people with these all-in-one routers. The
    main target audience for these routers, I would guess, is the SOHO
    crowd who just want to plunk it down as a broadband gateway, spend a
    couple of hours running through some configuration wizards and be done.
    We don't want to spend a week or two in classes or wade through a
    mountain of whitepaper and documentation with very few applicable
    examples or spend hundreds of dollars to have a Cisco certified
    engineer to come out and set it up. It seems to me that Cisco doesn't
    want to cater to this audience because it would circumvent their
    training/certification, service and paid support mechanism.

    Sorry for the rant. I'm a software engineer who just wants the thing up
    and running so I can get back to programming. ;)

    - Mark
    mchadwick, Dec 23, 2004
  4. mchadwick

    Ben Guest

    Hi Michael,

    No problem. Sorry overlooked the fact that CBWFQ is only meaningful in
    the outbound direction, but you have it working now.

    Regarding classifying your VPN traffic, it may help to do some packet
    sniffing on the vpn client (I use ethereal myself) or 'debug ip packet'
    on the router to see exactly what the VPN traffic is. It's probably
    better to be explicit about the traffic you want to give a higher qos
    to, since anything can end up in that default queue.

    Re: debugs, I have actually never had to debug a policy so not sure if
    the option is there. Usually 'show policy interface' or 'show queueing
    interface' has enough information for me (not sure if you're aware of
    these commands)

    Totally agree with you on the Cisco documentation. I have actually put
    together a first draft of a HOWTO. Check it out and let me know if you
    think it's heading in the right direction.

    Ben, Dec 24, 2004
  5. mchadwick


    Aug 5, 2008
    Likes Received:
    Another option to classify VPN traffic

    Just came accross this thread...The config provided is pretty good.
    Another way to classify VPN traffic would be to use an access list to catch the headers i.e; AH and ESP (depending on which one you are using)
    access-list 110 permit ah any any
    access-list 110 permit esp any any

    class-map CATCH_VPN
    match access-group 110

    policy-map RESERVE_BANDWIDTH
    class CATCH_VPN
    bandwidth percent 40
    rudolphlacerda, Aug 5, 2008
  6. mchadwick


    Nov 2, 2008
    Likes Received:


    This is the first thread I have been able to find for a while about QoS and configuration that has been helpful. Can you post how I can create a catch for a specific host? I want to be able to allow traffic from a specific host to be given the highest priority. I was thinking of allowing 50% for two different hosts. /24 /24

    And then allow all other traffic on fair weighted queuing.

    coppsbuildall, Nov 2, 2008
  7. mchadwick


    Sep 11, 2012
    Likes Received:
    Hey Ben,
    This was informative but i cannot access the your site ?please advise
    aliatad, Sep 11, 2012
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.