Prioritize VPN traffic over http, ftp, etc.

We're running a Cisco 1711 Security Access Router at a corporate
satellite office. We make Nortel and Cisco VPN connections from PCs on
our internal network out through the router. These VPN connections are
starved when a high bandwidth non-VPN (http, ftp, etc.) download is
initiated.

Can anyone provide any configuration examples (PQ, LLQ, CBWFQ,
single-hop QoS, anything that works!) for identifying and prioritizing
VPN traffic over all other traffic? The bottleneck is at the router and
I should be able to throttle back all other traffic to allow the VPN
traffic through.

This is a simple problem with a simple solution but I'm finding with
Cisco stuff there's no such thing as a simple solution. Please don't
send links to Cisco documentation unless it provides an explicit
example applying to VPN traffic (no VoIP, etc.) And don't reply saying
that QoS won't do any good because it's not implemented on the open
internet because all I need is a single hop solution.

I had an OpenBSD machine up and running within a few hours as a
bandwidth manager (using the built in packet filter) providing the VPN
prioritization we needed. We'd still be using it if it were a little
more stable with multiple VPN connections.

Thanks in advance...

 

Wow, I think I am going to have to publish a website with some basic qos
configurations. There's seems to be a need for it!

Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps:

1) create class-maps which define your traffic classes

say,

class-map match-any VPN
match protocol ipsec

That is assuming your vpn is ipsec, you can also specifiy an access-list:

class-map match-any VPN
match ip access-group BLAH

Below is the default class. Everything not VPN will automatically go in
here. You don't need to explicitly define it, it's automatically there.

class-map class-default

2) Create the policy

policy-map PRIORITISE-VPN
class VPN
bandwidth percent 50
class class-default
bandwidth percent 25

(This CBWFQ example requires the bandwidth statement be configured under
the interface)

The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN
needs 50% of the interface bw, it will get it. Conversely if it doesn't
need it, it will shared amongst the other classes. If VPN needs more
than 50% it might also get it, provided the default class doesn't need a
huge amount more than it's 25% - but it's not guaranteed.

We have only allocated 75% because that's the default amount of bw you
are allowed to reserve in a policy. You can change this if you want
finer control.

3) Apply the policy to an interface.

If you manage the routers at both ends apply the same poilicy outbound
on both ends of the point-to-point link. Otherwise you can just double
up and apply the same policy inbound and outbound on your 1711

interface ser0
service-policy output PRIORITISE-VPN
service-policy input PRIORITISE-VPN


Hope this helps,

Ben

 

Thank you very much for the reply Ben. Your simple, straight-forward
instructions validated that I was already on the right track. The only
thing that didn't work, and it may be a restriction of the 1711, is the
policy-map can't be applied to the input of an interface, but all I
have to do is apply it to the output of both my external and internal
interfaces to acheive the same thing. I think my problem is I'm not
classifying the VPN traffic properly. We're using Nortel and Cisco VPN
clients which should fall under the 'ipsec' protocol classification but
it doesn't seem to be working. The other item I've had difficulty
locating is the debug command to monitor the performance of a policy.
Maybe I should try classifying all the high bandwidth (http, ftp, etc.)
traffic and then let the VPN and whatever is left fall into the
'class-default'.

If you have the time, a page with simple instructions and tutorials
would probably help a lot of people with these all-in-one routers. The
main target audience for these routers, I would guess, is the SOHO
crowd who just want to plunk it down as a broadband gateway, spend a
couple of hours running through some configuration wizards and be done.
We don't want to spend a week or two in classes or wade through a
mountain of whitepaper and documentation with very few applicable
examples or spend hundreds of dollars to have a Cisco certified
engineer to come out and set it up. It seems to me that Cisco doesn't
want to cater to this audience because it would circumvent their
training/certification, service and paid support mechanism.

Sorry for the rant. I'm a software engineer who just wants the thing up
and running so I can get back to programming.

- Mark

 

Hi Michael,

No problem. Sorry overlooked the fact that CBWFQ is only meaningful in
the outbound direction, but you have it working now.

Regarding classifying your VPN traffic, it may help to do some packet
sniffing on the vpn client (I use ethereal myself) or 'debug ip packet'
on the router to see exactly what the VPN traffic is. It's probably
better to be explicit about the traffic you want to give a higher qos
to, since anything can end up in that default queue.

Re: debugs, I have actually never had to debug a policy so not sure if
the option is there. Usually 'show policy interface' or 'show queueing
interface' has enough information for me (not sure if you're aware of
these commands)

Totally agree with you on the Cisco documentation. I have actually put
together a first draft of a HOWTO. Check it out and let me know if you
think it's heading in the right direction.

http://www.bencarbery.com/qos/

Ben

 

Another option to classify VPN traffic

Just came accross this thread...The config provided is pretty good.
Another way to classify VPN traffic would be to use an access list to catch the headers i.e; AH and ESP (depending on which one you are using)
access-list 110 permit ah any any
access-list 110 permit esp any any

class-map CATCH_VPN
match access-group 110

policy-map RESERVE_BANDWIDTH
class CATCH_VPN
bandwidth percent 40

 

QoS?

Hey,

This is the first thread I have been able to find for a while about QoS and configuration that has been helpful. Can you post how I can create a catch for a specific host? I want to be able to allow traffic from a specific host to be given the highest priority. I was thinking of allowing 50% for two different hosts.

192.168.4.128 /24
192.168.0.1 /24

And then allow all other traffic on fair weighted queuing.

Thanks,
Ryan

 

Hey Ben,
This was informative but i cannot access the your site ?please advise