  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228

Giving VPN traffic higher priority

I would like to know how I can give my business office VPN traffic higher priority on my Cisco 2811 router?
0
Asked: csg_int_it
1 Solution
 
donmanrobb Commented:
Something like this will do the trick
2611XM(config-cmap)#class-map VPN_L2TP
2611XM(config-cmap)#match protocol l2tp
2611XM(config-cmap)#policy-map QoS_Policy
2611XM(config-pmap)#class VPN_L2TP
2611XM(config-pmap-c)#priority percent 30
2611XM(config-pmap-c)#exit
2611XM(config-pmap)#int fa0/0
2611XM(config-if)#service-policy input QoS_Policy


0
 
csg_int_it Author Commented:
donmanrobb,
I will give this a try and let you know what happens.

Mike
0
 
csg_int_it Author Commented:
When I enter the last line (service-policy input QoS_Policy), I get the following message:
CBWFQ: Can be enabled as an out feature only.

Mike
0
 
donmanrobb Commented:
My bad, try service-policy output QoS_Policy
0
 
csg_int_it Author Commented:
Donmanrobb,
That command worked.

How long before I know it worked?

Mike
0
 
donmanrobb Commented:
Were you experiencing performance issues with VPN before?
0
 
donmanrobb Commented:
You can also have a look at
show policy-map int <interface you applied on> to see if there are any matches. Obviously someone would have to be connected via VPN for a bit first.
0
 
donmanrobb Commented:
You may have to do the following

no class-map VPN_L2TP
class-map match-any VPN_L2TP
match protocol ipsec
match protocol l2tp
match protocol pptp
0
 
csg_int_it Author Commented:
Donmanrobb,
We use Business Office VPNs to connect our offices worldwide. I wanted a way to give this traffic higher priority than all other traffic.

I ran the show policy-map int fa0/0 and got the following:
Class-map: VPN-L2TP (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: protocol l2tp
  Queueing
      Strict Priority
      Output Queue: Conversation 264
      Bandwidth 30 (%)
      Bandwidth 30000 (kbps) Burst 750000 (Bytes)
      (pkts matched/bytes matched) 0/0
      (total drops/bytes drops) 0/0

Class-map: class-default (match-any)
  207019 packets, 149463105 bytes
  5 minute offered rate 2092000 bps, drop rate 0 bps
  Match: any

Mike
0
 
donmanrobb Commented:
Okay please make the above change and post the new output after a couple minutes.
0
 
csg_int_it Author Commented:
How do I get rid of the class-map?
0
 
donmanrobb Commented:
As above, no class-map VPN_L2TP
0
 
csg_int_it Author Commented:
I get the following message:
Class-map VPN-L2TP is being used
0
 
donmanrobb Commented:
Ah, you have to take off service-policy output QoS_Policy with:
no service-policy output QoS_Policy, then make the class-map changes, then add the service-policy back on.
0
 
csg_int_it Author Commented:
I got it.  I had to remove the policy-maps.

I will add the lines above and let you know what happens.

Mike
0
 
csg_int_it Author Commented:
Donmanrobb,
Here is the output from the show policy-map:
CSG_VB#sh policy-map int fa0/0
 FastEthernet0/0

  Service-policy output: QoS_Policy

    Class-map: VPN_L2TP (match-any)
      4157 packets, 622326 bytes
      5 minute offered rate 22000 bps, drop rate 0 bps
      Match: protocol ipsec
        4157 packets, 622326 bytes
        5 minute rate 22000 bps
      Match: protocol l2tp
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol pptp
        0 packets, 0 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 30 (%)
        Bandwidth 30000 (kbps) Burst 750000 (Bytes)
        (pkts matched/bytes matched) 1/182
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      9406 packets, 6880585 bytes
      5 minute offered rate 172000 bps, drop rate 0 bps
      Match: any
CSG_VB#
0
 
donmanrobb Commented:
Yup, I'd say it's working.
0
 
donmanrobb Commented:
It's matching the ipsec traffic, and since it's a priority queue it will serve the ipsec traffic before anything else.
0
 
csg_int_it Author Commented:
By changing the service-policy line to 'output' and by adding the 'match protocol ipsec' and 'match protocol pptp', the solution seems to be working.
0
 
csg_int_it Author Commented:
Donmanrobb,
Thank you for your help.

Mike
0
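
Added example (not part of the original thread): a small Python parser for the `show policy-map int` output posted above. It reports which classes matched no packets, as in the first output, and which match criteria actually carry traffic, as in the second. The sample text is constructed from the format shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the output format posted in the thread.
SAMPLE = """\
Service-policy output: QoS_Policy
  Class-map: VPN_L2TP (match-any)
    4157 packets, 622326 bytes
    Match: protocol ipsec
      4157 packets, 622326 bytes
    Match: protocol l2tp
      0 packets, 0 bytes
    Queueing
      (total drops/bytes drops) 0/0
  Class-map: class-default (match-any)
    9406 packets, 6880585 bytes
    Match: any
"""

def parse_policy_map(text):
    """Map class name -> class packet total, per-match packet counts, queue drops."""
    classes, cur, match = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Class-map: (\S+) \(match-(?:any|all)\)", line):
            cur = classes[m.group(1)] = {"packets": 0, "matches": {}, "drops": 0}
            match = None
        elif cur is None:
            continue  # header lines before the first class
        elif m := re.match(r"Match: (.+)", line):
            match = m.group(1)
            cur["matches"][match] = None  # stays None if no per-match counter follows
        elif m := re.match(r"(\d+) packets, \d+ bytes", line):
            if match is None:
                cur["packets"] = int(m.group(1))  # class total precedes the Match lines
            else:
                cur["matches"][match] = int(m.group(1))
        elif m := re.match(r"\(total drops/bytes drops\) (\d+)/\d+", line):
            cur["drops"] = int(m.group(1))
    return classes

def report(classes):
    """Return (named classes with zero hits, match criteria that saw packets)."""
    named = {n: c for n, c in classes.items() if n != "class-default"}
    idle = [n for n, c in named.items() if c["packets"] == 0]
    active = {n: [k for k, v in c["matches"].items() if v] for n, c in named.items()}
    return idle, active

if __name__ == "__main__":
    print(report(parse_policy_map(SAMPLE)))
```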
