QoS for IPSEC encrypted GRE tunnel

Hi,

I have a DSL router connected to a central site via a GRE tunnel. The tunnel is encrypted by IPSEC and works fine.

- cisco 836 IOS version c836-k9o3s8y6-mz.123-2.XA6.bin

- DSL 7550kbps/864kbps

- ipsec encrypted gre tunnel

- ipsec tunnel mode

I'm trying to implement QoS. The configuration is rather straightforward.

- class-maps for voip and citrix

- policy-map - child and parent; with LLQ and CBWFQ; class based shaping

- qos pre-classify to classify packets prior to encryption

- crypto commands to prevent fragmentation after encryption

- expanded anti replay window

- output service-policy on tunnel interface

Two things don't work however.

- 'shape average' command for policy-map. I can enter it but it doesn't show up in the configuration and no error message appears.

- 'service-policy output parent' command on interface tunnel0. I can enter it but it doesn't show up in the configuration. Sometimes it says 'CBWFQ : Hierarchy supported only if shaping is configured in this class'. That's obvious because the 'shape average' won't stick. Funny thing however is that I do not get the error message when I enter the 'shape average' command in the policy-map first. But still they both won't show up.

And the net result is that there is no active policy on the interface:

dsl-router#sh policy-map
  Policy Map parent
    Class class-default
      service-policy child

  Policy Map child
    Class voip
      Strict Priority
      Bandwidth 30 (%)
    Class citrix
      Bandwidth 500 (kbps) Max Threshold 64 (packets)
    Class class-default
      Flow based Fair Queueing
      Bandwidth 0 (kbps) Max Threshold 64 (packets)
      set dscp default

Anyone got a clue what's going wrong here?

---------------------config example---------------------

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key 0 72e7823djijeaj281r84sokdij382883djj address 192.xxx.yyy.10
crypto ipsec transform-set VPN-SITE-TRANS esp-3des esp-sha-hmac
crypto ipsec security-association replay window-size 1024
crypto df-bit set
crypto ipsec fragmentation before-encryption
!
crypto map VPN-SITE 1 ipsec-isakmp
 set peer 192.xxx.yyy.10
 set transform-set VPN-SITE-TRANS
 match address VPN-TO-CENTRAL
!
class-map match-any voip
 match ip dscp ef
class-map match-any citrix
 match access-group name citrix_ports
!
policy-map child
 class voip
  priority percent 30      ! LLQ
 class citrix
  bandwidth 500            ! CBWFQ
 class class-default
  fair-queue
  set dscp default
policy-map parent
 class class-default
  shape average 400000     ! shape traffic to 400 kbps
  service-policy child
!
interface Tunnel0
 description GRE tunnel
 ip address 137.aaa.bbb.2 255.255.255.252
 qos pre-classify
 service-policy output parent
 keepalive 10 3
 tunnel source BVI1
 tunnel destination 192.xxx.yyy.10
 crypto map VPN-SITE
!
interface Ethernet0
 description LAN
 ip address 10.19.245.254 255.255.255.0
 ip helper-address 10.11.12.13
 ip tcp adjust-mss 1432
 no ip mroute-cache
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
!
interface BVI1
 description towards outside dsl
 mac-address 0000.00c2.5911
 ip address dhcp
 no ip redirects
 qos pre-classify
 crypto map VPN-SITE
!
router eigrp 20
 passive-interface BRI0
 passive-interface Ethernet0
 network 10.0.0.0
 network 137.aaa.bbb.ccc
 no auto-summary
!
ip access-list extended citrix_ports
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any eq 1604
 permit udp any any eq 1604
 permit tcp any any eq 2598
 permit udp any any eq 2598
 deny ip any any
!
ip access-list extended VPN-TO-CENTRAL
 permit gre any host 192.xxx.yyy.10
!
end
-- erikisme
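An added example, not part of the post and not Cisco code: a small Python checker that pulls the MQC policy-map blocks out of a running-config and applies two checks before anyone tries to attach the policy. The first is the rule the router itself states in its error message, a class may nest a child service-policy only if 'shape' is configured in that same class. The second is the arithmetic a reviewer would do by hand: the child's 'bandwidth' and 'priority' guarantees, with percentages resolved against the parent's shape rate, have to fit inside that shape rate (the IOS max-reserved-bandwidth default is deliberately not modelled). The sample config is a constructed copy of the two policy-maps from the post; run on those numbers the checker reports that 'priority percent 30' of 400 kbps (120 kbps) plus 'bandwidth 500' for citrix asks the child for 620 kbps out of a 400 kbps shaper.

```python
"""Check an IOS MQC policy-map hierarchy for two attach-time constraints.

Added example, not from the forum post: parses policy-map / class / shape /
service-policy / bandwidth / priority lines from config text and reports
(1) classes that nest a child policy without 'shape', and
(2) children whose guaranteed bandwidth exceeds the parent's shape rate.
"""
import re

# Constructed sample, modelled on the two policy-maps in the post.
SAMPLE_CONFIG = """\
policy-map child
 class voip
  priority percent 30
 class citrix
  bandwidth 500
 class class-default
  fair-queue
  set dscp default
policy-map parent
 class class-default
  shape average 400000
  service-policy child
"""


def parse_policy_maps(config_text):
    """Return {policy_name: {class_name: settings}} from IOS config lines.

    Only keywords relevant to the hierarchy check are collected; other class
    actions (fair-queue, set dscp, queue-limit, ...) are ignored.
    """
    policies = {}
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy = policies.setdefault(line.split()[1], {})
            cls = None
            continue
        if not raw[:1].isspace():
            policy = cls = None  # back at top level (interface, access-list, ...)
            continue
        if policy is None:
            continue
        if line.startswith("class "):
            cls = policy.setdefault(line.split()[1], {
                "shape_bps": None, "child": None,
                "bandwidth_kbps": 0, "bandwidth_pct": 0,
                "priority_kbps": 0, "priority_pct": 0})
            continue
        if cls is None:
            continue
        m = re.fullmatch(r"shape (?:average|peak) (\d+)(?: .*)?", line)
        if m:
            cls["shape_bps"] = int(m.group(1))  # shape rate is given in bps
            continue
        m = re.fullmatch(r"service-policy (\S+)", line)
        if m:
            cls["child"] = m.group(1)
            continue
        m = re.fullmatch(r"(bandwidth|priority) percent (\d+)", line)
        if m:
            cls[m.group(1) + "_pct"] = int(m.group(2))
            continue
        m = re.fullmatch(r"(bandwidth|priority) (\d+)(?: \d+)?", line)  # kbps [burst]
        if m:
            cls[m.group(1) + "_kbps"] = int(m.group(2))
    return policies


def guaranteed_kbps(policy, reference_kbps):
    """Sum of bandwidth/priority guarantees; percentages resolved against reference_kbps."""
    total = 0.0
    for s in policy.values():
        total += s["bandwidth_kbps"] + s["priority_kbps"]
        total += (s["bandwidth_pct"] + s["priority_pct"]) * reference_kbps / 100
    return total


def check_hierarchy(policies):
    """Return a list of human-readable problems found in nested policy-maps."""
    issues = []
    for pname, classes in policies.items():
        for cname, s in classes.items():
            child = s["child"]
            if child is None:
                continue
            where = "policy-map %s class %s" % (pname, cname)
            if s["shape_bps"] is None:
                issues.append("%s: service-policy %s nested without shape "
                              "(IOS: hierarchy supported only if shaping is "
                              "configured in this class)" % (where, child))
                continue
            if child not in policies:
                issues.append("%s: child policy-map %s is not defined" % (where, child))
                continue
            shape_kbps = s["shape_bps"] / 1000
            need = guaranteed_kbps(policies[child], shape_kbps)
            if need > shape_kbps:
                issues.append("%s: child %s guarantees %g kbps, exceeds shape rate "
                              "%g kbps" % (where, child, need, shape_kbps))
    return issues


if __name__ == "__main__":
    for issue in check_hierarchy(parse_policy_maps(SAMPLE_CONFIG)) or ["no issues"]:
        print(issue)
```

The checker only makes the mismatch visible; whether that is what the 836 image is silently objecting to when the commands refuse to stick is not something it can decide. Feeding it the full running-config works as well, since everything outside indented policy-map blocks is skipped.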
